[lug] wild activity, don't know why.

Prescott Oelke plkey at home.com
Thu Aug 9 11:27:13 MDT 2001


My activity light has been lit up constantly for the last 3 days now. It 
subsides every once in a while, but otherwise has been pretty constant. If 
it is a DOS attack, it's a pretty poor one. It hasn't affected my ability 
to access anything at all yet. Even my ping in Tribes 2 hasn't been 
affected all that much. If anyone knows of another reason for this besides 
Code Red, I'd like to hear it. So far everybody I know who has a cable 
connection is having the same issues.

I'd like to know how so many people are running this web server and don't 
even know it.

Prescott Oelke

At 10:59 AM 8/9/2001 -0600, you wrote:
>more info:
>I downloaded iptraf and it looks like there is nothing but ARP going across
>the pipe. I can't tell the to or from addresses though. Is there a way to
>see if I am the one generating all the arp traffic?
>
>Perhaps I've been hacked and I'm being used to DOS the local pipe by ARPing
>it to death.
>Or maybe someone else has fallen victim to this fate.
>
>This doesn't appear to be CodeRed to me.
>I did get 375 hits from it yesterday and already 45 today, but that doesn't
>account for a constantly steady activity light.
>
>That's too bad about losing our ability to serve http requests. I'll miss
>that sorely.
>
> > -----Original Message-----
> > From: Prescott Oelke [mailto:plkey at home.com]
> > Sent: Thursday, August 09, 2001 10:49 AM
> > To: lug at lug.boulder.co.us
> > Subject: RE: [lug] wild activity, don't know why.
> >
> >
> > I've talked to AT&T about this and they have had major problems with Code
> > Red on their cable network (which I am also on). Code Red chooses to scan
> > computers on its own section of the Internet apparently, before venturing
> > further out. Almost all the hits I have been getting are on port 80 and
> > from the 65.x.x.x address block (where my IP resides).
> >
> > Basically someone (a lot of someones) set up a webserver using M$ IIS
> > server and hasn't patched it yet (most, I've discovered, aren't even aware
> > they're running it). So every time they turn their machines on Code Red
> > begins scanning to find new machines to infect. The guy at AT&T @Home said
> > that they were going to block port 80 off from the outside world on their
> > network. All good and well, but that won't stop computers inside the
> > network from scanning.
> >
> > I got over 600 hits to my port 80 yesterday alone.
> >
> > Prescott Oelke
> >
> > At 10:17 AM 8/9/2001 -0600, you wrote:
> > >I've been seeing a lot of articles in the news lately about this thing
> > >called "Code Red"...
> > >
> > >-----Original Message-----
> > >From: Holshouser, David [mailto:dholshou at ball.com]
> > >
> > >My brother called yesterday to inform me that the activity light has been
> > >solid for the last few days.
> > >I unshared all web content that might have been causing the activity (mp3).
> > >Everything seemed ok.
> > >This morning I got another call with the same message.
> > >_______________________________________________
> > >Web Page:  http://lug.boulder.co.us
> > >Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>_______________________________________________
>Web Page:  http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
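
An added example, not part of any message in this thread: a tally of Code Red probes in a web server access log, split by whether the source sits in the same /8 as the server, as with the 65.x.x.x hits described above. The log lines and addresses are constructed, the Apache common log format is an assumption, and `summarize` is a hypothetical helper.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Code Red asks for /default.ida? followed by a long run of one filler
# character: N for the original worm, X for Code Red II.
PROBE = re.compile(r'^(\S+) .*"GET /default\.ida\?([NX])\2{20,}')

def summarize(log_text, my_ip):
    """Count Code Red probes and split them by whether the source shares my /8."""
    my_block = ip_network(f"{my_ip}/8", strict=False)
    out = {"total": 0, "same_block": 0, "elsewhere": 0,
           "variant": Counter(), "sources": Counter()}
    for line in log_text.splitlines():
        m = PROBE.match(line)
        if not m:
            continue  # ordinary request, short query string, or not a log line
        src, filler = m.groups()
        out["total"] += 1
        out["variant"][filler] += 1
        out["sources"][src] += 1
        try:
            local = ip_address(src) in my_block
        except ValueError:  # log written with hostname lookups enabled
            local = False
        out["same_block" if local else "elsewhere"] += 1
    return out

def _line(src, path):
    return f'{src} - - [09/Aug/2001:09:14:02 -0600] "GET {path} HTTP/1.0" 404 276'

# Constructed sample log; none of these lines or addresses come from the thread.
SAMPLE_LOG = "\n".join([
    _line("65.12.40.7", "/default.ida?" + "N" * 224 + "=a"),
    _line("65.200.3.9", "/default.ida?" + "X" * 224 + "=a"),
    _line("65.12.40.7", "/default.ida?" + "N" * 224 + "=a"),
    _line("24.8.1.1", "/default.ida?" + "N" * 224 + "=a"),
    _line("65.1.1.1", "/index.html"),            # normal request
    _line("24.8.1.2", "/default.ida?short"),     # no filler run, not counted
    _line("cable-host.example", "/default.ida?" + "N" * 224 + "=a"),
])

if __name__ == "__main__":
    r = summarize(SAMPLE_LOG, "65.30.1.20")  # constructed server address
    print(f"{r['total']} probes: {r['same_block']} from my /8, "
          f"{r['elsewhere']} from elsewhere; variants {dict(r['variant'])}")
    for src, n in r["sources"].most_common(3):
        print(f"  {src}: {n}")
```
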
