Are your modem lights flashing a lot recently?
Dave S
5th August 2001, 07:30
Phil if I have posted this in the wrong section please feel free to move it!!
Well this could be why!!
http://www.dslreports.com/forum/remark,1224882;root=security,1;mode=flat
Sorry if you guys already know, but I've done some testing with my packet sniffer and they're correct, loads of ARP traffic!!
PS NTL customers in the UK: just read a posting on their newsgroup that an NTL proxy @ Nottingham could be infected by "Code Red".
dnar
5th August 2001, 08:01
One of the OCN crew ("todays") has reported hits I notice.
http://forums.overclockers-network.com/cgi-bin/ultimatebb.cgi?ubb=get_topic&f=6&t=004973
Medic193
5th August 2001, 10:49
WoW! I am being slammed! It's been going on for hours now.
phil
5th August 2001, 10:54
It's the code red virus...you are OK if you ain't running IIS under Windows.
Stilgar
5th August 2001, 11:46
Being hit all the time on port 80 for the last few days. Did you hear Microsoft's update page got whacked? (After they had already released the patch. :D ) I wonder if it will reach a critical mass or if people will wake up and put in the patch.
BTW may be old news to some but look here (http://www.attrition.org/mirror/attrition/). (Not about Code Red, but look around at the stats on this page and the annual stats. NT up over 50% of the hacks.)
MechCD
5th August 2001, 12:12
Hmmm, my cable modem's lights have been going even with the LAN unplugged.
What ports is this coming from? I'd like to block it if it's not already.
My ports 21, 23, and 80 are blocked (hardware firewall), among others (but not all).
siggy
5th August 2001, 13:16
My modem light is going crazy too. Please clarify in laywoman's terms.
Stilgar
5th August 2001, 14:09
Originally posted by siggy
My modem light is going crazy too. Please clarify in laywoman's terms.
All it is looking for is unpatched webservers running Microsoft IIS server that came with Win 2k/NT. It sends out requests on port 80 (http). See here (http://www.symantec.com/avcenter/venc/data/codered.worm.html) and here (http://www.symantec.com/avcenter/security/Content/2001_07_31.html) for more info.
siggy
5th August 2001, 18:49
I have Windows ME. Should I have something to worry about?
Dave S
5th August 2001, 19:09
Siggy no problem 4U:D:D
Stilgar
5th August 2001, 19:15
Originally posted by siggy
I have Windows ME. Should I have something to worry about?
Nope, you won't have any prob. with Code Red. Just every so often use the update function and you should not have any problems. You can also look here (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/current.asp?productid=19&servicepackid=0) for information on security patches for ME. But most if not all will be at the update site. For any version of Windows or other Microsoft products just check this page (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/current.asp) and choose the product. And make sure you keep your antivirus up to date.
siggy
5th August 2001, 20:15
Kool...I updated the antivirus.......
The light is still going steady. It has been like that ALL day.
Stilgar
5th August 2001, 21:56
Looks like we have another variant. We are up to Code Red 3. The first one just attacked the White House server. This one is making zombies. Still getting peppered hard. I'm up to about 200 hits today.
Rick_Deadly
5th August 2001, 22:19
Originally posted by MechCD
Hmmm, my cable modem's lites have been going even with the lan unplugged.
What ports is this coming fom? I'd like to block it if its not already.
my ports 21, 23, and 80 are blocked(hardware firewall), among others (but not all)
All attacks against my computer appear to be TCP packets arriving on 80 and 119. About 100 an hour since I noticed this morning.
Rick_Deadly
5th August 2001, 22:24
There is one constant on mine. Almost all of the packets are coming from the same server at KOS.net.
KOS.net just happens to be one of the local ISPs. How much you want to bet it's an NT server? :)
I'm awfully tempted to trash it, but that would be illegal. :) Can't have that now. :D
Stilgar
6th August 2001, 00:31
Originally posted by Rick_Deadly
There is one constant on mine. Almost all of the packets are coming from the same server at KOS.net.
KOS.net just happens to be one of the local ISPs. How much you want to bet it's an NT server? :)
I'm awfully tempted to trash it, but that would be illegal. :) Can't have that now. :D
Warped thought. Newspaper article: "New computer age vigilante breaks into computers to fix Code Red virus." Since the new one leaves a hole in the server, run the patch and reboot it. I know some are just unaware and some will not apply any patch until it has been fully tested on test systems, but this one would seem to be an exception.
wbierman
6th August 2001, 01:31
Code Red II worm started late last night. Here is what the original looks like:
2001-08-04 03:20:21 61.72.94.62 - 192.168.1.100 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
Here is the new variant:
2001-08-06 00:07:38 63.204.174.82 - 192.168.1.100 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
Let's be real clear here... Unpatched IIS 4 and IIS 5 servers can spread the attack. Patched machines are not affected. The original worm unpacks and begins a random IP generation search. These searches affect EVERY web server with port 80 open. Port 80 is not the only port being exploited. The requests are showing up in everyone's log files.
Code Red II is more virulent. It is leaving a "back door" open and that back door is hooked to the root command. My logs are filling up faster than the first time. This new worm is way more active than the first.
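The two log excerpts above give enough to write a detector for this traffic. The following is an added example for this thread, not code from any of the posters: it parses IIS log lines in the field layout shown above (date, time, client IP, a dash, server IP, port, method, URI, query, status) and labels a request as a probe when the URI is /default.ida and the query is a long run of one filler byte followed by %u-encoded words. The "N" versus "X" distinction between the original worm and the second variant is taken from the excerpts; the 100-byte filler threshold and all sample log lines are assumptions constructed for the example.

```python
"""Flag Code Red style probes in IIS W3C-format log lines and count them.

Added example for this thread, not code from any of the posters. The field
layout (date time client-ip - server-ip port method uri query status) and
the two payload shapes, a long run of 'N' for the original worm and of 'X'
for the second variant followed by %u-encoded words, are taken from the
two log excerpts posted above. All sample lines here are constructed.
"""
import re
from collections import Counter

# %u-encoded tail as it appears in the posted excerpts (forum line-wrap
# spaces removed).
PAYLOAD_TAIL = (
    "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3"
    "%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)

# Assumed threshold: the posted probes carry 224 filler bytes; anything
# with fewer than this many is not treated as the overflow shape.
MIN_FILLER = 100


def _probe(ts, src, filler):
    """Constructed log line in the posted layout (sample data, not real)."""
    return (f"{ts} {src} - 192.168.1.100 80 GET /default.ida "
            f"{filler * 224}{PAYLOAD_TAIL} 200 -")


SAMPLE_LOG = [
    _probe("2001-08-04 03:20:21", "61.72.94.62", "N"),
    "2001-08-04 03:25:02 10.0.0.7 - 192.168.1.100 80 GET /index.htm - 200 -",
    _probe("2001-08-06 00:07:38", "63.204.174.82", "X"),
    _probe("2001-08-06 00:09:11", "63.204.174.82", "X"),
    # A plain request for the .ida handler with no payload is not a probe.
    "2001-08-06 00:10:00 10.0.0.9 - 192.168.1.100 80 GET /default.ida - 404 -",
]

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) - (?P<server>\S+) "
    r"(?P<port>\d+) (?P<method>\S+) (?P<uri>\S+) (?P<query>\S+) (?P<status>\d+)"
)
UNICODE_ESCAPE_RE = re.compile(r"%u[0-9a-fA-F]{4}")


def parse_line(line):
    """Split one log line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Label a probe by its filler byte, or return None for other traffic.

    Only the request shape is examined; the logged status code says nothing
    about whether the receiving server was actually vulnerable.
    """
    if entry is None or entry["uri"].lower() != "/default.ida":
        return None
    query = entry["query"]
    if not query or not query[0].isalpha():
        return None
    filler = query[0]
    run = len(query) - len(query.lstrip(filler))
    if run < MIN_FILLER or not UNICODE_ESCAPE_RE.search(query[run:]):
        return None
    if filler.upper() == "N":
        return "ida-overflow/N-filler (original Code Red shape)"
    if filler.upper() == "X":
        return "ida-overflow/X-filler (Code Red II shape)"
    return "ida-overflow/other-filler"


def summarize(lines):
    """Return (probes by shape, probes by source address) for a log."""
    by_shape, by_source = Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        label = classify(entry)
        if label:
            by_shape[label] += 1
            by_source[entry["client"]] += 1
    return by_shape, by_source


if __name__ == "__main__":
    shapes, sources = summarize(SAMPLE_LOG)
    for label, n in shapes.items():
        print(f"{n:4d}  {label}")
    for src, n in sources.most_common():
        print(f"{n:4d}  from {src}")
```

Run it against a real IIS log by replacing SAMPLE_LOG with the file's lines. The per-source count is what Rick_Deadly did by eye earlier in the thread: a single address producing most of the probes is usually one infected host scanning nearby ranges rather than many independent attackers.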
Dave S
6th August 2001, 13:19
Yep just read this…:eek:
http://www.theregister.co.uk/content/4/20841.html
PS thanks Will:)
MechCD
6th August 2001, 13:51
Aww, shit (pardon language)!
Last night I got a DoS attack. Everything was out; it wasn't just me either, a buddy that lives 4 miles away (same service) too.
Dnar would remember that last night (afternoon for him?) I was getting kicked regularly while I sat there and watched arse loads of packets stream into my router and die from the filters. I had somewhere around 500,000 packets in 30 minutes. I wasn't transmitting either; it wouldn't go out, or it went out and I couldn't receive.
Does Code Red 2 and 3 affect Linux or Win98se?
i know 1 only affected IIS servers
MechCD
6th August 2001, 13:54
Originally posted by wbierman
Code Red II worm started late last night. Here is what the original looks like:
2001-08-04 03:20:21 61.72.94.62 - 192.168.1.100 80 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
Here is the new variant:
2001-08-06 00:07:38 63.204.174.82 - 192.168.1.100 80 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 -
Let's be real clear here... Unpatched IIS 4 and IIS 5 servers can spread the attack. Patched machines are not affected. The original worm unpacks and begins a random IP generation search. These searches affect EVERY web server with port 80 open. Port 80 is not the only port being exploited. The requests are showing up in everyone's log files.
Code Red II is more virulent. It is leaving a "back door" open and that back door is hooked to the root command. My logs are filling up faster than the first time. This new worm is way more active than the first.
Dangit, last night..... Linux box was up.... port 22 open (rsh), dangit majorly. I don't think I got anything, cuz I'm not transmitting anything other than regular web stuff.
What ports other than 80 are affected? 21 (ftp) maybe? 23 (telnet)? POP3 port?
Yesterday, Tripod's FTP was blowin' chunks, it never does. I think I was getting pinged by it too. Pinged on port 80 which is blocked. :) Looks like Tripod has some problems on their hands. :) It might be fixed today though.
wbierman
6th August 2001, 15:52
Check this Web site out. It details everything about Code Red.
http://www.dshield.org
Bruce
6th August 2001, 16:55
I've got a DSL connection (24/7 connection) plus a hardware firewall. My firewall has been going down pretty regularly, so I figure Code Red is giving me a DoS attack. I talked to tech support and they made the following suggestion, which I think is simply brilliant.
My firewall has a "visible computer" (more commonly called DMZ) which I had set to disabled -- since I don't presently have a website of my own. (I don't trust my Win98 -- and now I obviously won't be trusting Win2K when I start running it.) Anyway, they suggested I enable Visible Computer and set it to 192.168.10.xxx -- the address of a nonexistent LAN computer. I don't know all the details of NAT, but I guess passing it on and letting it time-out on my LAN is better than making the firewall respond with whatever it passes back when the option is disabled (nak?).
Dave S
9th August 2001, 17:28
Good call Bruce, I do this with my Linksys. :D