From: Michael Tucker (mtucker@energygraphics.com)
Date: Thu Aug 02 2001 - 15:40:23 CDT
I offer three theoretical explanations for the observed increase in bogus
activity:
1) The original attackers (or some copycats inspired by them), seeing the
success of Code Red, are pressing the attack using a variety of methods.
2) All this media hype has inspired every bored kid who's still on summer
break to see what they can hack into before they have to go back to school.
3) We (sysadmins) are being much more observant than usual, due to our
concerns about Code Red. The paradox of Schrödinger's Cat applies: (our
perception of) the data has been affected by our observation.
I'm voting for 4) All the above. :-)
Yours,
Michael
-----
Michael C. Tucker | Java Developer
Energy Graphics, Inc. | Software Engineer
mtucker@energygraphics.com | Sun Certified System Engineer
It's the action, not the fruit of the action that's important. You have
to do the right thing... You may never know what results come from your
action. But if you do nothing, there will be no result. (Gandhi)
> -----Original Message-----
> From: Paul Gear [mailto:paulgear@bigfoot.com]
> Sent: Thursday, August 02, 2001 9:01 AM
> To: SecurityFocus Incidents List
> Subject: Re: Code red probe followed by udp port 10x
>
>
> I've seen quite a few similar probes, but always on 1025. Previously
> i have found information that suggests that this is a Windows NT RPC
> service.
>
> My log entries look like this:
> Aug 1 16:23:13 ### kernel: Packet log: input DENY ppp0 PROTO=17
> 65.4.247.60:1158 ###:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)
>
> I've only ever had one such probe before, but yesterday i got around
> 20 total, from diverse networks (home.com, kornet.net, hinet.net,
> chinanet.cn.net, etc.).
>
> However, i can't see any direct correlation with Code Red - i got 56
> probes from Code Red on 20 July, then nothing until today (2 August,
> GMT+1000 timezone) - 24 of them so far. Is someone perhaps trying to
> hide some other probe activity in Code Red's traffic?
>
> Paul
> http://paulgear.webhop.net
>
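The log line Paul quotes is in the Linux ipchains "Packet log:" format. The following is an added example, not code from either poster, that parses such lines and tallies denied UDP datagrams to port 1025 per day together with the number of distinct source /24 networks, which is the "around 20 total, from diverse networks" observation turned into a check. The sample log lines, the host name and the destination address are constructed; the field order is assumed from the quoted entry.

```python
import re
from collections import Counter, defaultdict

# ipchains "Packet log:" line, fields in the order seen in the quoted entry
# (chain, verdict, interface, PROTO=, src:port, dst:port, L=...). Assumed layout.
IPCHAINS_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>[\d:]+)\s+\S+\s+kernel:\s+"
    r"Packet log:\s+(?P<chain>\w+)\s+(?P<verdict>\w+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+L=(?P<len>\d+)"
)


def parse_line(line):
    """Return a dict of fields for an ipchains packet-log line, or None."""
    m = IPCHAINS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("day", "proto", "sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec


def summarize_udp_probes(lines, dport=1025, proto=17):
    """Map 'Mon D' -> (denied datagrams to dport, distinct source /24s)."""
    per_day = Counter()
    nets_per_day = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "DENY":
            continue
        if rec["proto"] != proto or rec["dport"] != dport:
            continue
        day = f'{rec["mon"]} {rec["day"]}'
        per_day[day] += 1
        nets_per_day[day].add(".".join(rec["src"].split(".")[:3]))
    return {day: (per_day[day], len(nets_per_day[day])) for day in per_day}


# Constructed sample: four UDP/1025 probes on Aug 1 from three /24s, one TCP/80
# probe and one UDP/1026 datagram that must be ignored, one earlier UDP/1025
# probe on Jul 20, and one unrelated kernel line.
SAMPLE_LOG = """\
Aug  1 16:23:13 myhost kernel: Packet log: input DENY ppp0 PROTO=17 65.4.247.60:1158 192.0.2.10:1025 L=37 S=0x00 I=21911 F=0x0000 T=116 (#66)
Aug  1 16:40:02 myhost kernel: Packet log: input DENY ppp0 PROTO=17 65.4.247.61:1302 192.0.2.10:1025 L=37 S=0x00 I=4021 F=0x0000 T=118 (#66)
Aug  1 18:05:44 myhost kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.5:1044 192.0.2.10:1025 L=37 S=0x00 I=9 F=0x0000 T=110 (#66)
Aug  1 21:17:09 myhost kernel: Packet log: input DENY ppp0 PROTO=17 198.51.100.77:1211 192.0.2.10:1025 L=37 S=0x00 I=777 F=0x0000 T=120 (#66)
Aug  1 21:17:10 myhost kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:2034 192.0.2.10:80 L=48 S=0x00 I=1 F=0x4000 T=112 (#60)
Aug  1 21:30:00 myhost kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.5:1045 192.0.2.10:1026 L=37 S=0x00 I=10 F=0x0000 T=110 (#66)
Jul 20 03:12:55 myhost kernel: Packet log: input DENY ppp0 PROTO=17 203.0.113.5:1040 192.0.2.10:1025 L=37 S=0x00 I=5 F=0x0000 T=110 (#66)
Aug  1 17:00:00 myhost kernel: ppp0: connected
"""
```

Running `summarize_udp_probes(SAMPLE_LOG.splitlines())` on the constructed sample gives `{"Aug 1": (4, 3), "Jul 20": (1, 1)}`; a day whose probe count and source diversity both jump is the signal worth correlating against the Code Red (TCP/80) entries.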
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com