[Plug-security] Code Red Traffic
foodog
plug-security@lists.PLUG.phoenix.az.us
Wed, 03 Oct 2001 04:17:15 -0700
I (conveniently) assume that if boxes are still infected with Code Red
and/or Nimda they don't have an administrator. I believe kiddies will
eventually convert most of the laggards into warez and IRC servers, at
which point they'll have an administrator of sorts. :-/

Most of the hits I get now are from universities in Taiwan, YSMV (your
subnet may vary). If it's from a node within walking distance I pay
them a visit, but it's been a couple of weeks since that happened. I
keep those encounters brief:

"Hi, you have xx.xx.xx.xx in here? It's infected with <current plague>.
You need to unplug it now, until it gets disinfected and patched.
Thanks! <smile>."

<stand there until the network cable comes out; final friendly wave>

Steve
Scott Gerlach wrote:
>
> Looking through my webserver logs, I've noticed a lot of Code Red traffic
> hitting my box as follows
>
> <<...OLE_Obj...>>
>
> Although my Linux server does not contain this vulnerability :), I was
> wondering if anybody is notifying administrators of such traffic originating
> from their IP range and if so, what would you say to said admins.
>
> Thanks,
> Scott Gerlach
> Information Systems Manager
> Kyocera Solar Inc.
> "Quis custodiet ipsos custodes"