Security Incidents mailing list archives
RE: CodeRed Observations. ## Christine_Kronberg () genua de
From: root <root () ns1 transurban com au>
Date: Tue, 18 Mar 2003 15:12:16 +1100
Christine_Kronberg () genua de
Subject: RE: CodeRed Observations.
In-Reply-To: <9A01501BF79D864D95402AF6FBEE33D902928C8A () srtheismann eng emc com>
Message-ID: <Pine.LNX.4.30.0303141634200.21106-100000 () oglamar genua de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

On Thu, 13 Mar 2003, larosa, vjay wrote:
Some of the systems respond to a ping, none respond to any HTTP requests. It doesn't mean that they are not firewalled from incoming traffic though.
I checked the entries in my logs. The only one that responded was indeed an IIS. All other IPs gave me a "connection refused" or a simple timeout.

With that being said about the non-three-way-handshake hits, I wonder if some of the addresses are spoofed; coming from a compiled list or something.

Except for one hit all came from (different) 217.x.y.z addresses. Anyone else observed something similar?

Have fun,
Chris.

--
GeNUA mbH