RE: code red goes on
On Mon, 6 Aug 2001, Ian Perry wrote:
>
>
>> -----Original Message-----
>> From: Alan Shutko [mailto:ats@acm.org]
>> Sent: Friday, August 03, 2001 11:18 PM
>> To: debian-user@lists.debian.org
>> Subject: Re: code red goes on
>>
>>
>> "Karsten M. Self" <kmself@ix.netcom.com> writes:
>>
>> > Anyone noting trends between 7/20 and 8/2? I've got 30 v. 49,
>> > respectively. Looks like this is actually the bigger attack.
>>
>> http://www.incidents.org says that we've already gotten more infected
>> machines than July 20th, although probes seem to have leveled off.
>>
>> I've heard that this is a slight change on the original code red which
>> seeds the RNG used to pick hosts to try, and it's thus hitting lots of
>> hosts which weren't in the first round.
>>
>
>There has definately been a change in the original form of the attacks from
># GET /default.ida?NNNNN -snip- NN%u9090% -snip- 0%u00=a HTTP/1.0
normal CodeRed
>to
># GET /default.ida?XXXXX -snip- XX%u9090% -snip- 0%u00=a HTTP/1.0
CodeRed2. Nastier: it also copies cmd.exe to root.exe, and installs a
pseudo-r00tkit. If the IIS admins didn't learn the first time, they got
screwed hardcore the second. Not even a reacharound this time.
>The second packet is also much shorter (with less X's), although the tail is
>the same.
>
>The increase in traffic over the last few days has been marked.
>
>Sept - 0 hits
>1 Aug - 3 hits 0.1 per hr
>2 Aug - 22 hits 0.9/hr
>3 Aug - 33 Hits 1.4/hr
>4 Aug - 41 Hits 1.7/hr
>5 Aug - 167 Hits 6.9/hr
>6 Aug - 79 Hits 10.0/hr (only 8 hrs of data)
>
>I can see this is going to be a real problem in the upcoming weeks.
>
>I have noticed on the end of each access in the log, Apache gives "404 205"
>404 I guess means page not found, but on two occassions it looks like
>it gave a "200 - ". Strange. I thought a valid access was 200.
>
>Ian
>
>
>
>
>
>
>
--
Sacred cows make the best burgers
Who is John Galt? galt@inconnu.isu.edu, that's who!!!
Reply to: