Security Incidents mailing list archives

RE: Code Red, anyone?

From: "Coen Bongers" <CoB () Kikke Net>
Date: Wed, 1 Aug 2001 12:56:43 +0200

Hi all,

I'm starting to see the first infection attempts to systems on the cable
modem netblock on my snort IDS at home.

(Funny, I can see all the traffic in mij neighbourhood on my cable modem
connection, is that normal?)  ;-)

Some relative info:

Snort 1.7 with standard rules, and the CodeRed additional rules.

                                                                                Source          Dest
#0-(6-107)  CodeRed Defacement 2001-08-01 09:44:58  211.205.83.13:2008
212.xxx.xxx.xxx:80  TCP
#1-(6-131)  CodeRed Defacement 2001-08-01 11:17:50  211.41.180.163:2566
212.xxx.xxx.yyy:80  TCP

Time is in GMT +1 and as far I can tell are the sources two closely related
Korean hosts
And a quick scan with the eEye CodeRed scanner (Thank you quys!!) is telling
me that both servers are to be considered vulnerable.

Is it starting, or am I just (un)lucky to see a couple???

take care,

Coen Bongers
Senior Network Engineer

Mobiel: 06-2001 7443
E-mail: CoB () Kikke net


-----Original Message-----
From: Alfred Huger [mailto:ah () securityfocus com]
Sent: woensdag 1 augustus 2001 3:31
To: incidents () securityfocus com
Subject: Code Red, anyone?




I realize that most of you have taken shelter and are awaiting the
impending demise of the Internet s we know it. However for those of you
stalwart bastions of courage who are still manning the ship in the face of
this clear and present danger, I have a question. Anyone seeing Code Red
activity yet?

I just took a poll through our sensors in ARIS and see almost no activity
at least none worth commenting on. Anyone else?


VP Engineering
SecurityFocus.com
"Vae Victis"


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Code Red, anyone? Alfred Huger (Jul 31)
- Code Red, anyone? Russell Fulton (Jul 31)
- Re: Code Red, anyone? Glenn Forbes Fleming Larratt (Jul 31)
  - Re: Code Red, anyone? Michael Sullenszino (Aug 01)
- Re: Code Red, anyone? S. Staniford (Jul 31)
- Re: Code Red, anyone? Joseph Nicholas Yarbrough (Aug 01)
- Re: Code Red, anyone? thomas lakofski (Aug 01)
- RE: Code Red, anyone? Coen Bongers (Aug 01)
- Re: Code Red, anyone? Ryan Russell (Aug 01)
  - Re: Code Red, anyone? Kman (Aug 01)
- <Possible follow-ups>
- Re: Code Red, anyone? Ken Eichman (Aug 01)
  - unsubscribe me please Christophe Bernigaud (Aug 01)
- RE: Code Red, anyone? Information Security (Aug 01)
  - RE: Code Red, anyone? Chip McClure (Aug 01)
- RE: Code Red, anyone? Jürgen Nieveler (Aug 01)
  - Re: Code Red, anyone? Seth Arnold (Aug 01)
- Re: Code Red, anyone? Pat Wilson (Aug 01)
  - Re: Code Red, anyone? jan (Aug 01)

(Thread continues...)