CR worm infection attempts

Thomas Mondoshawan Tate plug-discuss@lists.PLUG.phoenix.az.us
Sun, 5 Aug 2001 12:37:42 -0700


--HlL+5n6rz5pIUxbD
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

No kidding. I just read your listing and decided to check out my webserver's
logs just for fun. Whoo... I've only had my server up for less than 11
hours, and I've already had 113 hits from that little bugger. O.o

-- Mondoshawan

On Sun, Aug 05, 2001 at 12:24:40PM -0700, jiva@opnix.com wrote:
> Mind you, this is unique infections *per hour*.  I've had well over
> 1000 attempts in the last 24 hours.
>=20
> On Sun, Aug 05, 2001 at 12:17:20PM -0700, Jiva DeVoe wrote:
> > Here's some fun things... I wrote a little script to watch the rate of
> > attempted infection of my box.  The first column is the Day, the
> > second column(after the colon) is the hour, and the last column is the
> > number of times code-red tried to infect me:
> >=20
> > jiva@bart:/var/log/apache$ grep -i default
> > /var/log/apache/access.log.0 access.log | ~/code.rb=20
> > 01:05 1
> > 01:08 3
> > 01:09 1
> > 01:10 4
> > 01:11 1
> > 01:12 2
> > 01:13 3
> > 01:14 2
> > 01:15 1
> > 01:16 1
> > 01:17 1
> > 01:18 2
> > 01:20 2
> > 01:21 2
> > 01:22 1
> > 01:23 2
> > 02:00 4
> > 02:01 3
> > 02:02 3
> > 02:04 4
> > 02:06 2
> > 02:07 3
> > 02:09 4
> > 02:10 1
> > 02:11 1
> > 02:13 2
> > 02:14 3
> > 02:15 1
> > 02:16 2
> > 02:17 3
> > 02:19 5
> > 02:20 1
> > 02:21 2
> > 02:23 1
> > 03:00 2
> > 03:02 1
> > 03:03 2
> > 03:04 1
> > 03:06 1
> > 03:07 3
> > 03:10 2
> > 03:11 2
> > 03:13 1
> > 03:16 2
> > 03:18 1
> > 03:22 2
> > 04:00 2
> > 04:01 1
> > 04:02 5
> > 04:03 1
> > 04:04 2
> > 04:05 10
> > 04:06 20
> > 04:07 19
> > 04:08 19
> > 04:09 29
> > 04:10 33
> > 04:11 37
> > 04:12 25
> > 04:13 34
> > 04:14 31
> > 04:15 24
> > 04:16 30
> > 04:17 40
> > 04:18 33
> > 04:19 49
> > 04:20 26
> > 04:21 34
> > 04:22 39
> > 04:23 23
> > 05:00 30
> > 05:01 37
> > 05:02 22
> > 05:03 34
> > 05:04 20
> > 05:05 24
> > 05:06 22
> > 05:07 24
> > 05:08 29
> > 05:09 35
> > 05:10 39
> > 05:11 49
> > 05:12 6
> >=20
> >=20
> > On Sun, Aug 05, 2001 at 11:38:00AM -0700, Wayne Conrad wrote:
> > > It's working.  Everyone's taking a breather from that last round of m=
essages (whew).  Or tailing Apache logs watching the new looks-like-CR-but-=
isn't worm.  Fun for the whole family.
> > >   Wayne
> > > ________________________________________________
> > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn=
't post to the list quickly and you use Netscape to write mail.
> > >=20
> > > PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >=20
>=20
> --=20
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't p=
ost to the list quickly and you use Netscape to write mail.
>=20
> PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--HlL+5n6rz5pIUxbD
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7baCGYp5mUsPGjjwRAonPAKCtTiF4XqNtQY5ePj07NnZDCkwfOACglVKG
JVXdwAyZE4CUORCfVLAAgBM=
=o7J+
-----END PGP SIGNATURE-----

--HlL+5n6rz5pIUxbD--