From owner-freebsd-questions Mon Aug 6 20:44: 3 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from smtprelay2.adelphia.net (smtprelay2.adelphia.net [64.8.25.7]) by hub.freebsd.org (Postfix) with ESMTP id 8B53F37B405 for ; Mon, 6 Aug 2001 20:44:01 -0700 (PDT) (envelope-from ipthomas_77@yahoo.com)
Received: from twin.scraemondaemon.org ([24.49.117.213]) by smtprelay2.adelphia.net (Netscape Messaging Server 4.15) with ESMTP id GHOIE603.VXK for ; Mon, 6 Aug 2001 23:44:30 -0400
Received: (from ipt@localhost) by twin.scraemondaemon.org (8.11.3/8.11.3) id f773fPJ00368 for freebsd-questions@freebsd.org; Mon, 6 Aug 2001 23:41:25 -0400 (EDT) (envelope-from ipt)
Date: Mon, 6 Aug 2001 23:40:45 -0400
From: User & Ian Patrick Thomas
To: freebsd-questions@freebsd.org
Subject: Is this what the Code Red II worm does?
Message-ID: <20010806234045.A340@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

After doing an ipfw show after rebooting, I noticed the following:

00106 5 216 (T 0, # 81) ty 0 tcp, 24.49.81.9 4061 <-> 24.49.117.213 80
00106 5 216 (T 0, # 174) ty 0 tcp, 24.240.245.40 2819 <-> 24.49.117.213 80
00106 5 216 (T 0, # 198) ty 0 tcp, 24.218.162.152 3547 <-> 24.49.117.213 80

This is the rule it matched:

00106 43 3202 allow tcp from any to any keep-state setup

The thing is, I didn't go to any of these sites. In fact, I did absolutely no surfing at all yet.

Here is what this IP, 24.240.245.40, gives you...

CHINA Government fuck PoizonBOx contact:sysadmcn@yahoo.com.cn

When I try this IP, 24.218.162.152, I get an error message saying that too many people are trying to access this website.

Both of these seem like symptoms of the worm. Does this sound right?
Is this what the Code Red II worm is supposed to do, DoS or defacement?

Just curious.

Ian
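The point worth pulling out of the ipfw output above is the direction of the state entries: the poster's own host, 24.49.117.213, is on the right-hand side on port 80 in all three lines, so the remote addresses opened connections to his web port, not the other way round. A blanket `allow tcp from any to any keep-state setup` rule creates state for inbound SYNs just as readily as for outbound ones, which is why those entries appeared without any browsing. The following script is an added example, not code from the post or from FreeBSD; it parses dynamic-rule lines in the format shown in the post and classifies each one as an inbound hit on a local service port or as an outbound connection. It assumes that the left-hand address pair of `<->` is the side that initiated the connection (the SYN that matched the `setup` rule), and the field names `rule`, `pkts`, `ttl`, `slot` and `type` are my labels for the columns, not ipfw's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the three dynamic-rule lines from the post,
# as `ipfw show` printed them, plus the parent rule line (which is not a
# dynamic rule and must be ignored by the parser).
SAMPLE_IPFW_SHOW = """\
00106 43 3202 allow tcp from any to any keep-state setup
00106 5 216 (T 0, # 81) ty 0 tcp, 24.49.81.9 4061 <-> 24.49.117.213 80
00106 5 216 (T 0, # 174) ty 0 tcp, 24.240.245.40 2819 <-> 24.49.117.213 80
00106 5 216 (T 0, # 198) ty 0 tcp, 24.218.162.152 3547 <-> 24.49.117.213 80
"""

# Matches one dynamic-rule line of the form
#   RULE PKTS BYTES (T TTL, # SLOT) ty TYPE PROTO, SRC SPORT <-> DST DPORT
# Column names here are this example's own labels.
DYN_RULE_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"\(T\s+(?P<ttl>\d+),\s+#\s+(?P<slot>\d+)\)\s+ty\s+(?P<type>\d+)\s+"
    r"(?P<proto>\w+),\s+(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)


@dataclass
class DynState:
    rule: int
    proto: str
    src: str     # initiator address (assumption: left side of <-> opened the flow)
    sport: int
    dst: str     # responder address
    dport: int


def parse_dynamic_rule(line: str) -> Optional[DynState]:
    """Parse one `ipfw show` line; return None for static rules or other text."""
    m = DYN_RULE_RE.match(line.strip())
    if not m:
        return None
    return DynState(
        rule=int(m["rule"]),
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
    )


def classify(state: DynState, local_ip: str, service_ports=frozenset({80})) -> str:
    """Direction of a state entry relative to the local host.

    'inbound-to-service': a remote host initiated a flow to one of our service ports.
    'outbound': our host initiated the flow (what browsing would look like).
    'unrelated': neither side is the local address (e.g. forwarded traffic).
    """
    if state.dst == local_ip and state.dport in service_ports:
        return "inbound-to-service"
    if state.src == local_ip:
        return "outbound"
    return "unrelated"


def inbound_service_hits(text: str, local_ip: str) -> Dict[str, List[int]]:
    """Map each remote initiator to the local service ports it connected to."""
    hits: Dict[str, List[int]] = {}
    for line in text.splitlines():
        st = parse_dynamic_rule(line)
        if st is None:
            continue
        if classify(st, local_ip) == "inbound-to-service":
            hits.setdefault(st.src, []).append(st.dport)
    return hits


if __name__ == "__main__":
    for remote, ports in inbound_service_hits(SAMPLE_IPFW_SHOW, "24.49.117.213").items():
        print(f"{remote} opened connections to local port(s) {sorted(set(ports))}")
```

Run against the sample, the script reports all three remote addresses as having opened connections to local port 80, which is the pattern of a host being probed on its web port rather than of a user visiting those sites. If the intent of the rule was only to let the host's own outgoing connections back in, a narrower rule such as `allow tcp from me to any out keep-state setup` (my suggestion, not from the post) would keep inbound SYNs from creating dynamic state at all; inbound web traffic would then have to be allowed, or denied, by an explicit rule of its own.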