Date:      Mon, 6 Aug 2001 23:40:45 -0400
From:      User & Ian Patrick Thomas <ipthomas_77@yahoo.com>
To:        freebsd-questions@freebsd.org
Subject:   Is this what the Code Red II worm does?
Message-ID:  <20010806234045.A340@localhost>

	After doing an ipfw show after rebooting, I noticed the following

00106 5 216 (T 0, # 81) ty 0 tcp, 24.49.81.9 4061 <-> 24.49.117.213 80
00106 5 216 (T 0, # 174) ty 0 tcp, 24.240.245.40 2819 <-> 24.49.117.213 80
00106 5 216 (T 0, # 198) ty 0 tcp, 24.218.162.152 3547 <-> 24.49.117.213 80

	This is the ruleset it matched:

00106 43  3202 allow tcp from any to any keep-state setup

	The thing is, I didn't go to any of these sites.  In fact, I did
absolutely no surfing at all yet.  Here is what this IP, 24.240.245.40,
gives you...

 							  CHINA Government
                               fuck PoizonBOx
                       contact:sysadmcn@yahoo.com.cn

 	When I try this IP, 24.218.162.152, I get an error message saying that
too many people are trying to access this website.  Both of these seem like
symptoms of the worm.  Does this sound right?  Is this what the Code Red II
worm is supposed to do, DoS or defacement?  Just curious.

Ian


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
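Added example, not part of Ian's post and not ipfw's own code: a small Python parser for the dynamic-rule lines quoted above, which separates connections that a remote host opened toward the local machine from connections the local machine opened itself, and lists the distinct remote sources that opened connections to the local port 80. It assumes the local address is 24.49.117.213 (the right-hand endpoint in all three lines) and reads the left-hand endpoint of an ipfw dynamic entry as the host that sent the SYN matched by `setup`; the fourth sample line, an outbound connection to 192.0.2.10, is constructed so the direction check has both cases to sort.

```python
import re

# Constructed sample: the three dynamic-rule lines from the post plus one
# constructed outbound entry (local host -> 192.0.2.10:80).
SAMPLE_IPFW_SHOW = """\
00106 5 216 (T 0, # 81) ty 0 tcp, 24.49.81.9 4061 <-> 24.49.117.213 80
00106 5 216 (T 0, # 174) ty 0 tcp, 24.240.245.40 2819 <-> 24.49.117.213 80
00106 5 216 (T 0, # 198) ty 0 tcp, 24.218.162.152 3547 <-> 24.49.117.213 80
00106 12 1840 (T 0, # 202) ty 0 tcp, 24.49.117.213 1034 <-> 192.0.2.10 80
"""

# One ipfw dynamic-rule line as printed in the post: parent rule number,
# packet and byte counters, the "(T timeout, # bucket)" pair, the "ty" type,
# the protocol, then "src sport <-> dst dport". The src side is taken to be
# the endpoint that sent the SYN which created the state (assumption).
DYN_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+"
    r"\(T\s+(?P<ttl>\d+),\s+#\s+(?P<bucket>\d+)\)\s+ty\s+(?P<ty>\d+)\s+"
    r"(?P<proto>\w+),\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)

INT_FIELDS = ("rule", "pkts", "bytes", "ttl", "bucket", "ty", "sport", "dport")


def parse_dynamic_rules(text):
    """Return one dict per dynamic-rule line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        for key in INT_FIELDS:
            entry[key] = int(entry[key])
        entries.append(entry)
    return entries


def classify(entries, local_ip):
    """Group entries by who opened the connection relative to local_ip:
    'inbound' when a remote host opened it toward local_ip, 'outbound' when
    the local host opened it, 'other' when local_ip is on neither side."""
    groups = {"inbound": [], "outbound": [], "other": []}
    for e in entries:
        if e["dst"] == local_ip and e["src"] != local_ip:
            groups["inbound"].append(e)
        elif e["src"] == local_ip:
            groups["outbound"].append(e)
        else:
            groups["other"].append(e)
    return groups


def inbound_sources_for_port(entries, local_ip, port=80):
    """Distinct remote hosts that opened a connection to local_ip:port, sorted."""
    inbound = classify(entries, local_ip)["inbound"]
    return sorted({e["src"] for e in inbound if e["dport"] == port})


def summarize(text, local_ip, port=80):
    """Parse an `ipfw show` dump and report the direction split plus the
    remote sources that reached the given local port."""
    entries = parse_dynamic_rules(text)
    groups = classify(entries, local_ip)
    return {
        "total": len(entries),
        "inbound": len(groups["inbound"]),
        "outbound": len(groups["outbound"]),
        "inbound_port_sources": inbound_sources_for_port(entries, local_ip, port),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_IPFW_SHOW, "24.49.117.213")
    print(f"{report['inbound']} inbound / {report['outbound']} outbound of {report['total']} entries")
    for src in report["inbound_port_sources"]:
        print(f"remote host {src} opened a connection to local port 80")
```

Three distinct remote hosts opening connections to port 80 on a machine whose owner has not been browsing is the pattern a port-80 scanner leaves behind, and the quoted rule lets it through: `allow tcp from any to any keep-state setup` matches inbound SYNs just as readily as outbound ones. Sorting entries by direction, as above, is the quickest way to tell unsolicited inbound connections from one's own traffic; limiting the stateful rule to outbound setups (ipfw's `out` keyword) keeps unsolicited inbound connections from matching it.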
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010806234045.A340>