My little Class C seems to be getting 3-6 attempts per second to connect to Port 80 on various IPs at the present time. Is this about average? -=[L]=-
Hello Lou,
It's more than what I am getting. Nevertheless, since this started again I'm seeing a lot more attempts than in July.
Michael...
On Sat, 4 Aug 2001, Lou Katz wrote:
My little Class C seems to be getting 3-6 attempts per second to connect to Port 80 on various IPs at the present time. Is this about average?
-=[L]=-
Yes, it's true, I fixed the attribution. Young whippersnappers!
michael@aplatform.com wrote:
On Sat, 4 Aug 2001, Lou Katz wrote:
My little Class C seems to be getting 3-6 attempts per second to connect to Port 80 on various IPs at the present time. Is this about average?
It's more than what I am getting. Nevertheless, since this started again I'm seeing a lot more attempts than in July.
I see about 300% more attempts than in July, but close to one-third of those do not appear to be code red. They seem to be what I would have suspected: people trying to mask attempts under the noise of code red. Nonetheless, it is getting annoying enough that I am close to moving all the windoze machines off to a private switched network until this is over.
No, I'm not afraid of them being compromised, but some of them do seem to be getting hit harder than the rest of my computers. What I don't understand is why my OpenBSD laptop attracts so much attention.
uname -a shows OpenBSD scorpion 2.6 GENERIC#696 i386, hardly an attractive target for code red in my book. No, it's not running a web server. The only service it actually offers is sshd.
At first it was interesting, then annoying, now it's just boring. Most of the non-code red attempts I see are from apnic, for what that's worth.
-- You've confused equality of opportunity for equality of outcomes, and have seriously confused justice with equality. -- Woodchuck
Hello Etaoin,
On Sat, 4 Aug 2001, Etaoin Shrdlu wrote:
Yes, it's true, I fixed the attribution. Young whippersnappers!
michael@aplatform.com wrote:
On Sat, 4 Aug 2001, Lou Katz wrote:
My little Class C seems to be getting 3-6 attempts per second to connect to Port 80 on various IPs at the present time. Is this about average?
It's more than what I am getting. Nevertheless, since this started again I'm seeing a lot more attempts than in July.
I see about 300% more attempts than in July, but close to one-third of those do not appear to be code red. They seem to be what I would have suspected: people trying to mask attempts under the noise of code red. Nonetheless, it is getting annoying enough that I am close to moving all the windoze machines off to a private switched network until this is over.
I can see they are "valid" CR attempts...
No, I'm not afraid of them being compromised, but some of them do seem to be getting hit harder than the rest of my computers. What I don't understand is why my OpenBSD laptop attracts so much attention.
uname -a shows OpenBSD scorpion 2.6 GENERIC#696 i386, hardly an attractive target for code red in my book. No, it's not running a web server. The only service it actually offers is sshd.
At first it was interesting, then annoying, now it's just boring. Most of the non-code red attempts I see are from apnic, for what that's worth.
-- You've confused equality of opportunity for equality of outcomes, and have seriously confused justice with equality. -- Woodchuck
I also noticed requests that use "XXXXXXXXX" instead of "NNNNNNNNNN". In fact I see more X's than N's as of this morning.
Grisha
On Sat, 4 Aug 2001, Lou Katz wrote:
My little Class C seems to be getting 3-6 attempts per second to connect to Port 80 on various IPs at the present time. Is this about average?
-=[L]=-
Hello,
Very interesting. I'm seeing the NNNNNNNNNNNNNNNNNNNN's as it was in July.
Michael...
On Sat, 4 Aug 2001, Gregory (Grisha) Trubetskoy wrote:
I also noticed requests that use "XXXXXXXXX" instead of "NNNNNNNNNN". In fact I see more X's than N's as of this morning.
Grisha
On Sat, 4 Aug 2001, Lou Katz wrote:
My little Class C seems to be getting 3-6 attempts per second to connect to Port 80 on various IPs at the present time. Is this about average?
-=[L]=-
N's versus X's on a server with a block of 5 IP's as of August 1, 4AM EDT:
4:53:42pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep NNNNN|wc -l
436
4:53:48pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep XXXXX | wc -l
6
On Sat, 4 Aug 2001 michael@aplatform.com wrote:
Hello,
Very interesting. I'm seeing the NNNNNNNNNNNNNNNNNNNN's as it was in July.
Michael...
On Sat, 4 Aug 2001, Gregory (Grisha) Trubetskoy wrote:
I also noticed requests that use "XXXXXXXXX" instead of "NNNNNNNNNN". In fact I see more X's than N's as of this morning.
Grisha
On Sat, 4 Aug 2001, Lou Katz wrote:
My little Class C seems to be getting 3-6 attempts per second to connect to Port 80 on various IPs at the present time. Is this about average?
-=[L]=-
-- Bob <melange@yip.org> | Yes. I know. That is, indeed, *not* mayonnaise.
Bob,
I guess they will get around to me as I don't show any XXX. Only a hundred or so NNNN.
Michael...
On Sat, 4 Aug 2001, Bob K wrote:
N's versus X's on a server with a block of 5 IP's as of August 1, 4AM EDT:
4:53:42pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep NNNNN|wc -l
436
4:53:48pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep XXXXX | wc -l
6
On Sat, 4 Aug 2001 michael@aplatform.com wrote:
Hello,
Very interesting. I'm seeing the NNNNNNNNNNNNNNNNNNNN's as it was in July.
Michael...
On Sat, 4 Aug 2001, Gregory (Grisha) Trubetskoy wrote:
I also noticed requests that use "XXXXXXXXX" instead of "NNNNNNNNNN". In fact I see more X's than N's as of this morning.
Grisha
On Sat, 4 Aug 2001, Lou Katz wrote:
My little Class C seems to be getting 3-6 attempts per second to connect to Port 80 on various IPs at the present time. Is this about average?
-=[L]=-
-- Bob <melange@yip.org> | Yes. I know. That is, indeed, *not* mayonnaise.
On Sat, 4 Aug 2001, Bob K wrote:
N's versus X's on a server with a block of 5 IP's as of August 1, 4AM EDT:
4:53:42pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep NNNNN|wc -l
436
4:53:48pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep XXXXX | wc -l
6
I've started seeing LOTS of XXXXX hits as of approx 1 hour ago. 5 in one hour and counting...
On Sat, 4 Aug 2001, Av wrote:
4:53:48pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep XXXXX | wc -l 6
I've started seeing LOTS of XXXXX hits as of approx 1 hour ago. 5 in one hour and counting...
Just for reference, here's the logs of this new variant: 211.194.55.233 - - [04/Aug/2001:11:52:42 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281 "-" "-" 213.57.146.75 - - [04/Aug/2001:14:38:06 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 282 "-" "-" 202.110.201.18 - - [04/Aug/2001:14:46:37 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 273 "-" "-" 200.203.173.193 - - [04/Aug/2001:15:25:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-" user-v3qslgs.biz.mindspring.com - - [04/Aug/2001:15:40:06 -0400] "GET 
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-" 202.106.106.190 - - [04/Aug/2001:15:57:10 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 735 "-" "-" Note that the earliest one hit at 11:52 today... -- Bob <melange@yip.org> | Yes. I know. That is, indeed, *not* mayonnaise.
Le (On) Sat, Aug 04, 2001 at 05:14:09PM -0400, Bob K ecrivit (wrote):
4:53:48pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep XXXXX | wc -l 6
I've started seeing LOTS of XXXXX hits as of approx 1 hour ago. 5 in one hour and counting...
Just for reference, here's the logs of this new variant:
Pretty interesting, maybe all nanog-post subscribers could share their experience with this worm too. Especially if you've seen a lot of non-[XN] alphanumerical chars.
Sorry, but this worm caused more damages to mailing lists than anything else, on the Internet. Looks more like a chain-letter...
Speaking of sharing experiences, it is beating the crap out of our unix servers. We installed application firewalls on all the NT machines and they were patched anyway before the last one hit. But all the requests to port 80 are taking down the webserver and affecting the machine because of access logs.
bummer. :(
On Saturday 04 August 2001 16:24, you wrote:
Le (On) Sat, Aug 04, 2001 at 05:14:09PM -0400, Bob K ecrivit (wrote):
4:53:48pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep XXXXX | wc -l 6
I've started seeing LOTS of XXXXX hits as of approx 1 hour ago. 5 in one hour and counting...
Just for reference, here's the logs of this new variant:
Pretty interesting, maybe all nanog-post subscribers could share their experience with this worm too. Especially if you've seen a lot of non-[XN] alphanumerical chars.
Sorry, but this worm caused more damages to mailing lists than anything else, on the Internet. Looks more like a chain-letter...
-- Advanced Hosting UNIX Admin | Daniel Fairchild danielf@supportteam.net
To rate my service or provide feedback, please visit the following URL: http://www.supportteam.net/rate.php3
Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
Yup, I'm seeing the XXXX's now. :(( Another round??
Michael...
On Sat, 4 Aug 2001, Advanced Hosting UNIX Admin Daniel Fairchild wrote:
Speaking of sharing experiences, it is beating the crap out of our unix servers. We installed application firewalls on all the NT machines and they were patched anyway before the last one hit. But all the requests to port 80 are taking down the webserver and affecting the machine because of access logs.
bummer. :(
On Saturday 04 August 2001 16:24, you wrote:
Le (On) Sat, Aug 04, 2001 at 05:14:09PM -0400, Bob K ecrivit (wrote):
4:53:48pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep XXXXX | wc -l 6
I've started seeing LOTS of XXXXX hits as of approx 1 hour ago. 5 in one hour and counting...
Just for reference, here's the logs of this new variant:
Pretty interesting, maybe all nanog-post subscribers could share their experience with this worm too. Especially if you've seen a lot of non-[XN] alphanumerical chars.
Sorry, but this worm caused more damages to mailing lists than anything else, on the Internet. Looks more like a chain-letter...
-- Advanced Hosting UNIX Admin | Daniel Fairchild danielf@supportteam.net
To rate my service or provide feedback, please visit the following URL: http://www.supportteam.net/rate.php3
Unix is like a wigwam -- no Gates, no Windows, and an Apache inside.
Sameh Ghane wrote:
Sorry, but this worm caused more damages to mailing lists than anything else, on the Internet. Looks more like a chain-letter...
Dunno why you would think this was other than operational. As a small provider serving almost entirely dial-up, we still have enough of this to swamp almost entirely all of our outbound links. And as soon as we kill them, they pop up on another IP. The support costs are going to hurt, bad.
Inbound isn't too bad, I guess CEF and WFQ works to protect individual machines from overload at T1 rates. We won't have much of an attack problem on our own machines, as we are a Macintosh/Linux/OpenBSD shop. We have only 2 Windows machines to train tech support....
Meanwhile, the SirCam worm is eating disk space, and we have folks calling because it takes too long to download their mail, or the POP session fails entirely (another M$ problem with large messages). The support costs are hurting on this, too.
It seems to me that somebody needs to write a version of Code Red that wipes all .exe and .dll in the windows directory, forcing an update of both windows and office. Anybody game?
-- William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
On Sat, 4 Aug 2001, Bob K wrote:
N's versus X's on a server with a block of 5 IP's as of August 1, 4AM EDT:
4:53:42pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep NNNNN|wc -l
436
4:53:48pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep XXXXX | wc -l
6
Checking back, the first XXXX one I saw was about 9 hours ago, since then the number of XXXX and NNNN accesses has been about even. Actually, checking other logs I would say XXX accesses are the majority (over 80%) in the last 4 or 5 hours.
I would guess a better version, perhaps it deletes the old Code Red copy when it infects a machine, which enables it to grow so fast.
-- Simon Lyall. | Newsmaster | Work: simon.lyall@ihug.co.nz
Senior Network/System Admin | Postmaster | Home: simon@darkmere.gen.nz
ihug, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
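The grep counts Bob K posted, his sample log entries, and the per-hour ratio Simon describes, generalised into a small classifier. This is an added example, not code from any poster: it parses Apache-style access-log lines, recognises the default.ida probe by its long run of N or X filler followed by the %u-encoded payload, and tallies hits per variant, per hour and per distinct source address. The log lines are constructed (192.0.2.0/24 documentation addresses); the payload fragment is copied from the entries quoted in the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common/combined log line: host ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" \d{3} \S+')
# The probe: GET /default.ida? plus a long run of one filler character (N in the July
# worm, X in the variant seen on 4 Aug) and then the %u-encoded payload. Short 404s skip.
IDA_RE = re.compile(r'^GET /default\.ida\?(?P<fill>N{100,}|X{100,})%u')

def classify(line):
    """Return (variant, source host, hour bucket) for a worm probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    r = IDA_RE.match(m.group('req'))
    if not r:
        return None
    variant = r.group('fill')[0]                       # 'N' or 'X'
    when = datetime.strptime(m.group('time')[:20], '%d/%b/%Y:%H:%M:%S')
    return variant, m.group('host'), when.strftime('%Y-%m-%d %H:00')

def summarize(lines):
    """Tally probes per variant, per (hour, variant), and distinct sources per variant."""
    per_variant, per_hour, sources = Counter(), Counter(), {}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue                                   # ordinary traffic, not a probe
        variant, host, hour = hit
        per_variant[variant] += 1
        per_hour[(hour, variant)] += 1
        sources.setdefault(variant, set()).add(host)
    return per_variant, per_hour, sources

# Constructed sample log; the payload fragment is the one quoted in the thread.
PAYLOAD = ('%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
           '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a')

def probe(host, when, fill):
    return f'{host} - - [{when} -0400] "GET /default.ida?{fill * 224}{PAYLOAD} HTTP/1.0" 404 281 "-" "-"'

SAMPLE_LOG = [
    probe('192.0.2.10', '04/Aug/2001:11:52:42', 'X'),
    probe('192.0.2.11', '04/Aug/2001:11:58:03', 'N'),
    probe('192.0.2.12', '04/Aug/2001:14:38:06', 'X'),
    probe('192.0.2.10', '04/Aug/2001:14:46:37', 'X'),
    '192.0.2.50 - - [04/Aug/2001:14:50:00 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
    '192.0.2.51 - - [04/Aug/2001:14:51:00 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 281 "-" "-"',
]
```

Feeding a real httpd-access.log through `summarize` (one line per list element) gives the same N-versus-X split as the two grep pipelines, plus the per-hour trend and the number of distinct infected sources behind it.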
On Sat, 4 Aug 2001, Gregory (Grisha) Trubetskoy wrote:
I also noticed requests that use "XXXXXXXXX" instead of "NNNNNNNNNN". In fact I see more X's than N's as of this morning.
I've got 18 with XXXXX's and 38 with NNNNNNN's, and that was with my web server down for part of the day.
Regards,
-- Joseph W. Shaw II
Network Security Specialist/CCNA
Unemployed. Will hack for food. God Bless. Apparently I'm overqualified but undereducated to be employed.
participants (11):
- Advanced Hosting UNIX Admin Daniel Fairchild
- Av
- Bob K
- Etaoin Shrdlu
- Gregory (Grisha) Trubetskoy
- Joe Shaw
- Lou Katz
- michael@aplatform.com
- Sameh Ghane
- Simon Lyall
- William Allen Simpson