RE: code red goes on
> -----Original Message-----
> From: Alan Shutko [mailto:ats@acm.org]
> Sent: Friday, August 03, 2001 11:18 PM
> To: debian-user@lists.debian.org
> Subject: Re: code red goes on
>
>
> "Karsten M. Self" <kmself@ix.netcom.com> writes:
>
> > Anyone noting trends between 7/20 and 8/2? I've got 30 v. 49,
> > respectively. Looks like this is actually the bigger attack.
>
> http://www.incidents.org says that we've already gotten more infected
> machines than July 20th, although probes seem to have leveled off.
>
> I've heard that this is a slight change on the original code red which
> seeds the RNG used to pick hosts to try, and it's thus hitting lots of
> hosts which weren't in the first round.
>
There has definately been a change in the original form of the attacks from
# GET /default.ida?NNNNN -snip- NN%u9090% -snip- 0%u00=a HTTP/1.0
to
# GET /default.ida?XXXXX -snip- XX%u9090% -snip- 0%u00=a HTTP/1.0
The second packet is also much shorter (with less X's), although the tail is
the same.
The increase in traffic over the last few days has been marked.
Sept - 0 hits
1 Aug - 3 hits 0.1 per hr
2 Aug - 22 hits 0.9/hr
3 Aug - 33 Hits 1.4/hr
4 Aug - 41 Hits 1.7/hr
5 Aug - 167 Hits 6.9/hr
6 Aug - 79 Hits 10.0/hr (only 8 hrs of data)
I can see this is going to be a real problem in the upcoming weeks.
I have noticed on the end of each access in the log, Apache gives "404 205"
404 I guess means page not found, but on two occassions it looks like
it gave a "200 - ". Strange. I thought a valid access was 200.
Ian
Reply to: