Re: A watched pot never boils: The Return of Code Red

[Andy Bradford <bradipo () xmission com>]

Thus said Sean Donelan on 01 Aug 2001 01:21:18 PDT:

> Any updates from the field?

Today I saw an extremely high number  of scans of port 80 being blocked 
at the  firewall for  seemingly random  IPs within our  /21 at  work. I 
wasn't really certain whether it was a distributed attack using spoofed 
IPs or whether it was related to Code Red... I'm still seeing them even 
now (I hope this isn't inappropriate for this list):

Aug  1 21:29:44 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 211.72.54.109:2162 216.250.133.18:80 L=48 S=0x00 I=16335 
F=0x4000 T=111 SYN (#601) 
Aug  1 21:29:45 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 148.245.219.161:2328 216.250.132.139:80 L=48 S=0x00 
I=21203 F=0x4000 T=116 SYN (#601) 
Aug  1 21:29:47 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 203.126.253.242:50221 216.250.135.40:80 L=48 S=0x00 
I=24959 F=0x4000 T=106 SYN (#601) 
Aug  1 21:29:49 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 63.214.199.137:4107 216.250.134.32:80 L=48 S=0x00 I=2393 
F=0x4000 T=114 SYN (#601) 
Aug  1 21:29:49 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 193.251.1.38:52206 216.250.130.33:80 L=48 S=0x00 I=20648 
F=0x4000 T=101 SYN (#601) 
Aug  1 21:29:49 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 217.83.8.106:3030 216.250.130.163:80 L=48 S=0x00 I=64392 
F=0x4000 T=109 SYN (#601) 
Aug  1 21:29:50 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 211.72.54.109:2162 216.250.133.18:80 L=48 S=0x00 I=18317 
F=0x4000 T=111 SYN (#601) 
Aug  1 21:29:50 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 66.57.43.29:4461 216.250.130.89:80 L=64 S=0x00 I=4773 
F=0x0000 T=112 SYN (#601) 
Aug  1 21:29:50 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 195.34.25.110:21213 216.250.128.7:80 L=48 S=0x00 I=39855 
F=0x4000 T=112 SYN (#601) 
Aug  1 21:29:50 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 203.126.253.242:50221 216.250.135.40:80 L=48 S=0x00 
I=25095 F=0x4000 T=106 SYN (#601) 
Aug  1 21:29:51 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 148.245.219.161:2328 216.250.132.139:80 L=48 S=0x00 
I=21441 F=0x4000 T=116 SYN (#601) 
Aug  1 21:29:52 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 63.168.101.197:1147 216.250.133.251:80 L=48 S=0x00 
I=63886 F=0x4000 T=114 SYN (#601) 
Aug  1 21:29:52 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 193.251.1.38:52206 216.250.130.33:80 L=48 S=0x00 I=20892 
F=0x4000 T=101 SYN (#601) 
Aug  1 21:29:53 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 66.57.43.29:4461 216.250.130.89:80 L=64 S=0x00 I=4840 
F=0x0000 T=112 SYN (#601) 
Aug  1 21:29:53 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 195.34.25.110:21213 216.250.128.7:80 L=48 S=0x00 I=40036 
F=0x4000 T=112 SYN (#601) 
Aug  1 21:29:55 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 63.168.101.197:1147 216.250.133.251:80 L=48 S=0x00 
I=63983 F=0x4000 T=114 SYN (#601) 
Aug  1 21:29:56 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 195.16.50.219:1363 216.250.134.218:80 L=48 S=0x00 I=23989 
F=0x4000 T=114 SYN (#601) 
Aug  1 21:29:56 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 208.62.155.69:40665 216.250.134.69:80 L=48 S=0x00 I=43342 
F=0x4000 T=116 SYN (#601) 
Aug  1 21:29:57 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 203.126.253.242:50221 216.250.135.40:80 L=48 S=0x00 
I=25408 F=0x4000 T=106 SYN (#601) 
Aug  1 21:29:59 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 195.16.50.219:1363 216.250.134.218:80 L=48 S=0x00 I=24244 
F=0x4000 T=114 SYN (#601) 
Aug  1 21:29:59 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 66.57.43.29:4461 216.250.130.89:80 L=64 S=0x00 I=4990 
F=0x0000 T=112 SYN (#601) 
Aug  1 21:29:59 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 193.251.1.38:52206 216.250.130.33:80 L=48 S=0x00 I=21512 
F=0x4000 T=101 SYN (#601) 
Aug  1 21:29:59 fgw kernel: Packet log: dmz DENY eth1 PROTO=6 208.62.155.69:40665 216.250.134.69:80 L=48 S=0x00 I=45235 
F=0x4000 T=116 SYN (#601) 
        
Andy
-- 
GnuPG ID 0xA63888C9 (D2DA 68C9 BB2B 26B4 8204  2219 A43E F450 A638 88C9)
[-----------[system uptime]--------------------------------------------]
  9:30pm  up 22 days, 20:09,  6 users,  load average: 1.22, 1.16, 1.18