RE: code red goes on

2001-08-09 Thread Ian Perry
I have noticed a new entry in the apache access logs as follows. Also the CR2 accesses have dropped off to almost zero. 210.204.88.105 - - [09/Aug/2001:14:54:44 +1000] "-" 408 - 210.72.200.39 - - [09/Aug/2001:15:04:31 +1000] "-" 408 - 210.182.140.14 - - [09/Aug/2001:15:05:15 +1000] "-" 408 - 210.1

Re: code red goes on

2001-08-07 Thread Dave Sherohman
On Mon, Aug 06, 2001 at 09:32:33AM +, John Griffiths wrote: > Code Reds Mark II and III have already been identified, Where can I find information on CR3? -- With the arrest of Dimitry Sklyarov it has become apparent that it is not safe for non US software engineers to visit the United State

Re: code red goes on

2001-08-07 Thread Dave Sherohman
On Mon, Aug 06, 2001 at 12:43:57PM -0600, John Galt wrote: > CR2 is actually seeming to have a twist in its IP picker that weights it > to the subnets where cable/dsl users are the rule. According to incidents.org, the weighting is actually set up to favor the local subnets. It only pounds cable

RE: code red goes on

2001-08-06 Thread Ian Perry
I just had a look at another site I look after. It appears from the apache logs that Code Red has not hit there since 5th August, yet web requests are getting through. It is being filtered at the ISP level. Ian

Re: code red goes on

2001-08-06 Thread John Galt
On Mon, 6 Aug 2001, Chris Niekel wrote: >On Sun, Aug 05, 2001 at 07:02:35PM -0600, John Galt wrote: >> [...] >> CodeRed2. Nastier: it also copies cmd.exe to root.exe, and installs a >> pseudo-r00tkit. If the IIS admins didn't learn the first time, they got >> screwed hardcore the second. Not ev

Re: code red goes on

2001-08-06 Thread Chris Niekel
On Sun, Aug 05, 2001 at 07:02:35PM -0600, John Galt wrote: > [...] > CodeRed2. Nastier: it also copies cmd.exe to root.exe, and installs a > pseudo-r00tkit. If the IIS admins didn't learn the first time, they got > screwed hardcore the second. Not even a reacharound this time. I get hit every 2

RE: code red goes on

2001-08-05 Thread John Griffiths
> >There has definitely been a change in the original form of the attacks from ># GET /default.ida?N -snip- NN%u9090% -snip- 0%u00=a HTTP/1.0 >to ># GET /default.ida?X -snip- XX%u9090% -snip- 0%u00=a HTTP/1.0 >The second packet is also much shorter (with less X's), although the tail is >t

Re: code red goes on

2001-08-05 Thread Allen Wayne Best
after reading that "apparently" the latest code red attacks are coming from unsuspecting users of that ultimate computer virus, i decided to scan the access log file and send messages to the "best guess" person at the owner of the ip address (usually a dial-up provider). i modified the script by

RE: code red goes on

2001-08-05 Thread Ian Perry
> -Original Message- > From: Alan Shutko [mailto:[EMAIL PROTECTED] > Sent: Friday, August 03, 2001 11:18 PM > To: debian-user@lists.debian.org > Subject: Re: code red goes on > > > "Karsten M. Self" writes: > > > Anyone noting tren

Re: code red goes on

2001-08-05 Thread John Griffiths
At 05:51 PM 8/5/01 -0700, Karsten M. Self wrote: >on Mon, Aug 06, 2001 at 09:32:33AM +, John Griffiths ([EMAIL PROTECTED]) >wrote: > >> Code Reds Mark II and III have already been identified, doing much >> more malicious things and spreading with better randomisation >> >> Hopefully a "cheese

RE: code red goes on

2001-08-05 Thread John Galt
On Mon, 6 Aug 2001, Ian Perry wrote: > > >> -Original Message- >> From: Alan Shutko [mailto:[EMAIL PROTECTED] >> Sent: Friday, August 03, 2001 11:18 PM >> To: debian-user@lists.debian.org >> Subject: Re: code red goes on >> >> >> &

Re: code red goes on

2001-08-05 Thread Karsten M. Self
on Mon, Aug 06, 2001 at 09:32:33AM +, John Griffiths ([EMAIL PROTECTED]) wrote: > Code Reds Mark II and III have already been identified, doing much > more malicious things and spreading with better randomisation > > Hopefully a "cheese worm" equivalent will be released to stomp on this > befo

Re: code red goes on

2001-08-03 Thread Dave Sherohman
On Fri, Aug 03, 2001 at 12:29:05AM -0500, ktb wrote: > From what little I have read about it the site in question is defaced > if it is a page containing English. I'm sure someone who has paid more > attention could list exactly what it does. After infecting a system with U.S. English as the de

Re: code red goes on

2001-08-03 Thread Dave Sherohman
On Fri, Aug 03, 2001 at 05:30:12PM +, John Griffiths wrote: > on the 20th of the months the infected machines are all going to launch a > denial of service attack at a web-server somewhere (last time was the IP > address of the whitehouse but that may, or may not, have changed) I have it fro

Re: code red goes on

2001-08-03 Thread Mike Egglestone
Thanks for the responses... Hehehe... I changed an NT 4.0 Server to a REAL server about 2 months ago... (Potato r3) ... put in apache, samba etc. I think it was using MS II...(is that what NT uses?) I'm not sure though... I know very little about NT... I guess that's why I changed it to something

Re: code red goes on

2001-08-03 Thread Alan Shutko
"Karsten M. Self" writes: > Anyone noting trends between 7/20 and 8/2? I've got 30 v. 49, > respectively. Looks like this is actually the bigger attack. http://www.incidents.org says that we've already gotten more infected machines than July 20th, although probes seem to have leveled off. I'v

Re: code red goes on

2001-08-03 Thread John Griffiths
At 12:27 AM 8/3/01 -0700, Mike Egglestone wrote: >Hi.. > >I grepped my access logs and noticed the "default.ida? etc etc.. > >What does this mean? >Have I been attacked? or was it an attempted attack? > >What exactly does the virus do to the system? > >Thanks >Mike > If you run unpatched MS we

Re: code red goes on

2001-08-03 Thread Mike Egglestone
Hi.. I grepped my access logs and noticed the "default.ida? etc etc.. What does this mean? Have I been attacked? or was it an attempted attack? What exactly does the virus do to the system? Thanks Mike Quoting Matthias Richter <[EMAIL PROTECTED]>: > ktb wrote on Fri Aug 03, 2001 at 12:29:

Re: code red goes on

2001-08-03 Thread Matthias Richter
ktb wrote on Fri Aug 03, 2001 at 12:29:05AM: > On Thu, Aug 02, 2001 at 10:08:56PM -0700, Karsten M. Self wrote: > > ...gives a hostlist. Anyone know of a central repository who might be > > collecting same and sending LARTs to the appropriate sysops? http://www.dshield.org/codered.html> are coll

Re: code red goes on

2001-08-03 Thread Craig Dickson
Karsten M. Self wrote: > Hmmm: > > grep 'default\.ida' /var/log/apache/access.log | awk '{print $1}' > > ...gives a hostlist. Anyone know of a central repository who might be > collecting same and sending LARTs to the appropriate sysops? Or is that > a complete [EMAIL PROTECTED]&*() waste

Re: code red goes on

2001-08-03 Thread John Griffiths
>> > >> > >> > if you grep your http access log for "default.ida" (good sign >> > of a code red attempt on an apache box) >> > >> > you'll see that code red has infected as many new machines in >> > the last two days as it did on 20 July > >> I have had 47 in the last 24 hrs. > >Please use follow-u

Re: code red goes on

2001-08-03 Thread Karsten M. Self
on Fri, Aug 03, 2001 at 03:16:00PM +1000, Ian Perry ([EMAIL PROTECTED]) wrote: > > -Original Message- > > From: John Griffiths [mailto:[EMAIL PROTECTED] > > Sent: Saturday, August 04, 2001 12:54 AM > > To: debian-user@lists.debian.org > > Subject: code red g

Re: code red goes on

2001-08-03 Thread John Griffiths
At 10:08 PM 8/2/01 -0700, Karsten M. Self wrote: >on Fri, Aug 03, 2001 at 02:54:01PM +, John Griffiths ([EMAIL PROTECTED]) >wrote: >> if you grep your http access log for "default.ida" (good sign of a >> code red attempt on an apache box) >> >> you'll see that code red has infected as many ne

Re: code red goes on

2001-08-03 Thread ktb
On Thu, Aug 02, 2001 at 10:08:56PM -0700, Karsten M. Self wrote: > on Fri, Aug 03, 2001 at 02:54:01PM +, John Griffiths ([EMAIL PROTECTED]) > wrote: > > if you grep your http access log for "default.ida" (good sign of a > > code red attempt on an apache box) > > > > you'll see that code red h

RE: code red goes on

2001-08-03 Thread Ian Perry
I have had 47 in the last 24 hrs. > -Original Message- > From: John Griffiths [mailto:[EMAIL PROTECTED] > Sent: Saturday, August 04, 2001 12:54 AM > To: debian-user@lists.debian.org > Subject: code red goes on > > > if you grep your http access log for "defaul

Re: code red goes on

2001-08-03 Thread Karsten M. Self
on Fri, Aug 03, 2001 at 02:54:01PM +, John Griffiths ([EMAIL PROTECTED]) wrote: > if you grep your http access log for "default.ida" (good sign of a > code red attempt on an apache box) > > you'll see that code red has infected as many new machines in the last > two days as it did on 20 July

code red goes on

2001-08-02 Thread John Griffiths
if you grep your http access log for "default.ida" (good sign of a code red attempt on an apache box) you'll see that code red has infected as many new machines in the last two days as it did on 20 July