-
March 15th, 2003, 01:38 AM
#11
The only port I've noticed as of late that's been attacked on my system is port 445. The only worm/trojan I know related to this port is "Apher". Supposedly it only affects Windows XP and 2000.
And Noia, the best I could find about Port 35072 was on Internet Storm Center. Here's the link. This was the best I could find.
Port 35072 activity
The object of war is not to die for your country but to make the other bastard die for his - George Patton
-
March 15th, 2003, 02:18 AM
#13
The only ports that I am being hit at are 445 and 6346, so I'm not much help for you either. Other than that, I haven't noticed anything out of the ordinary.
PeacE
-BoB
-
March 15th, 2003, 11:28 AM
#15
Well this link might tell you some stuff about it.
My source is: http://securityresponse.symantec.com...codered.f.html
As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild.
CodeRed.F differs in only two bytes from the original CodeRed II. CodeRed II will restart the system if the year is greater than 2001. This is no longer the case for this variant.
Symantec antivirus products detect CodeRed.F as CodeRed Worm if it is saved to a file. The worm also drops a Trojan, which will be detected as Trojan.VirtualRoot. The existing CodeRed Removal Tool will correctly detect and remove this new variant.
Please click here for information on how to best leverage Symantec technologies to combat the CodeRed threat.
CodeRed.F scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 Web servers and uses a buffer overflow vulnerability to infect the remote computers. The worm injects itself directly into memory, rather than copying itself as a file on the system. In addition, CodeRed.F creates a file detected as Trojan.VirtualRoot. Trojan.VirtualRoot gives the hacker full remote access to the Web server.
If you are running the Microsoft IIS Server, we recommend that you apply the latest Microsoft patch to protect yourself from this worm. The patch can be found at http://www.microsoft.com/technet/sec.../MS01-033.asp.
A cumulative patch for IIS, including the four patches released to date, is available at http://www.microsoft.com/technet/sec.../MS01-044.asp.
In addition, Trojan.VirtualRoot takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address this problem and stop the Trojan from re-infecting the computer: http://www.microsoft.com/technet/sec.../MS00-052.asp.
Hope that helped!
-
March 15th, 2003, 12:12 PM
#17
Yes, I get a Code Red attack at least once every 5 mins. It seemed to have stopped now. Sometimes it would get one every 2 secs. I use Sygate firewall and it just says Code Red attacks. It also gives me the source IP. But because the log was getting filled up heaps, I cleared the log.
There were two IP addresses, but here is one of them that's stored in my IP tracer. I couldn't even get a whois on the IP address so....
210.122.22.9
<edit> Now I'm getting hit every ten seconds. The IP is different but here it is. 210.52.32.159
Hope someone figures out what's happening and fixes it soon.
</edit>
<edit2> Hey, I just recovered my log file. Here are all the hits for Code Red I got. Most of these span about 3 days and often come in short bursts instead of regular hits. For example, for about 5 mins I get continuous hits at about 10 sec intervals etc. Anyways, here are all the IP addresses that I am getting hit by (starting at most recent):
</edit2>
- Trying is the first step towards failure. the moral is never try.
- It's like something out of that twilighty show about that zone.
----Homer J Simpson----
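As an added illustration (not from any poster in this thread, and not Sygate's real log format, which is replaced here by a constructed "date time rule source-ip" shape), this is the triage a defender would do with a log like the one described above: tally hits per source IP and pick out the runs of hits spaced about ten seconds apart that the poster describes, so that a burst from one scanning host is separated from background noise.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, hypothetical "<date> <time> <rule> <source ip>" shape (not Sygate's real format).
SAMPLE_LOG = """\
2003-03-15 12:00:00 CodeRed 203.0.113.9
2003-03-15 12:00:10 CodeRed 203.0.113.9
2003-03-15 12:00:21 CodeRed 203.0.113.9
2003-03-15 12:00:30 CodeRed 203.0.113.9
2003-03-15 12:40:00 CodeRed 203.0.113.9
2003-03-16 09:15:00 CodeRed 198.51.100.7
2003-03-16 09:15:09 CodeRed 198.51.100.7
"""
def parse_log(text):
    """Yield (timestamp, rule, source_ip) per well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[2], parts[3]
def hits_per_source(events):
    """Tally hits per source IP: which hosts are probing you and how often."""
    counts = defaultdict(int)
    for _, _, ip in events:
        counts[ip] += 1
    return dict(counts)
def bursts(events, max_gap=timedelta(seconds=15), min_hits=3):
    """Runs of >= min_hits hits from one source spaced <= max_gap apart."""
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)
    found = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, prev, n = stamps[0], stamps[0], 1
        for ts in stamps[1:]:
            if ts - prev <= max_gap:
                n += 1
            else:
                if n >= min_hits:
                    found.append((ip, start, prev, n))
                start, n = ts, 1
            prev = ts
        if n >= min_hits:
            found.append((ip, start, prev, n))
    return found
```

Tune max_gap and min_hits to the interval you actually see; a single scanning host produces one long burst, while the "every 5 mins" background from many infected hosts stays as scattered single hits.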
-
March 16th, 2003, 12:37 AM
#19
Code Red 2 or 3 or Nimda
Well I just checked 5 servers
1 gets hit 7000+ a day
another gets 40+ hits a day
even another gets it 8 times today...
and 2 never got touched today....
Go figure...
All servers but 1 are on the same IP class
This is for Nimda or Code Red II
Franklin Werren at www.bagpipes.net
Yes I do play the Bagpipes!
And learning to Play the Bugle