nanog mailing list archives
Re: Worm probes
From: ravi pina <ravi () cow org>
Date: Tue, 18 Sep 2001 11:35:28 -0400
indeed. scanning for strings that appear to be associated with the Concept Virus(CV) V.5, there is a tremendous increase in bandwidth usage. today alone i match:

/scripts: 18013
/_vti_bin: 1885
_mem_bin: 1916
/ms_adc/: 1945
/winnt/system32: 27648

bugtraq is starting to get in the preliminary reports of this worm. beware that infected host's home pages contain a javascript that sends you to a page that attempts to send you a copy of the worm. fantastic, eh?

-r

On Tue, Sep 18, 2001 at 11:05:35AM -0400, up () 3 am said at one point in time:
> ugh...this is way more impact...a 128k ISDN customer running an NT/Win2k box is at 100% BW, and my 2x T1's are at about 2x normal traffic for this time of day, although still well short of capacity...apache server processor load is WAY up just from the requests, and the logs are growing like mad.
>
> On Tue, 18 Sep 2001, deeann mikula wrote:
> > On Tue, 18 Sep 2001, ravi pina wrote:
> > > On Tue, Sep 18, 2001 at 09:54:31AM -0400, sigma () pair com said at one point in time:
> > > > Has anyone else been seeing a dramatic increase in /scripts/.. NT worm probes this morning? We're seeing about 8000/second, starting around 9:15 Eastern time, to and from a wide variety of addresses.
> > >
> > > affirmative. i just looked at my logs, and it looks like each probe tries a bunch of things. i haven't seen much on the lists, but i'm looking right now.
> >
> > i'm pretty sure that the worm's attack phase starts on the 20th (which of course, depends upon a correctly set system clock) and also that attempting to execute something like /scripts/root.ext/c++ something is involved. i think that cert's website would be a good place to look. i'm *not* a security/virus chick, but i did host a talk by marty linder of cert where he dissected code red's activity and presented a summary. cert is of course, http://www.cert.org.
> >
> > deeann m.m. mikula
> > director of operations
> > telerama public access internet
> > http://www.telerama.com
> > 1.877.688.3200
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> up () 3 am http://3.am
> =========================================================================

-- 
echo "send pgp key" | mail ravi () cow org ; ravi@happy:/home/ravi# rm -rf /bin/laden

"Now I don't want you to worry, class. These tests will have no effect on your grades. They merely determine your future social status and financial success. If any." -- Mrs. Krabappel
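
Added example, not part of the original post or thread: one way to produce per-string counts like the ones in the message above from a web server access log, and to see which sources are sending the probes. It assumes Apache common/combined log format; the function names and the sample lines are constructed for illustration, and only the marker strings come from the post.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Strings taken from the post above, matched as substrings (like grep).
MARKERS = ["/scripts", "/_vti_bin", "_mem_bin", "/ms_adc/", "/winnt/system32"]

# Common/combined log format: host ident user [time] "METHOD path PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:\S+) (\S+)[^"]*" (\d{3}) ')

def normalize(path, rounds=3):
    """Percent-decode up to `rounds` times (requests may be encoded more than
    once), treat backslashes as slashes, and lowercase before matching."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()

def tally(lines):
    """Return (hits per marker, matching requests per source, unparsed lines)."""
    per_marker, per_source, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # keep count so truncated lines are not silently lost
            continue
        host, path, _status = m.groups()
        norm = normalize(path)
        hits = [mk for mk in MARKERS if mk in norm]
        per_marker.update(hits)    # one request can match several markers
        if hits:
            per_source[host] += 1
    return per_marker, per_source, unparsed

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [18/Sep/2001:09:15:02 -0400] "GET /scripts/..%2f../winnt/system32/x HTTP/1.0" 404 276',
    '192.0.2.10 - - [18/Sep/2001:09:15:02 -0400] "GET /%255fvti_bin/x HTTP/1.0" 404 270',
    '198.51.100.7 - - [18/Sep/2001:09:15:03 -0400] "GET /_MEM_BIN/x HTTP/1.0" 404 270',
    '198.51.100.7 - - [18/Sep/2001:09:15:04 -0400] "GET /index.html HTTP/1.0" 200 1042',
    'truncated line',
]

if __name__ == "__main__":
    markers, sources, bad = tally(SAMPLE)
    for name, count in markers.most_common():
        print(f"{name}: {count}")
    print("top sources:", sources.most_common(5), "unparsed:", bad)
```

Because a single request can contain more than one marker, the per-string totals add up to more than the number of probing requests; the per-source counter is the figure to use when deciding which addresses to filter or notify.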