From: Russell Fulton (r.fulton@auckland.ac.nz)
Date: Tue Nov 13 2001 - 16:17:20 CST

    On Tue, 13 Nov 2001 11:03:12 -0600 (CST) Neil Dickey
    <neil@geol.niu.edu> wrote:
    >
    > By the way, I noticed yesterday that someone seems to be trying to
    > get CodeRed1 going again.

    Code Red never went away; it just sleeps on the 19th (or 20th?) of the
    month and reawakens on the 1st. Since it is cleared by rebooting,
    many infections die off over the ten days. I have been watching this
    for the last few months. It is usually about the 10th that snort picks
    up the first .ida attack, and then for the next 10 days the rate slowly
    increases until by now I am seeing 2 or 3 an hour. (We have a /16
    address block and host lots of web servers.)

    The population of unpatched machines is now sparse enough that it takes
    many days to reach saturation.

    Others in this thread have bemoaned the fact that many reports of
    infection go unheeded. I agree that many do, but I believe that it is
    still worthwhile reporting incidents, particularly if they are coming
    from responsible organisations. Our network address block is in
    130.0.0.0/8 and so we see many scans from other addresses in this /8,
    which tends to be populated by large universities and corporations. I
    have been diligently reporting all machines in the /8 over the last
    couple of months, and on most days there are now only 3 or 4 machines
    (often at one site) scanning us from 130/8. Many other /8 blocks have
    upwards of 40 or 50 machines.

    Machines in 130/8 typically scan us at the rate of between 100 and 200
    probes per hour; those in other /8s at a rate of < 10 per hour. This is
    because of the bias to scan inside one's own /24 and /16. What puzzles
    me, however, is that we see the odd machine in some unrelated /8
    probing at very high rates (well over 100 per hour). On at least one
    occasion I verified (from the IDS) that the machine was attempting
    Nimda style attacks on any web server it found. Very strange.

    Russell Fulton, Computer and Network Security Officer
    The University of Auckland, New Zealand
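The post above reports what it sees by hand: .ida (Code Red) and Nimda-style probes, the hourly rate per scanning host, and how many scanners sit in our own /8 versus elsewhere. The script below is an added example, not code from the post or from the list, that does the same triage over web server access logs: it classifies each request, tallies probes and per-hour rate per source, flags whether the source shares our /8 (130.0.0.0/8, as stated in the post), and counts distinct scanners per /8. The sample log lines are constructed; the request signatures (`/default.ida?` for Code Red, `root.exe`/`cmd.exe` for Nimda-style probes) are my assumption of what those worms sent, not something the post spells out.

```python
"""Tally Code Red / Nimda-style web probes per source from Common Log Format lines."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Our own address block, as stated in the post (the university's /16 sits inside 130/8).
OWN_SLASH8 = ipaddress.ip_network("130.0.0.0/8")

# Request signatures. Assumption: these match the worms' probe URLs; the post itself only
# says ".ida attacks" and "Nimda style attacks".
SIGNATURES = {
    "codered": re.compile(r"/default\.ida\?", re.I),
    "nimda": re.compile(r"(root\.exe|cmd\.exe)", re.I),
}

# Common Log Format: host ident user [dd/Mon/yyyy:HH:MM:SS zone] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (addresses and payloads are made up; the Code Red query is truncated).
SAMPLE_LOG = """\
130.10.20.30 - - [13/Nov/2001:09:00:01 +1300] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 -
192.0.2.77 - - [13/Nov/2001:09:03:30 +1300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.77 - - [13/Nov/2001:09:03:31 +1300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
192.0.2.77 - - [13/Nov/2001:09:03:32 +1300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
130.10.20.30 - - [13/Nov/2001:09:10:44 +1300] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 -
198.51.100.9 - - [13/Nov/2001:09:15:00 +1300] "GET /index.html HTTP/1.0" 200 1843
130.10.20.30 - - [13/Nov/2001:09:25:12 +1300] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 -
198.51.100.9 - - [13/Nov/2001:11:00:01 +1300] "GET /index.html HTTP/1.0" 200 1843
"""


def classify(path):
    """Return the probe kind ('codered', 'nimda') or None for an ordinary request."""
    for name, rx in SIGNATURES.items():
        if rx.search(path):
            return name
    return None


def parse_line(line):
    """Parse one CLF line into (host, timestamp, path, kind); None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return m["host"], ts, m["path"], classify(m["path"])


def summarize(lines, own=OWN_SLASH8):
    """Per source: probe kinds, probe count, probes per hour over the log's time span
    (floored at one hour), and whether the source is inside our own /8."""
    per_src = defaultdict(lambda: {"kinds": set(), "probes": 0})
    times = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host, ts, _path, kind = rec
        times.append(ts)  # window is taken from every parsed line, probe or not
        if kind is not None:
            per_src[host]["kinds"].add(kind)
            per_src[host]["probes"] += 1
    window_h = 1.0
    if times:
        window_h = max((max(times) - min(times)).total_seconds() / 3600.0, 1.0)
    return {
        host: {
            "kinds": d["kinds"],
            "probes": d["probes"],
            "per_hour": d["probes"] / window_h,
            "same_slash8": ipaddress.ip_address(host) in own,
        }
        for host, d in per_src.items()
    }


def scanners_by_slash8(summary):
    """Count distinct scanning hosts per /8, the way the post reports '3 or 4 from 130/8'."""
    counts = defaultdict(int)
    for host in summary:
        counts[str(ipaddress.ip_network(f"{host}/8", strict=False))] += 1
    return dict(counts)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for host, d in sorted(s.items(), key=lambda kv: -kv[1]["per_hour"]):
        flag = "own /8" if d["same_slash8"] else "other /8"
        print(f"{host:16} {','.join(sorted(d['kinds'])):8} {d['probes']:4d} probes "
              f"{d['per_hour']:6.1f}/h  {flag}")
    print("scanners per /8:", scanners_by_slash8(s))
```

Run it against a real access log with `summarize(open(path))`; the sort by `per_hour` puts the "odd machine in some unrelated /8 probing at very high rates" that the post mentions at the top of the list, and `same_slash8` separates the neighbours you would report first from the rest.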

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com