New Code Red: 2x July 20 attack, and climbing
I'm watching Code Red connection attempts in my Apache server logs, and it appears the current attack is about twice the size of the July 20 event. I've got 42 hits since August 1, vs. 21 for the period July 19-21. To get a quick count, try:
grep 'default\.ida' access_log | wc -l


Any other numbers out there?
--

Karsten M. Self [link|mailto:kmself@ix.netcom.com|kmself@ix.netcom.com]


What part of "gestalt" don't you understand?
New Just for the record...
... since we talked on II, I had about 50 before Aug 1, and have had 100 since.

Wade.

"All around me are nothing but fakes
Come with me on the biggest fake of all!"

New I have none...
for the 19th through the 21st - but 55 from the 1st through now.

So, it's considerably more than 'doubled'. *grin*

Imric's Tips for Living
  • Paranoia Is a Survival Trait

  • Pessimists are never disappointed - but sometimes, if they are very lucky, they can be pleasantly surprised...
New Tell you later...(meaning now after edit)
...since my connection is on the fritz again. I think @home is having problems with the traffic...and in response are dropping connections. This is the 3rd time in 5 days...prior to this I had been online and up for about 6 months.

Anyway...now that the connection is restored...logs show 15 attempts the first go round...and 30 so far and counting on the second round.

Good that you had me look at the logs more closely though...cause some idiot is trying the 2k printer exploit on me also...twice so far. Idiot...
Um...er...well...

I have no choice!

[link|mailto:bepatient@aol.com|BePatient]
Edited by bepatient Aug. 3, 2001, 12:49:41 PM EDT
New Wow, that sounds familiar!
After all those issues that everyone's familiar with, I got their techies to come out and check things out.

Well, after two hours, them replacing all my connectors outside (supposedly they were bad), and wrestling with them because they insisted that I convert over to DHCP (luckily issues made them keep me on a static), they chalked it up to a few bad connectors.

And, guess what? I'm still going down a couple of times a day. I'm with you, Bill, I think this Code Red thing is causing @Home to burp badly.

What a pain.


-Jason
----

My pid is Inigo Montoya. You "killed -9" my parent process. Prepare to vi.
New Same here
While my connection to the internet works, Road Runner's mail server has been having problems and refusing connections.

Darrell Spice, Jr.

[link|http://home.houston.rr.com/spiceware/|SpiceWare] - We don't do Windows, it's too much of a chore

New Keenspot mail was down most of last week
because the server it was on was swamped by people who were (unbeknownst to them) sending every cartoonist on their Outlook mail address book the "i send you this file in order to get your advice" virus as well as 200K attachments.

:)

Chris Wright
"We are all born originals -- why is it so many of us die copies?"
- Edward Young
New Same here for Carolina RoadRunner. Sporadic outages.
Alex

Only two things are certain: the universe and human stupidity;
and I'm not certain about the universe.
-- Albert Einstein (1879-1955)
New PacBell hit hard, too.
My business DSL is *very* slow and doesn't complete requests half the time. But my cts.net (local here in San Diego) 56K modem is doin' fine. But that doesn't help my users, since the 56k is tacked onto the email server. Everyone's unhappy :(
That's her, officer! That's the woman that programmed me for evil!
New Mine: jps.net, OneMain.com, Earthlink - phones even!
The short form:

My incoming mail at jps.net has been down 2+ days. (jps was eaten by OneMain, eaten by EarthGodzilla; big hdwre changeover since 7/15)

But all over their HQs - from Pasadena to AZ to Dallas, a series of 800# -- not merely huge wait lines but even when I use techniques related to phone extensions - get a live operator: 6x today, got trunk phone error audio: ~ like European emergency two-tone siren.

Got a case # assigned - they can't find my jps-alias, they tried assigning a B? B2 mailbox and waiting for that change to hit the dbase. NG after 24 hours. Now have a direct-line # but that Tech Support Supv. may or may not be in til Mon.

In brief - all the people - eventually contacted by stealth: were helpful and some even knowledgeable -- but there are apparently thousands (?) hanging on Earthlink-related 800#s last 2 days. (And maybe many like my exper. last night: one queue winds down, new inane voice mumbles and: back at start of the same queue!)

'Postal' may soon be replaced with 'Earth-linked'...
Anyone else tried ANY Earthlink #s recently?

(I'm switching to a local ISP, SAP - but still need Mirthlink to work for a time)


Ashton
who fortunately, doesn't care all That much about the screw-ups

(Logging on here ~ normal)
New Me Too
25 in July
40 in August

I had a person at work tell me that their ISP told them they had a 'portion' of the CodeRed worm on their home Win9x box and that was why they couldn't dialup to the Internet. And Solitaire wouldn't run either. Oh the horror!



--
Chris Altmann
New AT&T @home ARP requests
According to Ethereal, I am being hit with ARP broadcast requests (79% of the traffic) from my gateway IP. WTF?? Is anyone else seeing this?

The support folks at AT&T @home say code red is causing modems to appear busy, but I don't think that's my problem. Can anyone here confirm this?
-Don
New Update...holy s**t
35 attempts today...and it's just after 1am

1116 attempts to call default.ida yesterday.

Roughly 60 on Sunday.

My cable modem light is solid on at the moment. Traffic is just a little high around here...in the backwoods.

Think I'll drink me a Code Red in honor of this.

Um...er...well...

I have no choice!

[link|mailto:bepatient@aol.com|BePatient]
New Just noticed the light
I was catching up on laundry last night when I noticed that my cable modem's data light was rapidly flashing even though none of my computers were turned on. My laundry room is centrally located so that's where I put my patch panel, cable modem and router.

Darrell Spice, Jr.

[link|http://home.houston.rr.com/spiceware/|SpiceWare] - We don't do Windows, it's too much of a chore

New Send the offending IP's in
Send an email with the relevant entries in your logs to aris-report@securityfocus.com ; they are compiling a list of offenders.
That's her, officer! That's the woman that programmed me for evil!
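Added example, not part of any post in this thread: a per-day version of the grep count from the opening post, plus the list of source addresses that the report-by-email suggestion above calls for. The sample log lines and their addresses are constructed, and Apache's common log format is assumed.

```shell
#!/bin/sh
# Constructed sample lines in Apache common log format. Addresses come from
# documentation ranges; the query string is a short placeholder.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [19/Jul/2001:14:02:11 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 276
198.51.100.7 - - [20/Jul/2001:03:15:42 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 276
192.0.2.10 - - [01/Aug/2001:09:00:01 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 276
203.0.113.5 - - [01/Aug/2001:09:05:33 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 276
203.0.113.5 - - [02/Aug/2001:11:20:00 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 276
192.0.2.44 - - [02/Aug/2001:11:21:09 -0700] "GET /index.html HTTP/1.0" 200 1043
EOF
}

# Per-day count of requests for default.ida, in log order.
# Matching on the request path ($7) avoids counting a Referer or
# User-Agent field that merely mentions the string.
hits_per_day() {
    awk '$7 ~ /^\/default\.ida/ {
        day = substr($4, 2, 11)        # "[19/Jul/2001:14:..." -> "19/Jul/2001"
        if (!(day in n)) order[++k] = day
        n[day]++
    }
    END { for (i = 1; i <= k; i++) print order[i], n[order[i]] }' "$@"
}

# Distinct source addresses with hit counts, busiest first.
sources() {
    awk '$7 ~ /^\/default\.ida/ { n[$1]++ }
    END { for (ip in n) print n[ip], ip }' "$@" | sort -k1,1nr -k2,2
}

# Run against the constructed sample; pass a real log file name as an
# argument to either function instead (for example: hits_per_day access_log).
sample_log | hits_per_day
sample_log | sources
```

Both functions read standard input when no file is given, so rotated or compressed logs can be piped in.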
New Thanks! I've got quite a list happening here... !msg

--
----------------------------------------------------------
* Jack Troughton jake at jakesplace.dhs.org *
* [link|http://jakesplace.dhs.org|http://jakesplace.dhs.org] [link|ftp://jakesplace.dhs.org|ftp://jakesplace.dhs.org] *
* Montréal PQ Canada [link|news://jakesplace.dhs.org|news://jakesplace.dhs.org] *
----------------------------------------------------------
New Thanks...will compile and send tonight. It's a BIG list.
Um...er...well...

I have no choice!

[link|mailto:bepatient@aol.com|BePatient]
New If you think that's bad... it's going crazy for me here

I've got 1247 since the beginning of August, and I've got one coming in every minute or so right now. snigger Good thing I'm not running IIS or Windows here. Actually... the funny thing is, I haven't really noticed it at all... except for my ISP's name server being down for a while last night.

Man, talk about lame...


--
----------------------------------------------------------
* Jack Troughton jake at jakesplace.dhs.org *
* [link|http://jakesplace.dhs.org|http://jakesplace.dhs.org] [link|ftp://jakesplace.dhs.org|ftp://jakesplace.dhs.org] *
* Montréal PQ Canada [link|news://jakesplace.dhs.org|news://jakesplace.dhs.org] *
----------------------------------------------------------
     Code Red: 2x July 20 attack, and climbing - (kmself) - (17)
         Just for the record... - (static)
         I have none... - (imric)
         Tell you later...(meaning now after edit) - (bepatient) - (5)
             Wow, that sounds familiar! - (jlalexander) - (3)
                 Same here - (SpiceWare) - (2)
                     Keenspot mail was down most of last week - (cwbrenn)
                     Same here for Carolina RoadRunner. Sporadic outages. -NT - (a6l6e6x)
             PacBell hit hard, too. - (tseliot)
         Mine: jps.net, OneMain.com, Earthlink - phones even! - (Ashton)
         Me Too - (altmann)
         AT&T @home ARP requests - (Don)
         Update...holy s**t - (bepatient) - (4)
             Just noticed the light - (SpiceWare)
             Send the offending IP's in - (tseliot) - (2)
                 Thanks! I've got quite a list happening here... !msg -NT - (jake123)
                 Thanks...will compile and send tonight. It's a BIG list. -NT - (bepatient)
         If you think that's bad... it's going crazy for me here - (jake123)
