[lug] Code Rainbow: New attack, MUCH nastier...
D. Stimits
stimits at idcomm.com
Tue Sep 18 12:07:42 MDT 2001
"Michael J. Hammel" wrote:
>
> Thus spoke Sean Reifschneider
> > Starting at around 7am mountain time this morning (you know, exactly a week
> > from last Tuesday at 9am eastern time) a new Code-Red-like worm has started
> > pounding the heck out of the network. It's interesting to note that there
> > wasn't really a ramp-up time, at 7:20am or so mountain time we just
> > suddenly started getting pounded on at around 40KB/sec. Now, around 2.5
> > hours later it's up to 60KB/sec.
> >
> > They're calling it "Code Rainbow":
> >
> > http://www.newsbytes.com/news/01/170225.html
>
> Ick. Why don't I see any attempts in my logs? I can see the cable modem
> data light flashing away like gangbusters, but no DENY notes in my logs.
> Have I yet *another* thing to turn on in my RH 7.1 configuration? *sigh*
Are you using ipchains or iptables (use lsmod if you use a module on a
2.4.x kernel and want to know which is loaded)? Do your rules say to
log? Personally I'm seeing an average of one hit every 5 to 10 seconds,
but most of them are from just a few IPs:
209.60.35.6
209.179.196.94
209.60.71.253
209.94.17.4
209.173.167.194
209.150.214.116
209.249.102.144
As it happens, I'm using a 209.60.72.* address. See any patterns there?
I suspect the worm has a defective random IP scheme that doesn't try a
very wide range of IPs.
D. Stimits, stimits at idcomm.com
>
> --
> Michael J. Hammel |
> The Graphics Muse | I'm trying to imagine you with a personality.
> mjhammel at graphics-muse.org |
> http://www.graphics-muse.com
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
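The check Stimits describes (are your firewall rules logging, and do the logged sources cluster in one address range?) as an added example that is not part of this thread. It assumes dropped port-80 packets are logged by an iptables/ipchains LOG rule whose messages land in the kernel log; the log lines, host name and the 198.51.100.7 address are constructed for the example, the 209.* sources are the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample kernel log lines in the iptables/ipchains LOG format
# (hypothetical host name "fw" and timestamps; WEB-DENY is an assumed
# --log-prefix). Source addresses are those quoted in the thread plus one
# constructed documentation-range address that is not a worm hit.
SAMPLE_LOG = """\
Sep 18 07:21:03 fw kernel: WEB-DENY IN=eth0 OUT= SRC=209.60.35.6 DST=209.60.72.10 PROTO=TCP SPT=2048 DPT=80 SYN
Sep 18 07:21:09 fw kernel: WEB-DENY IN=eth0 OUT= SRC=209.179.196.94 DST=209.60.72.10 PROTO=TCP SPT=3355 DPT=80 SYN
Sep 18 07:21:15 fw kernel: WEB-DENY IN=eth0 OUT= SRC=209.60.35.6 DST=209.60.72.10 PROTO=TCP SPT=2049 DPT=80 SYN
Sep 18 07:21:20 fw kernel: WEB-DENY IN=eth0 OUT= SRC=198.51.100.7 DST=209.60.72.10 PROTO=TCP SPT=4021 DPT=22 SYN
Sep 18 07:21:26 fw kernel: WEB-DENY IN=eth0 OUT= SRC=209.94.17.4 DST=209.60.72.10 PROTO=TCP SPT=1131 DPT=80 SYN
"""

# SRC= and DPT= are the field names the kernel LOG target writes.
LINE_RE = re.compile(r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+).*?DPT=(?P<dpt>\d+)")


def summarize_hits(log_text, port=80, prefix_octets=1):
    """Count logged hits on `port` per source address and per address
    prefix (first `prefix_octets` octets). Returns
    (per_source Counter, per_prefix Counter, total hit count)."""
    per_source = Counter()
    per_prefix = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dpt")) != port:
            continue  # not a LOG line, or traffic to another port
        src = m.group("src")
        per_source[src] += 1
        per_prefix[".".join(src.split(".")[:prefix_octets])] += 1
    return per_source, per_prefix, sum(per_source.values())


if __name__ == "__main__":
    # Read the kernel log from a file path given on the command line, else
    # fall back to the constructed sample so the script runs offline.
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    sources, prefixes, total = summarize_hits(text)
    print(f"{total} hits on port 80 from {len(sources)} sources")
    for prefix, n in prefixes.most_common():
        print(f"  {prefix}.* : {n} ({100 * n // total}%)")
```

If the top prefix carries almost all of the hits while your own address shares it, the scanning is not uniformly random, which is the point Stimits is making above.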