From owner-freebsd-questions Tue Aug 7 14:00:51 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from smtprelay3.adelphia.net (smtprelay3.adelphia.net [64.8.25.8]) by hub.freebsd.org (Postfix) with ESMTP id 28D0237B68C for ; Tue, 7 Aug 2001 13:58:46 -0700 (PDT) (envelope-from ipthomas_77@yahoo.com)
Received: from twin.scraemondaemon.org ([24.49.117.213]) by smtprelay3.adelphia.net (Netscape Messaging Server 4.15) with ESMTP id GHPUAM01.I02; Tue, 7 Aug 2001 16:59:10 -0400
Received: (from ipt@localhost) by twin.scraemondaemon.org (8.11.3/8.11.3) id f77KuCP17620; Tue, 7 Aug 2001 16:56:12 -0400 (EDT) (envelope-from ipt)
Date: Tue, 7 Aug 2001 16:55:27 -0400
From: User & Ian Patrick Thomas
To: "f.johan.beisser"
Cc: freebsd-questions@freebsd.org
Subject: Re: Is this what the Code Red II worm does?
Message-ID: <20010807165527.A17579@localhost>
References: <20010806234045.A340@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from jan@caustic.org on Mon, Aug 06, 2001 at 09:25:00PM -0700
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

As it was put forth by f.johan.beisser on Mon, Aug 06, 2001 at 09:25:00PM -0700...

> On Mon, 6 Aug 2001, User & Ian Patrick Thomas wrote:
>
> > When I try this IP, 24.218.162.152, I get an error message saying that
> > too many people are trying to access this website. Both of these seem like
> > symptoms of the worm. Does this sound right? Is this what the Code Red II
> > worm is supposed to do, DoS or defacement? Just curious.
>
> Code Red II is another IIS worm. It can't infect a FreeBSD box, but it
> will fill your httpd logs with useless data.
>
> If a machine behind your firewall is infected, it will be scanning the
> subnets closest to it.
>
> I would suggest having all your NT boxes checked out for viruses. You should
> consider running an IDS like snort (/usr/ports/security/snort), or run
> packet analysis to see what kind of traffic is running.
>
> Other than that, I would suggest digging a bit more heavily into the
> kinds of traffic you are expecting on this network.

I am the network; it's just my one box. Although I do use a cable connection, so maybe some of the other people in my area could also be considered part of the network. I am not currently running Apache or any other web server yet. :( It seems that maybe some of the users in my area have gotten infected by the worm.

Ian

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
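The reply above notes that an infected neighbour will scan nearby subnets and fill an httpd log with junk, and suggests looking at the traffic to confirm it. The script below is an added example, not part of this thread and not FreeBSD or Snort code: it walks an Apache common-format access log and tallies, per source address, requests carrying the Code Red family's request-line signature. It assumes the well-known fact (not stated in the thread) that both worms probe IIS with a GET for /default.ida followed by a long run of filler, 'N' for the original Code Red and 'X' for Code Red II; the log lines embedded in it are constructed and truncated, real probes carry a few hundred filler characters plus an encoded payload.

```python
"""Count Code Red / Code Red II probes per source in an Apache access log.

Added example (not from the mailing-list thread). Assumptions:
  - Apache "common" log format (host ident user [ts] "request" status bytes).
  - Code Red probes request /default.ida? followed by a long run of 'N'
    (original Code Red) or 'X' (Code Red II).  Real probes are several
    hundred filler characters long; the constructed samples are truncated.
"""
import re
from collections import Counter

# One Apache common-format line; only the client address and request line
# are used below.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+'
)

# Request-line signature of the Code Red family.  A run of at least 20
# identical filler characters avoids matching an ordinary /default.ida hit.
CODERED_RE = re.compile(r'^GET /default\.ida\?(N{20,}|X{20,})')


def classify(request_line):
    """Return 'CodeRed', 'CodeRedII' or None for one request line."""
    m = CODERED_RE.match(request_line)
    if not m:
        return None
    return 'CodeRedII' if m.group(1).startswith('X') else 'CodeRed'


def scan_log(lines):
    """Map each probing client address to a Counter of variant -> hits.

    Lines that do not parse as common log format are skipped rather than
    raising, since a worm-flooded log often contains truncated lines.
    """
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        variant = classify(m.group('req'))
        if variant:
            hits.setdefault(m.group('host'), Counter())[variant] += 1
    return hits


def report(hits):
    """Return (host, total_probes) pairs, busiest scanner first."""
    return sorted(((h, sum(c.values())) for h, c in hits.items()),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample log.  24.218.162.152 is the address asked about in the
# thread; the other addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
24.218.162.152 - - [07/Aug/2001:16:40:12 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 283
192.0.2.10 - - [07/Aug/2001:16:41:00 -0400] "GET /index.html HTTP/1.0" 200 1024
198.51.100.7 - - [07/Aug/2001:16:42:31 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 283
this line is garbage left by a truncated write
24.218.162.152 - - [07/Aug/2001:16:43:05 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 283
"""

if __name__ == "__main__":
    # Replace SAMPLE_LOG.splitlines() with open('/var/log/httpd-access.log')
    # to run this against a real Apache log.
    for host, total in report(scan_log(SAMPLE_LOG.splitlines())):
        print(f"{host:16} {total} probe(s)")
```

The per-source tally is what matters for the situation in the thread: a single address hitting /default.ida repeatedly from the same cable subnet is an infected neighbour scanning nearby hosts, not traffic aimed at you specifically, and a FreeBSD box with no IIS on it only needs to discard it (or drop port 80 from that address at the firewall).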