Good morning Network... ZOGs

At 00:05:03 this morning I have started to receive intermittent CodeRed probes again... 9 in total. In the first pass by CodeRed I received 12,000 probes.

I have now started running a packet analyser to capture the additional binary payload packets to see whether it has been mutated... Last night Symantec were saying the only way it would start again is if it was reinjected into the Network. According to Symantec (yesterday) the original version was coded to permanently hibernate - so if we are receiving probes again it must mean someone has put it back in the wild... If so it may be a different beast...

I am looking for some commonality in the probes - last time a pseudo random variable of the TCP Header was the same in the majority of the probes I received from different IP addresses which led me to believe that this is in part delivered by IP spoofing - If this is the case we should be able to follow the MAC addresses back to a point of origin...

Anyone here had experience with tracking down spoofed IP address attacks... I will work with you...

Best regards
Michael Sutton
www.awacs.co.nz
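The commonality check described above, as an added example that is not part of the original post: it tallies Code Red probes (the `GET /default.ida?` request) per source and flags any TCP header value that is repeated across several distinct source addresses. The probe records are constructed sample data, and the choice of the TCP initial sequence number as the "pseudo random" field is an assumption, since the post does not name the field.

```python
from collections import defaultdict

# Constructed sample of captured probe records (not real capture data).
# Each record: (timestamp, source IP, TCP initial sequence number, HTTP request line)
PROBES = [
    ("00:05:03", "198.51.100.7", 0x1A2B3C4D, "GET /default.ida?NNNNNNNN HTTP/1.0"),
    ("00:07:41", "203.0.113.22", 0x1A2B3C4D, "GET /default.ida?NNNNNNNN HTTP/1.0"),
    ("00:09:12", "192.0.2.45",   0x1A2B3C4D, "GET /default.ida?NNNNNNNN HTTP/1.0"),
    ("00:11:30", "198.51.100.9", 0x77E10420, "GET /default.ida?NNNNNNNN HTTP/1.0"),
    ("00:12:05", "203.0.113.80", 0x0BADCAFE, "GET /index.html HTTP/1.0"),
]


def is_codered_probe(request_line):
    """Code Red's scan is a GET for /default.ida with a long filler argument."""
    return request_line.startswith("GET /default.ida?")


def probe_counts(probes):
    """Return (total Code Red probes, probes per source IP)."""
    per_source = defaultdict(int)
    for _, src, _, req in probes:
        if is_codered_probe(req):
            per_source[src] += 1
    return sum(per_source.values()), dict(per_source)


def shared_header_values(probes, min_sources=2):
    """Map each ISN (assumed here to be the per-connection random field) to the
    distinct source IPs that sent a Code Red probe with it. A value that should
    be chosen freshly per connection turning up from several different sources
    is the commonality worth following up; only values seen from at least
    min_sources sources are returned."""
    sources_by_value = defaultdict(set)
    for _, src, isn, req in probes:
        if is_codered_probe(req):
            sources_by_value[isn].add(src)
    return {v: sorted(s) for v, s in sources_by_value.items()
            if len(s) >= min_sources}


if __name__ == "__main__":
    total, per_source = probe_counts(PROBES)
    print(f"{total} Code Red probes from {len(per_source)} sources")
    for value, sources in shared_header_values(PROBES).items():
        print(f"ISN 0x{value:08X} shared by {len(sources)} sources: {sources}")
```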
-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Neil
Sent: Thursday, August 02, 2001 02:16
To: Thomas Salmen
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: Code Red (Take Two)
I administer a few web servers (no IIS) for people; one that is in New Zealand has had 24 hits since 3:20 this morning, one that is in the US has had 223 hits. I have not had a good look at the Code Red worm but it seems to me that it is concentrating its scans on known US address blocks.

Neil Fincham
Integral LTD
----- Original Message -----
From: "Thomas Salmen"
To:
Sent: Thursday, August 02, 2001 2:12 PM
Subject: Code Red (Take Two)

Just curious... have many people been affected by the second round of Code Red infections? We have seen plenty of inbound traffic here (well, the odd bit, anyway) but very few of our customers' web servers have been hit - not like last time...
Regards,
Thomas Salmen
System Administrator
Radionet Ltd.
1/72 Paul Matthews Road
Albany, Auckland, New Zealand
Ph: +64 9 414 0300 ext 718
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog