Re: [iwar] Code red variants in increasing numbers

From: John Heard (jheard@bey.com)
Date: 2001-08-05 09:39:02



I can confirm this across the board; we're seeing the same thing, and we've 
had to start reprogramming our monitoring systems, as these hits have 
started to overload them with requests for default.ida. I've got a feeling 
this is going to get worse. There really needs to be a system in place 
somewhere, like the one that is used for spam, to notify networks which machines on 
their networks are infected so they can disconnect them till they remove 
the virus. It takes a lot of time to manually try and track down each of 
these and notify a sys admin.

Best regards,

John Heard

___________________________________________
B  e  y  o  n  d    E  n  g  i  n  e  e  r  i  n  g
a division of CJ Group Inc.
Home of IP-Delivery.com and WordSpot.com
mailto:jheard@bey.com - http://www.bey.com
620.496.2682 voice - 620.496.2020 fax
1007 US Highway 54 West -   La Harpe, KS  66751  US



At 08:51 PM 8/4/01 -0700, you wrote:
>Looks like there are more Code Red variants on the way...  One with Xs
>in the overrun sequence, one with Os in the overrun sequence.  They seem
>to be running at a higher rate and through cable modem and DSL IP
>addresses for now.  To get a sense, on random IP addresses, I am now
>getting red code requests at a rate of one every few minutes -
>sustained...
>
>This issue is not anywhere near dead yet as far as I can tell...
>
>FC
>--This communication is confidential to the parties it is intended to serve--
>Fred Cohen              Fred Cohen & Associates.........tel/fax:925-454-0171
>fc@all.net              The University of New Haven.....http://www.unhca.com/
>http://all.net/         Sandia National Laboratories....tel:925-294-2087
>
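One way to automate the tracking John describes (finding which source addresses are hammering a server with default.ida probes and grouping them by network so one notice per network owner can go out). This is an added example, not code from the original message or from any tool it mentions; it assumes Apache common log format, and the log lines below are constructed, not real traffic.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample log lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
10.1.2.3 - - [05/Aug/2001:09:12:01 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 325
10.1.2.3 - - [05/Aug/2001:09:14:40 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 325
10.1.2.77 - - [05/Aug/2001:09:15:02 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090 HTTP/1.0" 404 325
192.0.2.9 - - [05/Aug/2001:09:16:11 -0700] "GET /index.html HTTP/1.0" 200 1043
192.0.2.9 - - [05/Aug/2001:09:17:30 -0700] "GET /default.ida?OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO%u9090 HTTP/1.0" 404 325
"""

# Fields of one common-log-format line: source IP, and the method/path of the request.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')
# A default.ida request whose query string opens with a long run of one repeated
# character (the overrun filler), whichever filler character the variant uses.
PROBE_RE = re.compile(r'^/default\.ida\?(.)\1{19,}', re.IGNORECASE)


def is_probe(path):
    """True if the request path looks like a Code Red style default.ida probe."""
    return PROBE_RE.match(path) is not None


def parse_probe_sources(log_text):
    """Count probe requests per source IP over the given log text."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_probe(m.group("path")):
            hits[m.group("ip")] += 1
    return hits


def group_by_network(hits, prefix=24):
    """Group probing sources by /prefix so each network owner gets a single notice."""
    nets = defaultdict(dict)
    for ip, count in hits.items():
        net = ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)][ip] = count
    return dict(nets)


def notification_report(log_text, prefix=24):
    """Map each source network to its probing hosts and their request counts."""
    return group_by_network(parse_probe_sources(log_text), prefix)


if __name__ == "__main__":
    for net, hosts in sorted(notification_report(SAMPLE_LOG).items()):
        print(net, hosts)
```

The report is keyed by /24 as a stand-in for "the network to notify"; a real run would look the prefix up in whois or an internal allocation table instead.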



This archive was generated by hypermail 2.1.2 : 2001-09-29 21:08:39 PDT