Code Red

Dave Stewart wrote:

>Reports from our monitoring systems saw the CPU usage jump by somewhere
>between 150-200% for our core routers today; our current theory is that

Web servers that were hit beginning this morning at 11:26:41 EDT have not
seen another attempt since 19:49:53.

I'm wondering if this because it was coming up on 00:00:00 GMT 20-July-2001.

According to the PC-Cillin write up, the 100-thread scan only takes place
if the system date is less than 20, but if it's 20-28, it launches it's DOS
attack at

Does anybody really know yet what payloads this thing is carrying?

That would roughly correspond with the dropoff in CPU usage, here. Not
proof, but... reasonably strong circumstantial. I guess we'll see for
sure tomorrow, depending on how the traffic stats look.