rrlover (join: 2001-03-25, Marlborough, CT)
CODE RED LOVES HTTP
For the past 2 days BlackICE has been logging over 20 hits to HTTP port 80. Interesting: I use RR in NYC and all the IP addresses are from RR in NYC also (66.65.xxx.xxx). Does this mean anything????
[text was edited by author 2001-08-04 13:28:09]

I was going to post that question in here. I have been getting 20-40 HTTP port probes a day. Harmless to me and, silly enough, they are coming from @Home IPs to @Home IPs. It is rather irritating even if they are harmless.
-- The only perfect science is hind-sight.

rrlover (join: 2001-03-25, Marlborough, CT)
Why are we getting hit from our specific ISP?????

cagelink (Bofh; join: 2001-04-15, Tallahassee, FL)
(reply to rrlover)
I checked my Apache logs and I've been hit with Code Red a little less than 100 times already.
blouz

Ryan (Premium; join: 2001-03-03, Quincy, MA)
(reply to rrlover)
Hop on over to »HOLY PORT 80. It talks about it a little more.

(reply to rrlover)
Not sure. Take the IPs of the HTTP probes and add it after » in your browser. 75% of the ones I do that to say this
-- The only perfect science is hind-sight.

Ryan (Premium; join: 2001-03-03, Quincy, MA)
(reply to rrlover)
YUP

Steve (I know your IP address; Consultant; join: 2001-03-10, Yorba Linda, CA; kudos: 5)
said by POOoOoOPs: YUP
This presumed variant doesn't deface the web page, it seems to disable it, and I've done a preliminary writeup of this at http://www.unixwiz.net/techtips/CodeRedII.html. Running out the door, will dig into this more later.
Steve
-- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net

Damn smart people! Thanks Steve.

(reply to rrlover)
The other common occurrence is that the probe occurs a minimum of 2 times, and 3 times is most common. I am not sure why.
If you are running a server of some sort, as I have a webcam, will changing the server port away from 80 or 8080 to another such as 7000 help? Is this Code Red thing specifically designed for port 80, or can it retrieve port information from the server?
-- The only perfect science is hind-sight.

Anon
(reply to rrlover)
Same thing has been happening to me for the past few days as well. 75% of the HTTP hits are coming from the same RR region as me. Really weird!

wafen (Mr woogie; Premium, Mod; join: 2001-02-01, Maplewood MN; kudos: 1)
(reply to superchaos)
said by superchaos: The other common occurrence is the probe occurs a minimum of 2 times and 3 times is most common. I am not sure why.
said by SJFriedl: It's Code Red wandering the globe, and you get three hits per hit because you're in stealth mode. You can cut this down by two thirds by telling your firewall to reject, not drop, the inbound connections to port 80.
In any case, don't give it another thought: you're safe.
Steve
superchaos,
I found this in another thread. It probably explains what you're seeing.
wiggum,
It wouldn't happen to be Houston you're seeing, is it?
-- Join Team Helix! It's the only way to fold.

I am too lazy to go through all of them. Here is a pic of the last hour.
-- The only perfect science is hind-sight.

wafen (Mr woogie; Premium, Mod; join: 2001-02-01, Maplewood MN; kudos: 1)
I have over 126 IPs with 2 to 3 hits per IP. I am getting one on average every 45 seconds. They are annoying, but no big deal. :)

Steve (I know your IP address; Consultant; join: 2001-03-10, Yorba Linda, CA; kudos: 5)
said by wafen: They are annoying, but no big deal. :)
This is true, and your firewall rulesets are making this much worse.
A good firewall ruleset will reject the connection on port 80 (send an ICMP port unreachable), so the other end sends only one SYN packet to start the TCP connection. Then it's over.
A bad firewall ruleset will drop the packet entirely, which causes the other end to (automatically) send a couple more -- this is how TCP operates. What's worse, the firewall will do an inverse lookup on the IP, and this generates DNS traffic back and forth.
If the only thing you have is blocked TCP connections to port 80, you simply don't have enough data to do anything, so do not send off notes to ISPs and the like. Only actual web server logs can be helpful here.
Please, no logs of "attacks".
Steve
-- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net
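Steve's two points above, that only web server logs tell you anything and that a dropped SYN to port 80 is retried so one probe is logged two or three times, as an added Python example; this is not code from the thread or from unixwiz.net, the log lines and IP addresses are constructed, and the /default.ida?NNNN... (Code Red) versus /default.ida?XXXX... (Code Red II) request prefixes are the signatures the two worms sent.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache access-log lines (not real traffic; worm payloads shortened).
# Code Red I requests /default.ida?NNNN..., the Code Red II variant requests
# /default.ida?XXXX...; the last line is an ordinary page request.
SAMPLE_ACCESS_LOG = """\
66.65.1.10 - - [04/Aug/2001:13:01:02 -0400] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 296
66.65.1.10 - - [04/Aug/2001:13:01:05 -0400] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 296
24.0.0.7 - - [04/Aug/2001:13:02:41 -0400] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 296
10.9.8.7 - - [04/Aug/2001:13:03:00 -0400] "GET /index.html HTTP/1.1" 200 1532
"""

# Common Log Format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(path):
    """Return the worm variant a request path indicates, or None for normal traffic."""
    if not path.startswith("/default.ida?"):
        return None
    payload = path[len("/default.ida?"):]
    if payload.startswith("N"):
        return "Code Red"
    if payload.startswith("X"):
        return "Code Red II"
    return "default.ida (unknown variant)"

def worm_hits(log_text):
    """Map source IP -> Counter of worm variants seen in an Apache access log."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of guessing
        variant = classify(m.group("path"))
        if variant:
            hits[m.group("ip")][variant] += 1
    return dict(hits)

def collapse_syn_log(entries, window=60):
    """Collapse firewall 'blocked SYN to port 80' entries (unix_time, ip) that fall in
    one TCP retransmit window into a single probe per source (drop logs each probe 2-3x)."""
    probes = Counter()
    last_seen = {}
    for ts, ip in sorted(entries):
        if ip not in last_seen or ts - last_seen[ip] > window:
            probes[ip] += 1
        last_seen[ip] = ts
    return probes
```

Feeding a real access log through worm_hits gives the per-source counts that are actually worth reporting; collapse_syn_log shows why a personal firewall's 2-3 entries per IP are one probe, not three.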
wafen (Mr woogie; Premium, Mod; join: 2001-02-01, Maplewood MN; kudos: 1)
Yeah, but I have a toy firewall like ZA Free. (Didn't think anyone would remember.) ;) ;) ;)

(reply to Steve)
Unless it's from servers inside NOAA..... or Unixwiz.
I have not gotten attacked by a government server since I notified them of the problem.. so maybe they've plugged the holes.

Flippant (So Much For Subtlety; Premium, Mod; join: 2000-06-04, Katy, TX)
(reply to rrlover)
Yepper, seeing Code Red all day. Normally I might have a dozen or so ZA alerts; today I am up to 80 already, more than half are HTTP, quite a few port scans as well, but since nothing is penetrating and I am not running IIS then no worries.

Occasu$ (join: 2001-07-20, North Vancouver, BC)
(reply to rrlover)
This is kind of funny... since I read your post about a lot of alerts coming from people on the same ISP as you, I have been getting the same thing... I would say 60% of alerts today on port 80 are coming from other people using the same ISP as me. I don't remember this being the case on other days.
-- Those who do not remember the past are condemned to repeat it.

(reply to rrlover)
Well, what is your port 80?
Your HTTP port is port 80, so it's sending fake HTTP packets to you on port 80 to slow down your internet, I think. ...
