RE: Full analysis of the .ida "Code Red" worm.
Hits on my home connection started at 4:51am, with 17 unique source addresses logged so far.

Greg

-----Original Message-----
From: Juha Saarinen [mailto:juha(a)saarinen.org]
Sent: Friday, 20 July 2001 9:50 am
To: 'Dean Pemberton'; 'Chris Rigby'
Cc: nznog(a)list.waikato.ac.nz
Subject: RE: Full analysis of the .ida "Code Red" worm.
12 hits on my home server only... many more on the IDG ones :-(
--
Juha
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
On Fri, 20 Jul 2001, Greg Clare wrote:
Hits on my home connection started at 4:51am, with 17 unique source addresses logged so far.
First hit on wibble.net was 03:22 this morning... so far it's up to 23... Linux.net.nz (the other interface) is at 25, starting from 03:29 today.

So that's 48 attacks on 2 IP addresses in less than 9 hours. A lot seem to be from domestic connections - s216-232-94-216.bc.hsia.telus.net for example. A few from iprimus.net.au customer addresses...

This is nasty!

--
Dylan Reeve - dylan(a)wibble.net
"Um, yeah."
On Fri, 20 Jul 2001, Dylan Reeve wrote:
So that's 48 attacks on 2 IP addresses in less than 9 hours. A lot seem to be from domestic connections - s216-232-94-216.bc.hsia.telus.net for example. A few from iprimus.net.au customer addresses...
Interestingly, the QSI web servers have so far received 0 hits... (not that we have any MS servers anyway)

My personal webserver (hosted elsewhere) has received attacks from 24 unique hosts since about 5am this morning, from the list below:

What's even more interesting is that looking at cache logs for the QSI Auckland dialups, there are 0 (in the last hour anyway) attempts coming FROM QSI dialups. However, I put the cacheflow into reverse mode too (proxying traffic from the net destined for port 80 on the QSI dialup pools), and it averages 27 hits per minute, from a huge variety of sources... the majority of which have unresolvable IPs.

------- List of hosts attacking tombstone.b.org.nz --------

---
Matt Camp
After 6 days the attacks have stopped hitting my server in the past 10 minutes ...

Who did what to whom... where is the corpse....

Michael
On Fri, 20 Jul 2001, Mike Sutton [ awacs ] wrote:
After 6 days the attacks have stopped hitting my server in the past 10 minutes ...
Who did what to whom... where is the corpse....
At noon that started flooding www.whitehouse.gov. They'll do that for the next week or so. However there are variations of the worm out that will do other things.

--
Simon Lyall.                | Newsmaster   | Work: simon.lyall(a)ihug.co.nz
Senior Network/System Admin | Postmaster   | Home: simon(a)darkmere.gen.nz
ihug, Auckland, NZ          | Asst Doorman | Web: http://www.darkmere.gen.nz
participants (5)
- Dylan Reeve
- Greg Clare
- Matt Camp
- Mike Sutton [ awacs ]
- Simon Lyall