Latest CodeRed variant lacks built in obsolescence. Same old tricks with moderate-to-low risk worm [The Register] Saw a couple hits in the web server log yesterday: GET /default.ida followed by a slew of NNNNNNN’s. If you didn’t see hits in your logs (you do read your logs daily, don’t you?), perhaps you’d better check to make sure you’re not infected.
62.212.113.49 – France, ADSL
61.222.207.187 – Taiwan
64.35.166.213 – Digital Solutions, San Jose
and on the second day,
64.106.162.220 – a customer of DataPipe of Hoboken, NJ
64.229.11.167 – a customer of HSE, Kingston, Ontario, Canada
64.35.166.213 – a repeat, from above. Five times.
64.35.112.148 – XO Communications, seven times.
64.231.108.158 – Bell Nexxia, Toronto, Ontario, Canada
64.252.199.131 – SBC Internet of Meriden, CT
So, I went from three to sixteen attacks in a single day. Hysterial media would predict the end of the world by the end of the week. Me, I think I’ll just send email to the abuse aliases for the clients I can find.
Thanks to the ARIN WhoIs for the lookups.