[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: code red goes on

> -----Original Message-----
> From: Alan Shutko [mailto:ats@acm.org]
> Sent: Friday, August 03, 2001 11:18 PM
> To: debian-user@lists.debian.org
> Subject: Re: code red goes on
> "Karsten M. Self" <kmself@ix.netcom.com> writes:
> > Anyone noting trends between 7/20 and 8/2?  I've got 30 v. 49,
> > respectively.  Looks like this is actually the bigger attack.
> http://www.incidents.org says that we've already gotten more infected
> machines than July 20th, although probes seem to have leveled off.
> I've heard that this is a slight change on the original code red which
> seeds the RNG used to pick hosts to try, and it's thus hitting lots of
> hosts which weren't in the first round.

There has definately been a change in the original form of the attacks from
# GET /default.ida?NNNNN -snip- NN%u9090% -snip- 0%u00=a  HTTP/1.0
# GET /default.ida?XXXXX -snip- XX%u9090% -snip- 0%u00=a  HTTP/1.0
The second packet is also much shorter (with less X's), although the tail is
the same.

The increase in traffic over the last few days has been marked.

Sept  -	0 hits
1 Aug	-	3 hits	0.1 per hr
2 Aug - 	22 hits	0.9/hr
3 Aug - 	33 Hits	1.4/hr
4 Aug -	41 Hits	1.7/hr
5 Aug -	167 Hits	6.9/hr
6 Aug - 	79 Hits	10.0/hr (only 8 hrs of data)

I can see this is going to be a real problem in the upcoming weeks.

I have noticed on the end of each access in the log, Apache gives "404 205"
404 I guess means page not found, but on two occassions it looks like
it gave a "200 - ".  Strange.  I thought a valid access was 200.


Reply to: