From: "f.johan.beisser" <jan@caustic.org>
Date: Mon, 6 Aug 2001 21:25:00 -0700 (PDT)
To: User & Ian Patrick Thomas
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Is this what the Code Red II worm does?
In-Reply-To: <20010806234045.A340@localhost>

On Mon, 6 Aug 2001, User & Ian Patrick Thomas wrote:

> When I try this IP, 24.218.162.152, I get an error message saying that
> too many people are trying to access this website. Both of these seem like
> symptoms of the worm. Does this sound right? Is this what the Code Red II
> worm is supposed to do, DoS or defacement? Just curious.

Code Red II is another IIS worm. It can't infect a FreeBSD box, but it will fill your httpd logs with useless data. If a machine behind your firewall is infected, it will be scanning the subnets closest to it.

I would suggest having all your NT boxes checked out for viruses. You should consider running an IDS like snort (/usr/ports/security/snort), or run packet analysis to see what kind of traffic is running.

Other than that, I would suggest digging a bit more heavily into the kinds of traffic you are expecting on this network.

-- jan

-------/ f. johan beisser /--------------------------------------+
http://caustic.org/~jan                           jan@caustic.org
"if my thought-dreams could be seen..
 they'd probably put my head in a guillotine" -- Bob Dylan
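The reply above recommends looking at the httpd logs and at where the scanning traffic comes from. The following script is an added example, not part of the original mail or any FreeBSD tool: it parses Apache-style access-log lines, counts the Code Red family's `/default.ida` probes per source address, and notes whether a source shares the server's /16 or /8, which is the "nearby subnet" pattern the reply describes. The log lines and the server address are constructed sample values.

```python
import re
from collections import Counter

# Constructed sample access-log lines (not taken from the original mail).
# Real Code Red probes carry a much longer run of X characters in the query.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Aug/2001:21:10:01 -0700] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 290
10.0.0.5 - - [06/Aug/2001:21:10:03 -0700] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 290
192.0.2.77 - - [06/Aug/2001:21:11:15 -0700] "GET /index.html HTTP/1.0" 200 1043
198.51.100.9 - - [06/Aug/2001:21:12:40 -0700] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 290
"""

# Apache common/combined log format: source, identity, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(path):
    """Code Red and Code Red II both hit the .ida ISAPI extension via /default.ida."""
    return path.lower().startswith("/default.ida?")


def same_prefix(addr_a, addr_b, octets):
    """True when two dotted-quad addresses share their first `octets` octets."""
    return addr_a.split(".")[:octets] == addr_b.split(".")[:octets]


def summarize(log_text, server_ip):
    """Map each probing source to its hit count and its closeness to server_ip."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_code_red_probe(rec["path"]):
            hits[rec["src"]] += 1
    return {
        src: {
            "hits": n,
            "same_16": same_prefix(src, server_ip, 2),
            "same_8": same_prefix(src, server_ip, 1),
        }
        for src, n in hits.items()
    }


if __name__ == "__main__":
    # "10.0.0.20" is a constructed address standing in for the web server.
    for src, info in summarize(SAMPLE_LOG, "10.0.0.20").items():
        print(src, info)
```

A source in the same /16 that keeps sending these probes is a candidate for the infected machine behind the firewall that the reply mentions.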