From owner-freebsd-questions Sun Aug 5 17:35:51 2001
Message-Id: <200108060035.f760Zkx30388@grumpy.dyndns.org>
To: questions@FreeBSD.ORG
From: David Kelly
Subject: Re: Code Red 2 - (was : Attempted Buffer Overrun in via httpd? )
In-reply-to: Message from rshea@opendoor.co.nz of "Mon, 06 Aug 2001 10:28:21 +1200." <20010805222826.9412F1FA2A9@deborah.paradise.net.nz>
Date: Sun, 05 Aug 2001 19:35:46 -0500

rshea@opendoor.co.nz writes:
> Although Code Red is old news (hopefully) to everyone with IIS machines in
> their network I would just point out that in the last 36 hours a so called Code
> Red II has arisen (if you look in your logs you'll see that some of the
> default.ida attempts now have a padding of 'X' rather than 'N'). It has a much
> nastier effect and rebooting ain't going to fix it. Once again the June 18 IIS
> patch will avoid infection ...

Is getting bad as on Aug 1 there was an average of 1 per hour on each of my
work and home firewalls where there are no web servers. In the last day it has
escalated to one every 5 minutes or so. Had a few on July 19. Normally I see a
single poke on port 80 about once per week. Code Red apparently pokes 3 times
before moving on.

--
David Kelly N4HHE, dkelly@hiwaay.net
=====================================================================
The human mind ordinarily operates at only ten percent of its
capacity -- the rest is overhead for the operating system.
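
Added example, not part of the original message: a small log check that separates the 'N'-padded default.ida requests from the 'X'-padded ones mentioned in the thread and counts them per hour, so an escalation like the one described shows up. The Apache common log format, the sample lines, and the names classify and hourly_counts are assumptions made for this illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample access-log lines (Apache common log format); addresses
# are documentation ranges and the query strings are shortened to the padding.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Aug/2001:09:14:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 205
198.51.100.7 - - [05/Aug/2001:18:01:40 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 205
198.51.100.7 - - [05/Aug/2001:18:01:41 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 205
203.0.113.5 - - [05/Aug/2001:18:06:12 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 205
203.0.113.9 - - [05/Aug/2001:18:07:30 -0500] "GET /index.html HTTP/1.0" 200 1542
"""

# Source address, timestamp, then a default.ida request whose query starts
# with a run of at least 8 identical letters (the padding character).
PROBE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /default\.ida\?(?P<pad>[A-Za-z])(?P=pad){7,}'
)
VARIANT = {"N": "Code Red", "X": "Code Red II"}  # padding as given in the thread


def classify(line):
    """Return (source, timestamp, variant) for a default.ida probe, else None."""
    m = PROBE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["src"], when, VARIANT.get(m["pad"], "unknown padding")


def hourly_counts(lines):
    """Count probes per (hour, variant) so a rise in rate is visible."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            _, when, variant = hit
            counts[(when.strftime("%Y-%m-%d %H:00"), variant)] += 1
    return counts


if __name__ == "__main__":
    for (hour, variant), n in sorted(hourly_counts(SAMPLE_LOG.splitlines()).items()):
        print(f"{hour}  {variant:<12} {n}")
```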