Latest CodeRed variant lacks built in obsolescence. Same old tricks with moderate-to-low risk worm [The Register] Saw a couple hits in the web server log yesterday: GET /default.ida followed by a slew of NNNNNNN’s. If you didn’t see hits in your logs (you do read your logs daily, don’t you?), perhaps you’d better check to make sure you’re not infected.
126.96.36.199 – France, ADSL
188.8.131.52 – Taiwan
184.108.40.206 – Digital Solutions, San Jose
and on the second day,
220.127.116.11 – a customer of DataPipe of Hoboken, NJ
18.104.22.168 – a customer of HSE, Kingston, Ontario, Canada
22.214.171.124 – a repeat, from above. Five times.
126.96.36.199 – XO Communications, seven times.
188.8.131.52 – Bell Nexxia, Toronto, Ontario, Canada
184.108.40.206 – SBC Internet of Meriden, CT
So, I went from three to sixteen attacks in a single day. Hysterial media would predict the end of the world by the end of the week. Me, I think I’ll just send email to the abuse aliases for the clients I can find.
Thanks to the ARIN WhoIs for the lookups.