It seems my BlackICE is going off constantly lately with people trying Code Red II attacks, also
TONS of HTTP attacks, and Code Red I. It just seems like a really sharp increase lately and I was wondering if you have noticed anything similar?
Ummm.. You sure it's Code Red II and not Code Red III that was announced to exist a few days ago? Check out Incidents and they'll show you what's rising. I suspect that it's more Code Red III.
Well I haven't updated BlackICE in a while and it may be misinterpreting it.
But this has been trickling for about a month; just lately (about a week) it's been worse... I'll look into it though, thanks for that heads up.
Quote:
Check out Incidents and they'll show you what's rising. I suspect that it's more Code Red III.
I am concerned about the high number of port scans for BearShare. I have searched Google and couldn't find any information on an exploit, but I can't help but wonder. All P2P programs are backdoors into your system. I wonder if someone found a way to exploit privileges with BearShare.
I have noticed a major increase of scanning activity in the last two days. I believe they are attributable to the latest variant of the Code Red virus and possibly the Deloder worm. I could be wrong though.
::coffee::
ccKid
Quote:
It seems my BlackICE is going off constantly lately with people trying Code Red II attacks, also
TONS of HTTP attacks, and Code Red I. It just seems like a really sharp increase lately and I was wondering if you have noticed anything similar?
My firewall IDS has logged a lot more HTTP attacks over the last week. Mainly Code Red and IIS scans. This is almost definitely because of the latest worms.
I've been getting connection attempts from all over on port 35072, can anyone confirm this? I haven't been able to figure out what the port does, I've checked a bunch of different lists but nothing has turned up.....oh well.... :)
- Noia
From what I'm seeing, the target port for this version of Code Red is still port 80.
I'm not sure what's hitting you Noia.
Cheers:
The only port I've noticed as of late that's been attacked on my system is port 445. The only worm/trojan I know related to this port is "Apher". Supposedly it only affects Windows XP and 2000.
And Noia, the best I could find about port 35072 was on Internet Storm Center. Here's the link. This was the best I could find.
Port 35072 activity
The only ports that I am being hit at are 445 and 6346 so I'm not much help for you either. Other than that I haven't noticed anything out of the ordinary.
PeacE
-BoB
Well this link might tell you some stuff about it.
My source is: http://securityresponse.symantec.com...codered.f.html
As of March 11, 2003, Symantec Security Response has confirmed that a new minor variant of CodeRed II has been found in the wild.
CodeRed.F differs in only two bytes from the original CodeRed II. CodeRed II will restart the system if the year is greater than 2001. This is no longer the case for this variant.
Symantec antivirus products detect CodeRed.F as CodeRed Worm if it is saved to a file. The worm also drops a Trojan, which will be detected as Trojan.VirtualRoot. The existing CodeRed Removal Tool will correctly detect and remove this new variant.
Please click here for information on how to best leverage Symantec technologies to combat the CodeRed threat.
CodeRed.F scans IP addresses for vulnerable Microsoft IIS 4.0 and 5.0 Web servers and uses a buffer overflow vulnerability to infect the remote computers. The worm injects itself directly into memory, rather than copying itself as a file on the system. In addition, CodeRed.F creates a file detected as Trojan.VirtualRoot. Trojan.VirtualRoot gives the hacker full remote access to the Web server.
If you are running the Microsoft IIS Server, we recommend that you apply the latest Microsoft patch to protect yourself from this worm. The patch can be found at http://www.microsoft.com/technet/sec.../MS01-033.asp.
A cumulative patch for IIS, including the four patches released to date, is available at http://www.microsoft.com/technet/sec.../MS01-044.asp.
In addition, Trojan.VirtualRoot takes advantage of a vulnerability in Windows 2000. Download and install the following Microsoft security patch to address this problem and stop the Trojan from re-infecting the computer: http://www.microsoft.com/technet/sec.../MS00-052.asp.
Hope that helped!
Yes, I get a Code Red attack at least once every 5 mins. It seemed to have stopped now. Sometimes it would get one every 2 secs. I use Sygate firewall and it just says Code Red attacks. It also gives me the source IP. But because the log was getting filled up heaps, I cleared the log.
There were two IP addresses but here is one of them that's stored in my IP tracer. I couldn't even get a whois on the IP address so....
210.122.22.9
<edit> Now I'm getting hit every ten seconds. The IP is different but here it is. 210.52.32.159
Hope someone figures out what's happening and fixes it soon.
</edit>
<edit2> Hey, I just recovered my log file. Here are all the hits for Code Red I got. Most of these span about 3 days and often come in short bursts instead of regular hits. For example, for about 5 mins I get continuous hits at about 10 sec intervals etc. Anyways, here are all the IP addresses that I am getting hit by (starting at most recent):
210.52.32.159
210.122.22.9
210.52.46.233
210.61.49.213
210.181.239.150
210.50.112.145
</edit2>
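The Symantec write-up quoted earlier says CodeRed.F scans for IIS 4.0/5.0 and exploits the .ida buffer overflow, and the post above describes the hits arriving in short bursts about ten seconds apart. The script below is an added example for this thread, not code from the thread, from Symantec, or from any firewall vendor: it flags Code Red-style probes in web-server access logs by their well-known signature (a GET for /default.ida padded with a long run of N or X characters), counts them per source address, and picks out bursts. The log format, the timestamps and the IP addresses (RFC 5737 documentation ranges) are constructed, and the burst heuristic (three or more probes each within 60 seconds of the last) is an assumption chosen to match what the post reports.

```python
"""Flag Code Red-style probes in web-server access logs and summarise them
per source address, including short bursts of hits.

Added example for this thread; it is not code from the thread, from Symantec
or from any firewall vendor. Log format, IP addresses and timestamps below
are constructed; the burst heuristic is an assumption."""
import re
from collections import defaultdict
from datetime import datetime

# Code Red I and II probe: a GET for /default.ida followed by a long run of
# N (Code Red I) or X (Code Red II) characters, the padding that overflows
# the IIS .ida ISAPI extension. Fifty is an assumed threshold; real probes
# carry a few hundred.
CODE_RED_RE = re.compile(r"GET /default\.ida\?(?:N{50,}|X{50,})")

# Constructed simplified log format: "<ISO timestamp> <client ip> <request> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (.+) (\d{3})$")


def _probe(ts, ip, pad):
    """Build one constructed Code Red-style probe line (224 bytes of padding)."""
    return f"{ts} {ip} GET /default.ida?{pad * 224} HTTP/1.0 404"


# Constructed sample log. 198.51.100.7 hits four times ten seconds apart (a
# burst like the one described in the post); 192.0.2.44 hits twice, hours
# apart; 203.0.113.5 is benign traffic, including a plain /default.ida request.
SAMPLE_LOG = "\n".join([
    _probe("2003-03-12T10:00:00", "198.51.100.7", "N"),
    "2003-03-12T10:00:03 203.0.113.5 GET /index.html HTTP/1.1 200",
    _probe("2003-03-12T10:00:10", "198.51.100.7", "X"),
    _probe("2003-03-12T10:00:20", "198.51.100.7", "X"),
    _probe("2003-03-12T10:00:30", "198.51.100.7", "X"),
    _probe("2003-03-12T11:45:00", "192.0.2.44", "N"),
    "2003-03-12T11:46:00 203.0.113.5 GET /default.ida HTTP/1.1 404",
    _probe("2003-03-12T13:00:00", "192.0.2.44", "N"),
])


def parse_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, request, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "request": request, "status": int(status)}


def is_code_red_probe(request):
    """True when the request line carries the Code Red padding signature."""
    return CODE_RED_RE.match(request) is not None


def code_red_hits(log_text):
    """Map each source IP to the sorted timestamps of its Code Red probes."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_code_red_probe(rec["request"]):
            hits[rec["ip"]].append(rec["ts"])
    return {ip: sorted(stamps) for ip, stamps in hits.items()}


def find_bursts(timestamps, min_hits=3, window_seconds=60):
    """Return (start, end, count) for every run of at least min_hits probes in
    which each probe follows the previous one within window_seconds."""
    ts = sorted(timestamps)
    bursts = []
    i = 0
    while i < len(ts):
        j = i
        while j + 1 < len(ts) and (ts[j + 1] - ts[j]).total_seconds() <= window_seconds:
            j += 1
        if j - i + 1 >= min_hits:
            bursts.append((ts[i], ts[j], j - i + 1))
        i = j + 1
    return bursts


def summarise(log_text, min_hits=3, window_seconds=60):
    """Per-source hit counts and bursts: the view a defender wants before
    deciding whether to block a source or report it to its network owner."""
    return {ip: {"hits": len(stamps),
                 "bursts": find_bursts(stamps, min_hits, window_seconds)}
            for ip, stamps in code_red_hits(log_text).items()}


if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} probes, {len(info['bursts'])} burst(s)")
        for start, end, count in info["bursts"]:
            print(f"  burst of {count} from {start.time()} to {end.time()}")
```

Run on the constructed log, it reports four probes from 198.51.100.7 forming one burst and two isolated probes from 192.0.2.44; the plain /default.ida request without padding is not counted, which is the point of matching on the padding rather than on the path alone. Because an infected host sends the probe unsolicited to any address, a hit in your log only tells you that the source is itself compromised, not that anyone has singled you out.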
Well I just checked 5 servers
1 gets hit 7000+ a day
another gets hits of 40+ a day
even another gets it 8 times today...
and 2 never got touched today....
Go figure...
All servers but 1 are on the same IP class
This is for Nimda or Code Red II
I've noticed there was some negging and then counter-negging on this thread. But what surprised me is one of the negs I got was completely blank.... Either something's broken, compromised or the system has been changed to allow totally anonymous and explanation-less negs.
Interesting.
avenger_jcc, it's true that you need to put a msg there to assign APs but if you put a space then that counts as a character, therefore the msg isn't really blank. Try it out.
I've added a copy of my router logs....Hope someone here can figure them out....oh well, thanks for the link ShagDevil, looks like other people are getting this problem too, but there's no info as to why.....oh well
- Noia
PS: rename the file from *.zip to *.xls