Re: A watched pot never boils: The Return of Code Red
Thus said Sean Donelan on 01 Aug 2001 01:21:18 PDT:
> Any updates from the field?
Today I saw an extremely high number of scans of port 80 being blocked at the firewall for seemingly random IPs within our /21 at work. I wasn't really certain whether it was a distributed attack using spoofed IPs or whether it was related to Code Red... I'm still seeing them even now (I hope this isn't inappropriate for this list):

Aug 1 21:29:44 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 211.72.54.109:2162 216.250.133.18:80 L=48 S=0x00 I=16335 F=0x4000 T=111 SYN (#601)
Aug 1 21:29:45 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 148.245.219.161:2328 216.250.132.139:80 L=48 S=0x00 I=21203 F=0x4000 T=116 SYN (#601)
Aug 1 21:29:47 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 203.126.253.242:50221 216.250.135.40:80 L=48 S=0x00 I=24959 F=0x4000 T=106 SYN (#601)
Aug 1 21:29:49 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 63.214.199.137:4107 216.250.134.32:80 L=48 S=0x00 I=2393 F=0x4000 T=114 SYN (#601)
Aug 1 21:29:49 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 193.251.1.38:52206 216.250.130.33:80 L=48 S=0x00 I=20648 F=0x4000 T=101 SYN (#601)
Aug 1 21:29:49 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 217.83.8.106:3030 216.250.130.163:80 L=48 S=0x00 I=64392 F=0x4000 T=109 SYN (#601)
Aug 1 21:29:50 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 211.72.54.109:2162 216.250.133.18:80 L=48 S=0x00 I=18317 F=0x4000 T=111 SYN (#601)
Aug 1 21:29:50 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 66.57.43.29:4461 216.250.130.89:80 L=64 S=0x00 I=4773 F=0x0000 T=112 SYN (#601)
Aug 1 21:29:50 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 195.34.25.110:21213 216.250.128.7:80 L=48 S=0x00 I=39855 F=0x4000 T=112 SYN (#601)
Aug 1 21:29:50 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 203.126.253.242:50221 216.250.135.40:80 L=48 S=0x00 I=25095 F=0x4000 T=106 SYN (#601)
Aug 1 21:29:51 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 148.245.219.161:2328 216.250.132.139:80 L=48 S=0x00 I=21441 F=0x4000 T=116 SYN (#601)
Aug 1 21:29:52 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 63.168.101.197:1147 216.250.133.251:80 L=48 S=0x00 I=63886 F=0x4000 T=114 SYN (#601)
Aug 1 21:29:52 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 193.251.1.38:52206 216.250.130.33:80 L=48 S=0x00 I=20892 F=0x4000 T=101 SYN (#601)
Aug 1 21:29:53 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 66.57.43.29:4461 216.250.130.89:80 L=64 S=0x00 I=4840 F=0x0000 T=112 SYN (#601)
Aug 1 21:29:53 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 195.34.25.110:21213 216.250.128.7:80 L=48 S=0x00 I=40036 F=0x4000 T=112 SYN (#601)
Aug 1 21:29:55 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 63.168.101.197:1147 216.250.133.251:80 L=48 S=0x00 I=63983 F=0x4000 T=114 SYN (#601)
Aug 1 21:29:56 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 195.16.50.219:1363 216.250.134.218:80 L=48 S=0x00 I=23989 F=0x4000 T=114 SYN (#601)
Aug 1 21:29:56 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 208.62.155.69:40665 216.250.134.69:80 L=48 S=0x00 I=43342 F=0x4000 T=116 SYN (#601)
Aug 1 21:29:57 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 203.126.253.242:50221 216.250.135.40:80 L=48 S=0x00 I=25408 F=0x4000 T=106 SYN (#601)
Aug 1 21:29:59 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 195.16.50.219:1363 216.250.134.218:80 L=48 S=0x00 I=24244 F=0x4000 T=114 SYN (#601)
Aug 1 21:29:59 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 66.57.43.29:4461 216.250.130.89:80 L=64 S=0x00 I=4990 F=0x0000 T=112 SYN (#601)
Aug 1 21:29:59 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 193.251.1.38:52206 216.250.130.33:80 L=48 S=0x00 I=21512 F=0x4000 T=101 SYN (#601)
Aug 1 21:29:59 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 208.62.155.69:40665 216.250.134.69:80 L=48 S=0x00 I=45235 F=0x4000 T=116 SYN (#601)

Andy
--
GnuPG ID 0xA63888C9 (D2DA 68C9 BB2B 26B4 8204 2219 A43E F450 A638 88C9)
[-----------[system uptime]--------------------------------------------]
9:30pm up 22 days, 20:09, 6 users, load average: 1.22, 1.16, 1.18
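As an added example (not part of Andy's post), a small Python triage script for the question the post raises: it parses the ipchains "Packet log" lines quoted above and separates sources that retransmit the very same SYN (same source port, unchanged TTL, rising IP ID, which is what a real TCP stack does and what a spoofed one-shot flood normally does not) from single-shot sources. The five sample entries are copied from the log above; the retransmission heuristic and the function names are mine, not the post's.

```python
import re
from collections import defaultdict

# ipchains "Packet log" syslog format as quoted in the post (PROTO=6 is TCP).
LOG_RE = re.compile(
    r"kernel: Packet log: \S+ (?P<action>\S+) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+) "
    r"(?P<flags>[A-Z ]*)\(#\d+\)"
)
# Five entries copied from the firewall log quoted in the post.
SAMPLE = [
    "Aug 1 21:29:44 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 211.72.54.109:2162 216.250.133.18:80 L=48 S=0x00 I=16335 F=0x4000 T=111 SYN (#601)",
    "Aug 1 21:29:45 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 148.245.219.161:2328 216.250.132.139:80 L=48 S=0x00 I=21203 F=0x4000 T=116 SYN (#601)",
    "Aug 1 21:29:49 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 217.83.8.106:3030 216.250.130.163:80 L=48 S=0x00 I=64392 F=0x4000 T=109 SYN (#601)",
    "Aug 1 21:29:50 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 211.72.54.109:2162 216.250.133.18:80 L=48 S=0x00 I=18317 F=0x4000 T=111 SYN (#601)",
    "Aug 1 21:29:51 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 148.245.219.161:2328 216.250.132.139:80 L=48 S=0x00 I=21441 F=0x4000 T=116 SYN (#601)",
]

def parse(line):
    """Fields of one entry, or None if the line is not an ipchains log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = {k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()}
    d["flags"] = d["flags"].split()  # e.g. ["SYN"]
    return d

def triage(lines):
    """Group denied port-80 SYNs by (src, sport, dst) and count repeats.
    A repeat with the same source port, unchanged TTL and rising IP ID looks like
    a real TCP stack retransmitting its SYN (a live host), not a spoofed one-shot
    flood source.  This is a heuristic, not proof."""
    flows = defaultdict(list)
    for line in lines:
        p = parse(line)
        if p and p["action"] == "DENY" and p["proto"] == 6 \
                and p["dport"] == 80 and "SYN" in p["flags"]:
            flows[(p["src"], p["sport"], p["dst"])].append(p)
    report = {}
    for key, pkts in flows.items():
        ipids = [p["ipid"] for p in pkts]
        report[key] = {"attempts": len(pkts),
                       "retransmit_like": len(pkts) > 1 and ipids == sorted(ipids)
                       and len({p["ttl"] for p in pkts}) == 1}
    return report

def live_sources(lines):
    """Source IPs whose SYNs to one target repeat the way a real stack's do."""
    return sorted({s for (s, _, _), r in triage(lines).items() if r["retransmit_like"]})
```

Run over the full log above, it lists the sources that behave like real hosts retrying a connection, which is the pattern expected from worm-infected machines rather than from a spoofed SYN flood.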
participants (1)
-
Andy Bradford