Latest CodeRed variant lacks built-in obsolescence. Same old tricks with moderate-to-low risk worm [The Register]

Saw a couple hits in the web server log yesterday: GET /default.ida followed by a slew of NNNNNNN’s. If you didn’t see hits in your logs (you do read your logs daily, don’t you?), perhaps you’d better check to make sure you’re not infected.
188.8.131.52 – France, ADSL
184.108.40.206 – Taiwan
220.127.116.11 – Digital Solutions, San Jose
and on the second day,
18.104.22.168 – a customer of DataPipe of Hoboken, NJ
22.214.171.124 – a customer of HSE, Kingston, Ontario, Canada
126.96.36.199 – a repeat, from above. Five times.
188.8.131.52 – XO Communications, seven times.
184.108.40.206 – Bell Nexxia, Toronto, Ontario, Canada
220.127.116.11 – SBC Internet of Meriden, CT
So, I went from three to sixteen attacks in a single day. Hysterical media would predict the end of the world by the end of the week. Me, I think I’ll just send email to the abuse aliases for the clients I can find.
Thanks to the ARIN WhoIs for the lookups.
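
The daily tally above can be automated. The following is an added example, not part of the original post: it scans access-log lines for `GET /default.ida?` followed by a long run of one repeated character and counts hits per day and per source. The Common Log Format layout, the 32-character threshold, and every address and date in the sample are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed Common Log Format: host ident user [dd/Mon/yyyy:time zone] "request" ...
CLF = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "([^"]*)"')
# GET /default.ida? followed by one filler character repeated 32+ times
# (the threshold is an assumption; the post only says "a slew of" N's).
PROBE = re.compile(r'^GET /default\.ida\?(.)\1{31,}', re.IGNORECASE)

def scan(lines):
    """Return {day: Counter({source_ip: hits})} for requests matching PROBE."""
    per_day = defaultdict(Counter)
    for line in lines:
        m = CLF.match(line)
        if m is None:
            continue  # not a parseable access-log line
        host, day, request = m.groups()
        if PROBE.match(request):
            per_day[day][host] += 1
    return dict(per_day)

def summarize(per_day):
    """Return [(day, total_hits, {ip: hits})] in order of first appearance."""
    return [(day, sum(c.values()), dict(c)) for day, c in per_day.items()]

def repeat_sources(per_day):
    """Return the sources seen more than once across all days, sorted."""
    total = Counter()
    for c in per_day.values():
        total.update(c)
    return sorted(ip for ip, n in total.items() if n > 1)

FILLER = "N" * 224  # constructed filler run
def _line(ip, day, req):  # builds one constructed log line
    return f'{ip} - - [{day}:03:14:07 +0000] "{req} HTTP/1.0" 404 205'

SAMPLE = [  # constructed log lines using documentation address ranges
    _line("192.0.2.10", "01/Aug/2001", "GET /default.ida?" + FILLER),
    _line("198.51.100.7", "01/Aug/2001", "GET /default.ida?" + FILLER),
    _line("198.51.100.7", "01/Aug/2001", "GET /index.html"),
    _line("203.0.113.5", "02/Aug/2001", "GET /default.ida?id=5"),
    _line("203.0.113.5", "02/Aug/2001", "GET /default.ida?" + FILLER),
    _line("192.0.2.10", "02/Aug/2001", "GET /default.ida?" + FILLER),
    _line("192.0.2.10", "02/Aug/2001", "GET /default.ida?" + FILLER),
    "garbage line that is not a log entry",
]

if __name__ == "__main__":
    for day, total, sources in summarize(scan(SAMPLE)):
        print(day, total, sources)
    print("repeat sources:", repeat_sources(scan(SAMPLE)))
```

A short query such as `?id=5` and unparseable lines are skipped, so only requests with the long filler run are counted.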