I think this shouldgo here.. Mistype nanog.... Jim
-----Original Message----- From: Johannes Ullrich [mailto:jullrich@euclidian.com] Sent: Tuesday, March 18, 2003 1:10 PM To: McBurnett, Jim Cc: anog@merit.edu Subject: Re: Code red- Returning?
Yes. This month, we are tracking about twice as many sources as usual scanning port 80. The likely reason is the release of Code Red F earlier this month.
graph of port 80 activity for the last 2+months: ttp://www.dshield.org/port_report.php?port=80&days=70
In addition, there are some spikes in the number of targets scanned, which could be target list acquisitions for the next big thing (maybe the WebDav exploit).
AFAIK, the only difference for Code Red F is that it changed the 'cut off year' at which it will stop scanning. So it probably infected some machines that due to clock settings where not infected by the other versions. But I haven't had a chance to look at it in detail.
On Tue, 18 Mar 2003 12:50:17 -0500 "McBurnett, Jim" <jmcburnett@msmgmt.com> wrote:
Has anyone out there noticed an increase in a Code-Red patterned virus? I know about the Microsoft bug that came out yesterday/last night. But I am seeing the same symptoms as Code Red, 800+ hits in the last 12 hours, from the same Class A network I am on. The amount is increasing per hour.. It started with 50 the first hour and now it just about 150 an hour...
Thoughts?
thanks, Jim
-- -------------------------------------------------------------------- jullrich@euclidian.com Collaborative Intrusion Detection join http://www.dshield.org