 RyanPremium join:2001-03-03 Quincy, MA | HOLY PORT 80 I happened to look at my modem and it was blinking like crazy so I went into my firewall log and there are tons of attempts to go to port 80. I thought that worm was gone hehhehe guess not. |
|
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | said by POOoOoOPs: I thought that worm was gone hehhehe guess not.
The Code Red worm will be with us for some time. The media has reported it as "lessening", which mainly means the rate of new infections. But machines that are already infected will keep on crawling until they get shut down or patched, and in some cases this could be a very long time (a year?).
Get used to it 
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net |
|
 | I have had a LOT of port 80 hits in the last 24 hours. |
|
|
|
 wafenMr woogiePremium,Mod join:2001-02-01 Maplewood MN kudos:1 | reply to Ryan I have had more port 80 hits in the last 3 hrs than in the last 3 weeks. Most coming from RR Houston IP's. |
|
 izyPremium,MVM join:2000-09-21 endless loop kudos:1 | reply to Ryan Me too!!! Port 80 is being hit about every 5 minutes from RR ip's. |
|
 RyanPremium join:2001-03-03 Quincy, MA | reply to Ryan MY logs now about 4x that size. |
|
 wafenMr woogiePremium,Mod join:2001-02-01 Maplewood MN kudos:1
| reply to izy
Hey neighbor.:)
Are the hits mostly from Houston?
[text was edited by author 2001-08-04 11:55:14] |
|
 izyPremium,MVM join:2000-09-21 endless loop kudos:1 | So why aren't you outside on this beautiful, sultry day 
Mostly. I've had a couple others from small ISP's. btw, I am on RR also. |
|
 Anon | reply to Ryan
I am watching my modem light here blink like crazy too, I'm not concerned because I'm not a Windows user......... do you think we should send the code red author to Singapore? I'll bet they could perform a nice flogging on him for all the hassle he is causing everyone! |
|
 wafenMr woogiePremium,Mod join:2001-02-01 Maplewood MN kudos:1
| reply to izy said by phishe: So why aren't you outside on this beautiful, sultry day 
Mostly. I've had a couple others from small ISP's. btw, I am on RR also.
Working of course.;)
I am on RR also, but AAT Broadband is switching to @Home.
41 hits now. 21 from Houston.:( --
Join Team Helix! It's the only way to fold.
|
|
 | reply to Ryan I've had quite a few attempts. Anywhere from Texas, Korea, China, you name it.
I've only had a few today. But the last day or so, I've had a ton of attempts. |
|
 RyanPremium join:2001-03-03 Quincy, MA | reply to Ryan
LOOK at how fast these things are attacking me. You would think that I'm downloading something by how fast my modem is blinking. This is getting annoying! |
|
 RyanPremium join:2001-03-03 Quincy, MA | reply to Ryan There's the same ip coming from shawcable.net I went to their webpage and they have a contact email address. Should I report it to them? |
|
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | said by POOoOoOPs: There's the same ip coming from shawcable.net I went to their webpage and they have a contact email address. Should I report it to them?
No, because you don't have enough data to do this. All you have are connection attempts, and though this is probably the worm, it's not proof. You have to accept the connection on port 80 and read their request before you really know that you're getting probed.
Firewall logs = no. Web server logs = yes
For what it's worth, if you are able to actually visit the web page that hit you, this suggests to me that they are not infected. Machines that are infected are typically very badly bogged down and do not respond to port 80 requests (they have saturated their pipes with infection attempts).
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net |
|
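An added example, not part of any post in this thread: one way to apply the "web server logs = yes" advice above is to read the requests out of an access log, keep only those that match the worm's probe, and summarise them per source as evidence for an abuse report. The Common Log Format, the `/default.ida` signature with its N or X padding (publicly documented, not stated in the thread), the threshold of 100 and the function names are assumptions of this example; the log lines are constructed.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')

# Assumption (public knowledge, not from the thread): a Code Red probe asks
# for /default.ida with a query that begins with a long run of one padding
# letter, N or (later variant) X. The minimum run of 100 is chosen here.
PROBE = re.compile(r'^GET /default\.ida\?(?:N{100,}|X{100,})')

# Constructed sample log; addresses are documentation ranges, payload omitted.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/2001:10:01:12 -0500] "GET /default.ida?%s=a HTTP/1.0" 404 205' % ("N" * 224),
    '203.0.113.5 - - [04/Aug/2001:10:02:40 -0500] "GET /index.html HTTP/1.0" 200 1432',
    '198.51.100.7 - - [04/Aug/2001:10:03:05 -0500] "GET /default.ida?%s=a HTTP/1.0" 404 205' % ("X" * 224),
    '192.0.2.10 - - [04/Aug/2001:10:09:51 -0500] "GET /default.ida?%s=a HTTP/1.0" 404 205' % ("N" * 224),
    '203.0.113.5 - - [04/Aug/2001:10:11:00 -0500] "GET /default.ida?page=2 HTTP/1.0" 404 205',
    'not a log line',
]


def classify(line):
    """Return (source, timestamp) for a probe request, else None."""
    m = CLF.match(line.strip())
    if m and PROBE.match(m.group(3)):
        return m.group(1), m.group(2)
    return None


def probes_by_source(lines):
    """Group probe timestamps by source address, in log order."""
    hits = defaultdict(list)
    for line in lines:
        found = classify(line)
        if found:
            hits[found[0]].append(found[1])
    return dict(hits)


def abuse_summary(lines):
    """One evidence row per source: (source, count, first seen, last seen)."""
    return [(src, len(ts), ts[0], ts[-1])
            for src, ts in sorted(probes_by_source(lines).items())]


if __name__ == "__main__":
    for row in abuse_summary(SAMPLE_LOG):
        print("%s  probes=%d  first=%s  last=%s" % row)
```

A firewall log would have counted all six lines' sources alike; only the request text separates the two probing hosts from the ordinary visitor.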
 RyanPremium join:2001-03-03 Quincy, MA | reply to Ryan No, it's an ISP; it's not coming directly from them, it's coming from a user off of them. |
|
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | reply to Ryan said by POOoOoOPs: LOOK at how fast these things are attacking me. You would think that I'm downloading something by how fast my modem is blinking. This is getting annoying!
Your modem is blinking because of all the reverse DNS traffic generated by your firewall. The "attacks" that come in are single packets that are very small, but TPF is doing "research" on the "attacker", and this takes up much more of your bandwidth than the probes.
I don't know TPF at all, but if you can set port 80 to a non stealth mode (where it rejects, rather than drops, each probe), you'll see your traffic drop by two thirds.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net |
|
 wafenMr woogiePremium,Mod join:2001-02-01 Maplewood MN kudos:1
| Steve,
If a disproportional amount of hits are coming from RR Houston, would that indicate that they are infected with Code Red? Or does it mean nothing? --
Join Team Helix! It's the only way to fold.
|
|
 SteveI know your IP addressConsultant join:2001-03-10 Yorba Linda, CA kudos:5 | said by wafen: If a disproportional amount of hits are coming from RR Houston, would that indicate that they are infected with Code Red? Or does it mean nothing?
"RR Houston" is like saying "society" -- not something you can actually stick your fingers on. Machines are infected on an individual basis -- only -- and the search for infected machines is done on a random basis.
I suspect one could say that your numbers suggest something about the skills of home cable modem users in Houston, but this might get me in trouble 
I've found no meaningful pattern to the source scans.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net |
|
 wafenMr woogiePremium,Mod join:2001-02-01 Maplewood MN kudos:1 |
Ok,
Thanks Steve.
I think they have problems in Houston.;):(
|
|
 RyanPremium join:2001-03-03 Quincy, MA | reply to Ryan Well I just cleared my log it was so full of attempts. How long would you think this is gonna go on for? |
|