Security Incidents mailing list archives

RE: .ida Intrusion Attempt


From: "Keith.Morgan" <Keith.Morgan () Terradon com>
Date: Thu, 19 Jul 2001 13:58:25 -0400

We are seeing the probes being directed to *any* server, at random,
regardless of their DNS name.  A side note, we've seen a 2000% increase in
the past four hours of probes for the IDA vulnerability.  All of them that I
have investigated have had identical signatures, and appear to be actions of
the "code red" worm.


-----Original Message-----
From: Colby Rice [mailto:crice () 180096hotel com]
Sent: Thursday, July 19, 2001 1:29 PM
Cc: incidents () securityfocus com; focus-ids () securityfocus com
Subject: RE: .ida Intrusion Attempt


Has anyone else noticed that it is only hitting www. servers? Or am I
just lucky? I am getting many many attempts but ONLY on my
www.<whatever> servers. I DO have servers with port 80 open to the
outside world that ARE NOT getting hit. From everything I have read on
this worm it is picking its IPs at random, and if that is the case then
I should have been hit on something OTHER than these (few) www.
servers.

(or am I missing something?)

              CR


