Just curious... have many people been affected by the second round of Code Red infections? We have seen plenty of inbound traffic here (well, the odd bit, anyway) but very few of our customers' web servers have been hit - not like last time...

Regards,

Thomas Salmen
System Administrator
Radionet Ltd.
1/72 Paul Matthews Road, Albany, Auckland, New Zealand
Ph: +64 9 414 0300 ext 718

---------
To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
I administer a few web servers (no IIS) for people; one that is in New Zealand has had 24 hits since 3:20 this morning, one that is in the US has had 223 hits. I have not had a good look at the Code Red worm but it seems to me that it is concentrating its scans on known US address blocks.

Neil Fincham
Integral LTD
----- Original Message -----
From: "Thomas Salmen"

Just curious... have many people been affected by the second round of Code Red infections? We have seen plenty of inbound traffic here (well, the odd bit, anyway) but very few of our customers' web servers have been hit - not like last time...
I haven't had any hits in the last few days... Got about 20 in the last round. Not a big deal really, for me at least.

On Thu, 2 Aug 2001, Neil wrote:
I administer a few web servers (no IIS) for people; one that is in New Zealand has had 24 hits since 3:20 this morning, one that is in the US has had 223 hits. I have not had a good look at the Code Red worm but it seems to me that it is concentrating its scans on known US address blocks.

Neil Fincham
Integral LTD
Tim J. Shackleton
Networks Admin/Programmer
Netlink LTD
Business: http://www.netlink.co.nz/
Personal: http://www.netnet.net.nz/
DDI +64 4 922 8476
Pager 64 +26 253 4356
Cellular +64 29 650 476
"Cold silence has a tendency to atrophy any sense of compassion"
On Thu, Aug 02, 2001 at 02:18:40PM +1200, Tim Shackleton wrote:
I haven't had any hits in the last few days... Got about 20 in the last round. Not a big deal really, for me at least.
I got about 20 today on my home box.

CAIDA are losing all kinds of sleep trying to measure the impact, and are keeping their analysis posted at http://www.caida.org/analysis/security/code-red

If it's slow, it's because they are having some issues keeping up with the volume of data they are measuring, according to some commentary I saw on nanog.

Joe
Good morning Network... ZOGs

At 00:05:03 this morning I have started to receive intermittent CodeRed probes again... 9 in total. In the first pass by CodeRed I received 12,000 probes.

I have now started running a packet analyser to capture the additional binary payload packets to see whether it has been mutated... Last night Symantec were saying the only way it would start again is if it was reinjected into the Network. According to Symantec (yesterday) the original version was coded to permanently hibernate - so if we are receiving probes again it must mean someone has put it back in the wild... If so it may be a different beast...

I am looking for some commonality in the probes - last time a pseudo-random variable of the TCP header was the same in the majority of the probes I received from different IP addresses, which led me to believe that this is in part delivered by IP spoofing - if this is the case we should be able to follow the MAC addresses back to a point of origin... Anyone here had experience with tracking down spoofed IP address attacks... I will work with you...

Best regards
Michael Sutton
www.awacs.co.nz
-----Original Message-----
From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz] On Behalf Of Neil
Sent: Thursday, August 02, 2001 02:16
To: Thomas Salmen
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: Code Red (Take Two)

I administer a few web servers (no IIS) for people; one that is in New Zealand has had 24 hits since 3:20 this morning, one that is in the US has had 223 hits. I have not had a good look at the Code Red worm but it seems to me that it is concentrating its scans on known US address blocks.

Neil Fincham
Integral LTD
binary payload packets to see whether it has been mutated... Last night Symantec were saying the only way it would start again is if it was reinjected into the Network. According to Symantec (yesterday) the original version was coded to permanently hibernate - so if we are receiving probes again it must mean someone has put it back in the wild... If so it may be a different beast...
Check out some of the Code Red analysis sites. They showed that Code Red was still probing even during the "dormancy phase" from some servers that had their system clocks set wrong (thus making Code Red think it was still the 8th or whatever on those machines). They predicted that servers that were still hacked and had system times set wrong would re-inject the worm into the internet when the rest of the correctly set clocks clicked round to the 1st. It appears that this is what has happened.

There may indeed be unknown mutated versions out there but as far as I know there is only CRv1, CRv2a and CRv2b. All this information can be seen in the Code Red FAQ at http://www.incidents.org/react/code_red.php

Chris Rigby
Senior Systems Engineer
IHUG - Into the Internet
On Thu, 2 Aug 2001, Thomas Salmen wrote:
Just curious... have many people been affected by the second round of Code Red infections? We have seen plenty of inbound traffic here (well, the odd bit, anyway) but very few of our customers' web servers have been hit - not like last time...
9 hits on my home box... haven't checked IDG's yet.

Regards,
Juha
I personally have received about 5 virus emails over the past 24 hours, most of them directed at nz.freebsd.org

On 2 Aug 2001, at 14:12, Thomas Salmen wrote:
Just curious... have many people been affected by the second round of Code Red infections? We have seen plenty of inbound traffic here (well, the odd bit, anyway) but very few of our customers' web servers have been hit - not like last time...
--
Dan Langille
pgpkey - finger dan(a)unixathome.org | http://unixathome.org/finger.php
On 1 Aug 2001, at 22:26, Dan Langille wrote:
I personally have received about 5 virus emails over the past 24 hours, most of them directed at nz.freebsd.org
OK, yes, I do know the difference between SirCam and Red Worm. I just reported the wrong one... Sorry.

On my NZ-based webserver, I've had 54 hits today. But on my Ottawa-based server, I've had 39 hits in the past 23 hours.

--
Dan Langille
pgpkey - finger dan(a)unixathome.org | http://unixathome.org/finger.php
On Thu, Aug 02, 2001 at 02:12:28PM +1200, Thomas Salmen wrote:

Just curious... have many people been affected by the second round of Code Red infections? We have seen plenty of inbound traffic here (well, the odd bit, anyway) but very few of our customers' web servers have been hit - not like last time...

Nothing much, not like last time:

    [cw(a)www cw]$ tail -15000 access_log | grep "1/Aug/2001" | grep -ic default\.ida
    12

NB, time is PST so there are several hours to go in Aug 1.

--cw