[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Code red II propagation.
- To: "'Yotam Rubin'" <yotam(at-nospam)makif.omer.k12.il>, <linux-il(at-nospam)linux.org.il>
- Subject: RE: Code red II propagation.
- From: "Haim Gelfenbeyn" <rnews(at-nospam)hageltech.com>
- Date: Sun, 5 Aug 2001 16:54:23 +0300
- Delivered-To: linux.org.il-linux-il@linux.org.il
- Importance: Normal
- In-Reply-To: <20010805163452.A773@insomia17>
- Organization: Hagel Technologies
- Reply-To: <haim(at-nospam)hageltech.com>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
Yotam,
I think you meant "backdoor" and not "trojan". Now, if you already know
that, why are you posting list of compromised servers? To make it easy
even for script kiddies who do not access to web server logs?
And by the way, on my ADSL-connected linux box I have 216 "Code Red II"
attacks since yesterday. About half of these are from Israel, and others
are mainly from Italy, Turkey and France.
And on my U.S.-hosted box I already stopped counting, since the number
is huge (partly because it's a box that hosts several web sites, thus
many IPs).
And I know one company that decided to move its web server to Linux
finally, after they got infected by this worm...
Haim.
> -----Original Message-----
> From: linux-il-bounce@cs.huji.ac.il
> [mailto:linux-il-bounce@cs.huji.ac.il] On Behalf Of Yotam Rubin
> Sent: Sunday, August 05, 2001 4:35 PM
> To: linux-il@linux.org.il
> Subject: Code red II propagation.
>
>
> Greetings,
>
> With the new worm out there, also known as Code Red II
> it is very
> easy to determine which hosts in Israel are infected. Just
> for the sake
> of gloating, I've provided the following list of infected
> hosts in Israel:
> (Obviously, this is far from definitive, this is only what
> appears in my logs)
> 192.117.120.98
> 192.117.135.213
> 192.117.138.34
> 192.117.138.36
> 192.117.140.211
> 192.117.150.250
> 192.117.153.52
> 192.117.160.35
> 192.117.166.25
> 192.117.169.195
> 192.117.172.214
> 192.117.188.211
> 192.117.188.245
> 192.117.234.165
> 192.117.234.185
> 192.117.234.191
> 192.117.234.232
> 192.117.234.240
> 192.117.234.91
>
> I think we can determine the approximate number of infected
> hosts in Israel
> with enough data, what are you seeing?
> Oh yeah, BTW, the new worm also leaves a nice little trojan
> on the infected
> host so any little script kiddie can just grep his logs and
> find machines
> to abuse.
>
> Regards, Yotam Rubin
>
> =================================================================
> To unsubscribe, send mail to linux-il-request@linux.org.il with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail linux-il-request@linux.org.il
>
>
>
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il