> -----Original Message-----
> From: Alan Shutko [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 03, 2001 11:18 PM
> To: debian-user@lists.debian.org
> Subject: Re: code red goes on
>
>
> "Karsten M. Self" <kmself@ix.netcom.com> writes:
>
> > Anyone noting trends between 7/20 and 8/2? I've got 30 v. 49,
> > respectively. Looks like this is actually the bigger attack.
>
> http://www.incidents.org says that we've already gotten more infected
> machines than July 20th, although probes seem to have leveled off.
>
> I've heard that this is a slight change on the original code red which
> seeds the RNG used to pick hosts to try, and it's thus hitting lots of
> hosts which weren't in the first round.
>
There has definitely been a change in the original form of the attacks from

# GET /default.ida?NNNNN -snip- NN%u9090% -snip- 0%u00=a HTTP/1.0

to

# GET /default.ida?XXXXX -snip- XX%u9090% -snip- 0%u00=a HTTP/1.0

The second packet is also much shorter (with less X's), although the tail is the same.

The increase in traffic over the last few days has been marked.

Sept  -   0 hits
1 Aug -   3 hits    0.1 per hr
2 Aug -  22 hits    0.9/hr
3 Aug -  33 hits    1.4/hr
4 Aug -  41 hits    1.7/hr
5 Aug - 167 hits    6.9/hr
6 Aug -  79 hits   10.0/hr  (only 8 hrs of data)

I can see this is going to be a real problem in the upcoming weeks.

I have noticed on the end of each access in the log, Apache gives "404 205".
404 I guess means page not found, but on two occasions it looks like it gave
a "200 - ". Strange. I thought a valid access was 200.

Ian
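The tallying Ian describes (counting /default.ida probes per day, telling the N-filled and X-filled variants apart, and reading the two trailing fields of each Apache log entry) can be automated. The following is an added example written for this thread, not code posted by anyone on the list. It assumes Apache Common Log Format, where the two numbers after the quoted request are the HTTP status code and the response size in bytes (a "-" size means no body was sent), and it runs over constructed sample lines embedded in the script; the request strings are shortened signature-style samples, not captured worm traffic.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in Apache Common Log Format (not from the original post).
# The query strings are shortened placeholders carrying only the filler character
# and the "%u9090" / "%u00=a" markers the thread mentions.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:10:15:22 +0000] "GET /default.ida?NNNNNNNNNNNN%u9090%u00=a HTTP/1.0" 404 205
192.0.2.11 - - [04/Aug/2001:10:47:03 +0000] "GET /default.ida?XXXXXX%u9090%u00=a HTTP/1.0" 404 205
192.0.2.12 - - [04/Aug/2001:11:02:51 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.13 - - [05/Aug/2001:09:30:00 +0000] "GET /default.ida?XXXXXX%u9090%u00=a HTTP/1.0" 200 -
"""

# host ident authuser [timestamp] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_clf(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Apache writes "-" when no response body was sent.
    rec["size"] = None if rec["size"] == "-" else int(rec["size"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify_probe(path):
    """Return 'original' for N-filled requests, 'variant' for X-filled ones,
    'unknown-filler' for other /default.ida queries, and None for anything else."""
    if not path.lower().startswith("/default.ida?"):
        return None
    query = path.split("?", 1)[1]
    if query.startswith("N"):
        return "original"
    if query.startswith("X"):
        return "variant"
    return "unknown-filler"


def summarize(log_text):
    """Count /default.ida probes per day, per variant, and by (status, size) pair."""
    per_day = Counter()
    per_variant = Counter()
    status_size = Counter()
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue  # skip lines that are not in Common Log Format
        kind = classify_probe(rec["path"])
        if kind is None:
            continue  # ordinary request, not a probe
        per_day[rec["time"].strftime("%d %b")] += 1
        per_variant[kind] += 1
        status_size[(rec["status"], rec["size"])] += 1
    return {
        "per_day": dict(per_day),
        "per_variant": dict(per_variant),
        "status_size": dict(status_size),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for day, hits in sorted(report["per_day"].items()):
        print(f"{day}: {hits} hits")
    print("variants:", report["per_variant"])
    print("status/size pairs:", report["status_size"])
```

On a live server this would be run over the real access log instead of SAMPLE_LOG; the status/size tally makes the "404 205" versus "200 -" distinction Ian noticed visible at a glance, and the per-variant count separates the first wave's N-filled requests from the later X-filled ones.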