RE: .ida Intrusion Attempt

From: Keith.Morgan (Keith.Morgan_at_Terradon.com)
Date: 07/19/01


We are seeing the probes being directed to *any* server, at random,
regardless of their DNS name. A side note, we've seen a 2000% increase in
the past four hours of probes for the IDA vulnerability. All of them that I
have investigated have had identical signatures, and appear to be actions of
the "code red" worm.

> -----Original Message-----
> From: Colby Rice [mailto:crice_at_180096hotel.com]
> Sent: Thursday, July 19, 2001 1:29 PM
> Cc: incidents_at_securityfocus.com; focus-ids_at_securityfocus.com
> Subject: RE: .ida Intrusion Attempt
>
>
> Has anyone else noticed that it is only hitting www. servers? Or am I
> just lucky? I am getting many, many attempts but ONLY on my
> www.<whatever> servers. I DO have servers with port 80 open to the
> outside world that ARE NOT getting hit. From everything I have read on
> this worm, it is picking its IPs at random, and if that is the case then
> I should have been hit on something OTHER than these (few) www.
> servers.
>
> (or am I missing something?)
>
> CR
>

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com


