mailing list archives
RE: Worm probes
From: "Smith, Rick" <rsmith () atsworld com>
Date: Tue, 18 Sep 2001 10:40:23 -0400
For the past 2 weeks or so, we were averaging 1,200 probes per hour.
As of 8 or so this morning, we started averaging > 25,000 per hour!
I've noticed that at the same time, we started getting probes from our
provider's space (uniquely 23 addresses there), but not our own. Until this
morning, we had *0* probes from inside our provider's space.
Maybe this is the next round kicking off, looking for things to infect
locally before searching the world again.
P.S. - Right now: (looks like it will be a bit over 25k this hour :)
[root /usr/local/bin]# checkcodered.bash
Code Red Log Checker
Number of attacks...
Number of unique addresses...
From: Daniel Senie [mailto:dts () senie com]
Sent: Tuesday, September 18, 2001 10:26 AM
To: sigma () pair com; nanog () merit edu
Subject: Re: Worm probes
At 09:54 AM 9/18/01, sigma () pair com wrote:
Has anyone else been seeing a dramatic increase in /scripts/.. NT worm
probes this morning? We're seeing about 8000/second, starting around 9:15
Eastern time, to and from a wide variety of addresses.
Is CodeRed or one of its relatives scheduled to start sweeping again today?
We've never seen this level of traffic related to the NT worms. Even
though we don't run any NT at all, we still have to suffer :(
First ones appeared today, and so far I see 17650 attempts on just one of
my servers. We don't run any Microsoft stuff either, but that doesn't keep
our servers from getting hammered...
Daniel Senie dts () senie com
Amaranth Networks Inc. http://www.amaranth.com
RE: Worm probes Don Lundquist (Sep 18)
RE: Worm probes Smith, Rick (Sep 18)
RE: Worm probes Los, Ralph (Sep 18)
FW: Worm probes Braun, Mike (Sep 18)
RE: Worm probes Roeland Meyer (Sep 18)
FW: Re: Worm probes Roeland Meyer (Sep 18)