RE: code red goes on

2001-08-09 Thread Ian Perry
I have noticed a new entry in the apache access logs as follows. Also the CR2 accesses have dropped off to almost zero.
210.204.88.105 - - [09/Aug/2001:14:54:44 +1000] - 408 -
210.72.200.39 - - [09/Aug/2001:15:04:31 +1000] - 408 -
210.182.140.14 - - [09/Aug/2001:15:05:15 +1000] - 408 -

Re: code red goes on

2001-08-07 Thread Dave Sherohman
On Mon, Aug 06, 2001 at 12:43:57PM -0600, John Galt wrote: CR2 is actually seeming to have a twist in its IP picker that weights it to the subnets where cable/dsl users are the rule. According to incidents.org, the weighting is actually set up to favor the local subnets. It only pounds

Re: code red goes on

2001-08-07 Thread Dave Sherohman
On Mon, Aug 06, 2001 at 09:32:33AM +, John Griffiths wrote: Code Reds Mark II and III have already been identified, Where can I find information on CR3? -- With the arrest of Dimitry Sklyarov it has become apparent that it is not safe for non US software engineers to visit the United

Re: code red goes on

2001-08-06 Thread Chris Niekel
On Sun, Aug 05, 2001 at 07:02:35PM -0600, John Galt wrote: [...] CodeRed2. Nastier: it also copies cmd.exe to root.exe, and installs a pseudo-r00tkit. If the IIS admins didn't learn the first time, they got screwed hardcore the second. Not even a reacharound this time. I get hit every 2

Re: code red goes on

2001-08-06 Thread John Galt
On Mon, 6 Aug 2001, Chris Niekel wrote: On Sun, Aug 05, 2001 at 07:02:35PM -0600, John Galt wrote: [...] CodeRed2. Nastier: it also copies cmd.exe to root.exe, and installs a pseudo-r00tkit. If the IIS admins didn't learn the first time, they got screwed hardcore the second. Not even a

RE: code red goes on

2001-08-06 Thread Ian Perry
I just had a look at another site I look after. It appears from the apache logs that Code Red has not hit there since 5th August, yet web requests are getting through. It is being filtered at the ISP level. Ian

Re: code red goes on

2001-08-05 Thread Karsten M. Self
on Mon, Aug 06, 2001 at 09:32:33AM +, John Griffiths ([EMAIL PROTECTED]) wrote: Code Reds Mark II and III have already been identified, doing much more malicious things and spreading with better randomisation Hopefully a cheese worm equivalent will be released to stomp on this before we

RE: code red goes on

2001-08-05 Thread John Galt
On Mon, 6 Aug 2001, Ian Perry wrote: -Original Message- From: Alan Shutko [mailto:[EMAIL PROTECTED] Sent: Friday, August 03, 2001 11:18 PM To: debian-user@lists.debian.org Subject: Re: code red goes on Karsten M. Self kmself@ix.netcom.com writes: Anyone noting trends between

Re: code red goes on

2001-08-05 Thread John Griffiths
At 05:51 PM 8/5/01 -0700, Karsten M. Self wrote: on Mon, Aug 06, 2001 at 09:32:33AM +, John Griffiths ([EMAIL PROTECTED]) wrote: Code Reds Mark II and III have already been identified, doing much more malicious things and spreading with better randomisation Hopefully a cheese worm

RE: code red goes on

2001-08-05 Thread Ian Perry
-Original Message- From: Alan Shutko [mailto:[EMAIL PROTECTED] Sent: Friday, August 03, 2001 11:18 PM To: debian-user@lists.debian.org Subject: Re: code red goes on Karsten M. Self kmself@ix.netcom.com writes: Anyone noting trends between 7/20 and 8/2? I've got 30 v. 49

Re: code red goes on

2001-08-05 Thread Allen Wayne Best
after reading that apparently the latest code red attacks are coming from unsuspecting users of that ultimate computer virus, i decided to scan the access log file and send messages to the best guess person at the owner of the ip address (usually a dial-up provider). i modified the script by

RE: code red goes on

2001-08-05 Thread John Griffiths
There has definitely been a change in the original form of the attacks from # GET /default.ida?N -snip- NN%u9090% -snip- 0%u00=a HTTP/1.0 to # GET /default.ida?X -snip- XX%u9090% -snip- 0%u00=a HTTP/1.0 The second packet is also much shorter (with less X's), although the tail is the

Re: code red goes on

2001-08-03 Thread Karsten M. Self
on Fri, Aug 03, 2001 at 02:54:01PM +, John Griffiths ([EMAIL PROTECTED]) wrote: if you grep your http access log for default.ida (good sign of a code red attempt on an apache box) you'll see that code red has infected as many new machines in the last two days as it did on 20 July Hmmm:

RE: code red goes on

2001-08-03 Thread Ian Perry
I have had 47 in the last 24 hrs. -Original Message- From: John Griffiths [mailto:[EMAIL PROTECTED] Sent: Saturday, August 04, 2001 12:54 AM To: debian-user@lists.debian.org Subject: code red goes on if you grep your http access log for default.ida (good sign of a code red

Re: code red goes on

2001-08-03 Thread ktb
On Thu, Aug 02, 2001 at 10:08:56PM -0700, Karsten M. Self wrote: on Fri, Aug 03, 2001 at 02:54:01PM +, John Griffiths ([EMAIL PROTECTED]) wrote: if you grep your http access log for default.ida (good sign of a code red attempt on an apache box) you'll see that code red has infected

Re: code red goes on

2001-08-03 Thread John Griffiths
At 10:08 PM 8/2/01 -0700, Karsten M. Self wrote: on Fri, Aug 03, 2001 at 02:54:01PM +, John Griffiths ([EMAIL PROTECTED]) wrote: if you grep your http access log for default.ida (good sign of a code red attempt on an apache box) you'll see that code red has infected as many new machines

Re: code red goes on

2001-08-03 Thread Karsten M. Self
on Fri, Aug 03, 2001 at 03:16:00PM +1000, Ian Perry ([EMAIL PROTECTED]) wrote: -Original Message- From: John Griffiths [mailto:[EMAIL PROTECTED] Sent: Saturday, August 04, 2001 12:54 AM To: debian-user@lists.debian.org Subject: code red goes on if you grep your http access

Re: code red goes on

2001-08-03 Thread John Griffiths
if you grep your http access log for default.ida (good sign of a code red attempt on an apache box) you'll see that code red has infected as many new machines in the last two days as it did on 20 July I have had 47 in the last 24 hrs. Please use follow-up response. Anyone noting

Re: code red goes on

2001-08-03 Thread Craig Dickson
Karsten M. Self wrote: Hmmm: grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}' ...gives a hostlist. Anyone know of a central repository who might be collecting same and sending LARTs to the appropriate sysops? Or is that a complete [EMAIL PROTECTED]*() waste of

Re: code red goes on

2001-08-03 Thread Matthias Richter
ktb wrote on Fri Aug 03, 2001 at 12:29:05AM: On Thu, Aug 02, 2001 at 10:08:56PM -0700, Karsten M. Self wrote: ...gives a hostlist. Anyone know of a central repository who might be collecting same and sending LARTs to the appropriate sysops? URL:http://www.dshield.org/codered.html are

Re: code red goes on

2001-08-03 Thread Mike Egglestone
Hi.. I grepped my access logs and noticed the default.ida? etc etc.. What does this mean? Have I been attacked? or was it an attempted attack? What exactly does the virus do to the system? Thanks Mike Quoting Matthias Richter [EMAIL PROTECTED]: ktb wrote on Fri Aug 03, 2001 at

Re: code red goes on

2001-08-03 Thread John Griffiths
At 12:27 AM 8/3/01 -0700, Mike Egglestone wrote: Hi.. I grepped my access logs and noticed the default.ida? etc etc.. What does this mean? Have I been attacked? or was it an attempted attack? What exactly does the virus do to the system? Thanks Mike If you run unpatched MS webservers

Re: code red goes on

2001-08-03 Thread Alan Shutko
Karsten M. Self kmself@ix.netcom.com writes: Anyone noting trends between 7/20 and 8/2? I've got 30 v. 49, respectively. Looks like this is actually the bigger attack. http://www.incidents.org says that we've already gotten more infected machines than July 20th, although probes seem to have

Re: code red goes on

2001-08-03 Thread Mike Egglestone
Thanks for the responses... Hehehe... I changed an NT 4.0 Server to a REAL server about 2 months ago... (Potato r3) ... put in apache, samba etc. I think it was using MS II...(is that what NT uses?) I'm not sure though... I know very little about NT... I guess that's why I changed it to something

Re: code red goes on

2001-08-03 Thread Dave Sherohman
On Fri, Aug 03, 2001 at 05:30:12PM +, John Griffiths wrote: on the 20th of the months the infected machines are all going to launch a denial of service attack at a web-server somewhere (last time was the IP address of the whitehouse but that may, or may not, have changed) I have it from

Re: code red goes on

2001-08-03 Thread Dave Sherohman
On Fri, Aug 03, 2001 at 12:29:05AM -0500, ktb wrote: From what little I have read about it the site in question is defaced if it is a page containing English. I'm sure someone who has paid more attention could list exactly what it does. After infecting a system with U.S. English as the