[aclug-L] Re: Hacker or ??
To: discussion@xxxxxxxxx
Subject: [aclug-L] Re: Hacker or ??
From: Maverick <mluvw47@xxxxxxxxx>
Date: Tue, 18 Sep 2001 14:03:19 -0700 (PDT)
Reply-to: discussion@xxxxxxxxx

Is that a code blue or code red III virus attack? I found out at my work area that the code blue worm clogs things up with this kind of traffic problem, but I don't know for sure. I am going into the deja newsgroup to see what is going on...

Mav
--- "gLaNDix (Jesse Kaufman)" <glandix@xxxxxxxxxxxxxx>
wrote:
> 
> On 18 Sep 2001 14:34:32 -0500, Steven Saner wrote:
> > 
> > It appears that an infected machine will scan all of the addresses in
> > the class A or B netblock that they are in.
> 
> yeah, that's correct...  i tho't about that as soon as i stepped out the
> door! : ^ )  it seems to act the same as CRI/II ... all my hits were
> from 2*.*, but most were from 24.* ... so far, all my hits of this new
> stuff are from 24.* ... so in other words, don't follow my previous
> directions unless you're on RR and have a 24.* ip address! : ^ )
> 
> anyone bored enuf to write a (i think it would be) simple perl script
> that would scan the httpd-access.log file and do an nslookup on all the
> IPs associated w/ the ...cmd.exe... request and plop them in a nice
> file?  would make reporting incidents like this a lot simpler, 'cause
> you could see (or at least be able to guess) which net block owner to
> report to...
> 
> > Maybe they will expand out from there later.
> 
> geez, let's hope not!!!
> 
> > It also appears that it isn't uncommon to be hit several times by a
> > specific host.
> 
> yeah, the log entries are very similar to the CRII entries i had, but w/
> a different request...  and it seems to me like each hit is slightly
> different than the other... eg: "GET /scripts/..%252f../...." but the
> prev from the same host is "GET /scripts/..%25%35%63../...."
> 
> > On one web server I have received around 5000 hits from about 150
> > hosts since 3:00am. It really hasn't affected performance much, so I'm
> > not too worried about it... yet.
> 
> i haven't really noticed it all that much either, but i need to go back
> in my logs and actually see when it started...  fortunately this time,
> i've only got one of my ip's used, so i'm only getting hits on one
> machine (thank you NATd!) instead of 2 last time...  unless i'm wrong in
> my assumption, that should cut the amount of traffic in half, thus
> affecting my performance about 1/2 as much...  right?
> 
> oh, and btw... sorry for reposting the entire long-@ss thread last
> time.. was in a hurry to get to class and forgot to cut out the crap! : ^ )
> 
> gLaNDix
> 
> -- This is the discussion@xxxxxxxxx list.  To unsubscribe, visit
> http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
> 


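The log-scanning script gLaNDix asks for in the quoted message, written here as an added example (in Python rather than Perl, and not code from anyone in the thread): it reads Apache-style access log lines, keeps only the cmd.exe probe requests, counts hits and distinct request variants per source IP, reverse-resolves each IP (the nslookup step, with the resolver injectable so the script also works offline), and groups the result by /16 so the netblock owner to report to stands out. The sample log lines and the request paths in them are constructed for the example.

```python
import re
import socket
from collections import defaultdict

# Constructed sample lines in Apache common log format (not taken from the thread's logs).
SAMPLE_LOG = """\
24.11.22.33 - - [18/Sep/2001:03:02:11 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
24.11.22.33 - - [18/Sep/2001:03:02:12 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
24.99.1.2 - - [18/Sep/2001:03:05:40 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
192.0.2.7 - - [18/Sep/2001:03:06:01 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
# cmd.exe is the marker the thread talks about; the traversal encoding before it varies per hit.
WORM_RE = re.compile(r'cmd\.exe', re.IGNORECASE)

def parse_worm_hits(log_text):
    """Return {ip: {"count": n, "requests": set of distinct request lines}} for probe requests only."""
    hits = defaultdict(lambda: {"count": 0, "requests": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not WORM_RE.search(m.group("req")):
            continue
        entry = hits[m.group("ip")]
        entry["count"] += 1
        entry["requests"].add(m.group("req"))
    return dict(hits)

def reverse_lookup(ip):
    """The nslookup step: PTR name, or None when the host has none (common for cable-modem blocks)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None

def build_report(log_text, resolver=reverse_lookup):
    """Group offending hosts by /16 (first two octets), busiest host first; resolver is injectable for offline runs."""
    hits = parse_worm_hits(log_text)
    report = defaultdict(list)
    for ip, entry in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        block = ".".join(ip.split(".")[:2]) + ".0.0/16"
        report[block].append({"ip": ip, "host": resolver(ip), "count": entry["count"], "variants": sorted(entry["requests"])})
    return dict(report)

if __name__ == "__main__":
    for block, entries in build_report(SAMPLE_LOG).items():
        print(block)
        for e in entries:
            print(f"  {e['ip']:15} {e['host'] or '(no PTR)':30} hits={e['count']} variants={len(e['variants'])}")
```

To run it over a real log, pass the file's contents to build_report instead of SAMPLE_LOG; the report is a plain dict, so writing it out to the "nice file" is one json.dump away.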

