Re: code red goes on

To: "Karsten M. Self" <kmself@ix.netcom.com>
Cc: debian-user@lists.debian.org
Subject: Re: code red goes on
From: John Griffiths <john@capmon.com>
Date: Fri, 03 Aug 2001 15:54:21 +0000
Message-id: <[🔎] 3.0.5.32.20010803155421.039615f0@mailhost.capmon.com>
In-reply-to: <[🔎] 20010802224502.F6512@navel.introspect>
References: <[🔎] 002001c11bdb$62258b60$127509d2@inertia.com.au> <[🔎] 3.0.5.32.20010803145401.03969620@mailhost.capmon.com> <[🔎] 002001c11bdb$62258b60$127509d2@inertia.com.au>

>> >
>> >
>> > if you grep your http access log for "default.ida" (good sign
>> > of a code red attempt on an apache box)
>> >
>> > you'll see that code red has infected as many new machines in
>> > the alst two days as it did on 20 July
>
>> I have had 47 in the last 24 hrs.
>
>Please use follow-up response.
>
>Anyone noting trends between 7/20 and 8/2?  I've got 30 v. 49,
>respectively.  Looks like this is actually the bigger attack.
>

actually i ran http-analyze over a file i grepped out of the log

the bug only ran for a few hours in "propogate mode" on the 20th before switching to "attack mode" and went back to propogate 2 days ago (and because propogate is less damaging everyone thought it was gone)

and yes a quick look at the graph will tell you it's building into something much bigger than before

Reply to:

References:
- RE: code red goes on
  - From: "Ian Perry" <iperry@inertia.com.au>
- code red goes on
  - From: John Griffiths <john@capmon.com>
- Re: code red goes on
  - From: "Karsten M. Self" <kmself@ix.netcom.com>

Prev by Date: Re: code red goes on
Next by Date: Re: Root on RAID
Previous by thread: Re: code red goes on
Next by thread: Re: code red goes on
Index(es):
- Date
- Thread