Re: Code Red Worm ?

To: debian-security@lists.debian.org
Subject: Re: Code Red Worm ?
From: Philippe Marzouk <pmarzouk@wanadoo.fr>
Date: Sat, 21 Jul 2001 11:06:18 +0200
Message-id: <[🔎] 20010721110618.A3034@orelye.maison>
In-reply-to: <[🔎] 20010721165614.A906@polaroids.org>; from catalyst@polaroids.org on sam, jui 21, 2001 at 10:56:14 +0200
References: <[🔎] 20010721165614.A906@polaroids.org>

Le sam, 21 jui 2001 10:56:14, catalyst a écrit :
> Hi,
> 
> I'm running iptables and for the past 3 days i been hit by a multiple IP
> adds on my firewall.I wonder is it from those infected IIS with red worm
> ?
> Here is the log i'm getting from my /var/log/messages.
> 
> Jul 21 16:48:04 uniX kernel: Firewall:IN=eth0 OUT=
> MAC=00:50:da:91:ba:a8:00:30:94:9c:6e:8c:08:00 SRC=192.108.114.142
> DST=202.156.176.20 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=47947 DF
> PROTO=TCP SPT=1794 DPT=6346 WINDOW=16384 RES=0x00 SYN URGP=0 

6346 is the gnutella port.
If you have used it, your IP is kept in some cache and others try to
connect to you for some time.

Philippe

Reply to:

References:
- Code Red Worm ?
  - From: catalyst <catalyst@polaroids.org>

Prev by Date: Code Red Worm ?
Next by Date: Re: red worm amusement - redirect
Previous by thread: Code Red Worm ?
Next by thread: about sniffing
Index(es):
- Date
- Thread