[lug] wild activity, don't know why.

Holshouser, David dholshou at ball.com
Thu Aug 9 10:59:30 MDT 2001


more info:
I downloaded iptraf and it looks like there is nothing but ARP going across
the pipe. I can't tell the to or from addresses though. Is there a way to
see if I am the one generating all the ARP traffic?

Perhaps I've been hacked and I'm being used to DoS the local pipe by ARPing
it to death.
Or maybe someone else has fallen victim to this fate.

This doesn't appear to be Code Red to me.
I did get 375 hits from it yesterday and already 45 today, but that doesn't
account for a constantly steady activity light.

That's too bad about losing our ability to serve http requests. I'll miss
that sorely.

> -----Original Message-----
> From: Prescott Oelke [mailto:plkey at home.com]
> Sent: Thursday, August 09, 2001 10:49 AM
> To: lug at lug.boulder.co.us
> Subject: RE: [lug] wild activity, don't know why.
> 
> 
> I've talked to AT&T about this and they have had major problems with Code
> Red on their cable network (which I am also on). Code Red chooses to scan
> computers on its own section of the Internet apparently, before venturing
> further out. Almost all the hits I have been getting are on port 80 and
> from the 65.x.x.x address block (where my IP resides).
> 
> Basically someone (a lot of someones) set up a webserver using M$ IIS
> server and hasn't patched it yet (most, I've discovered, aren't even aware
> they're running it). So every time they turn their machines on Code Red
> begins scanning to find new machines to infect. The guy at AT&T @Home said
> that they were going to block port 80 off from the outside world on their
> network. All good and well, but that won't stop computers inside the
> network from scanning.
> 
> I got over 600 hits to my port 80 yesterday alone.
> 
> Prescott Oelke
> 
> At 10:17 AM 8/9/2001 -0600, you wrote:
> >I've been seeing a lot of articles in the news lately about this thing
> >called "Code Red"...
> >
> >-----Original Message-----
> >From: Holshouser, David [mailto:dholshou at ball.com]
> >
> >My brother called yesterday to inform me that the activity light has been
> >solid for the last few days.
> >I unshared all web content that might have been causing the activity (mp3).
> >Everything seemed ok.
> >This morning I got another call with the same message.
> >_______________________________________________
> >Web Page:  http://lug.boulder.co.us
> >Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 

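The question in the reply above, whether the local box is the one generating all the ARP traffic, can be answered by tallying ARP requests per sender hardware address rather than by watching the activity light. The script below is an added example, not code from any of the list posts: it parses raw Ethernet/ARP frames (the form a capture from tcpdump or a pcap file would hand you), ranks senders by request count and by how many distinct targets they asked for, and reports whether a given MAC, assumed here to be the local card, accounts for most of the requests. All addresses and frames are constructed inside the script with made-up values so it runs offline; nothing here reads a live interface. A sender issuing many requests for many distinct targets is sweeping the segment, which is the pattern a worm scanning its own address block would produce on the local wire, while a sender repeating one target is just a host that cannot resolve its gateway.

```python
"""Added example for the thread above (not from the original posts).

Tally ARP requests per sender to answer "am I the one generating all the
ARP traffic?".  parse_arp_frame() handles raw Ethernet frames carrying
IPv4-over-Ethernet ARP (EtherType 0x0806); the frames used here are
constructed inline with made-up MAC/IP values so the script runs offline.
"""
import struct
from collections import Counter

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
ZERO_MAC = b"\x00" * 6
BROADCAST_MAC = b"\xff" * 6


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip) for an Ethernet/ARP
    frame, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:                      # 14-byte Ethernet + 28-byte ARP
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = frame[22:28], frame[28:32]    # sender hardware / protocol addr
    tpa = frame[38:42]                       # target protocol address
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)


def build_arp(op, sha, spa, tha, tpa):
    """Construct a minimal Ethernet+ARP frame; used only to make sample data."""
    dst = BROADCAST_MAC if op == ARP_REQUEST else tha
    eth = dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return eth + arp


def top_talkers(frames):
    """Rank ARP-request senders as (mac, ip, requests, distinct_targets),
    most requests first.  Replies and non-ARP frames are ignored."""
    requests = Counter()
    targets = {}
    for frame in frames:
        parsed = parse_arp_frame(frame)
        if parsed is None or parsed[0] != ARP_REQUEST:
            continue
        _, mac, ip, tpa = parsed
        requests[(mac, ip)] += 1
        targets.setdefault((mac, ip), set()).add(tpa)
    ranked = [(mac, ip, n, len(targets[(mac, ip)]))
              for (mac, ip), n in requests.items()]
    return sorted(ranked, key=lambda r: r[2], reverse=True)


def am_i_the_source(frames, my_mac, threshold=0.5):
    """True if my_mac sent at least `threshold` of all ARP requests seen."""
    ranked = top_talkers(frames)
    total = sum(r[2] for r in ranked)
    if total == 0:
        return False
    mine = sum(r[2] for r in ranked if r[0] == my_mac)
    return mine / total >= threshold


# Constructed sample capture (hypothetical addresses, not from the thread).
MY_MAC, MY_IP = bytes.fromhex("001122334455"), bytes([10, 0, 0, 5])
NOISY_MAC, NOISY_IP = bytes.fromhex("00deadbeef01"), bytes([10, 0, 0, 9])
GW_MAC, GW_IP = bytes.fromhex("00005e005301"), bytes([10, 0, 0, 1])


def _sample_frames():
    frames = []
    for last in range(1, 21):                # noisy neighbour sweeps 10.0.0.1-20
        frames.append(build_arp(ARP_REQUEST, NOISY_MAC, NOISY_IP,
                                ZERO_MAC, bytes([10, 0, 0, last])))
    for _ in range(2):                       # local host asks for its gateway twice
        frames.append(build_arp(ARP_REQUEST, MY_MAC, MY_IP, ZERO_MAC, GW_IP))
    frames.append(build_arp(ARP_REPLY, GW_MAC, GW_IP, MY_MAC, MY_IP))  # gateway answers
    frames.append(BROADCAST_MAC + MY_MAC + struct.pack("!H", 0x0800) + b"\x00" * 30)  # non-ARP
    return frames


SAMPLE_FRAMES = _sample_frames()

if __name__ == "__main__":
    for mac, ip, n, distinct in top_talkers(SAMPLE_FRAMES):
        print(f"{mac} {ip:>12}  requests={n:3d}  distinct targets={distinct}")
    print("local host is the source:", am_i_the_source(SAMPLE_FRAMES, mac_str(MY_MAC)))
```

Run it with python3 and it prints the ranking followed by the yes/no check for the local MAC; substitute the real card's address for MY_MAC and feed frames from an actual capture to apply it to the segment in question. When the answer is no, the top talker's sender MAC and IP are what to hand the provider to locate the neighbour.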