ALOT(1000's) of strange IP's on my hitlist??


bruce1271
09-12-2001, 05:11 PM
Hi, I am looking at my access log file and I see a lot of IPs. Only my family knows about my web site, so I find this really strange.

It almost seems like my local subnet is accessing my server on every connection to the net.

Any clue as to what this might be??

Here are a few examples..

09`Sep`3174`03`14`02`ne.mediaone.net (24.128.172.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`03`15`59`unresolved (24.128.13.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`03`21`07`ne.mediaone.net (24.128.221.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`03`23`11`vc.shawcable.net (24.78.145.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`03`27`02`unresolved (24.128.13.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`03`58`02`ne.mediaone.net (24.128.101.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`04`12`20`ne.mediaone.net (24.128.182.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`04`22`26`225-203-24.hull.mc.videotron.ca (24.203.225.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`04`24`27`ne.mediaone.net (24.128.172.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`04`28`43`ne.mediaone.net (24.128.172.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`04`35`13`ne.mediaone.net (24.128.172.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`04`41`53`houston.rr.com (24.242.145.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`04`55`11`sanbruno.ispchannel.com (24.246.10.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`05`04`21`cg.shawcable.net (24.68.221.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`05`17`25`ne.mediaone.net (24.128.205.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`05`25`39`ne.mediaone.net (24.128.221.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`05`27`36`ne.mediaone.net (24.128.205.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`05`43`49`dsl.mindspring.com (165.247.33.xxx)`Code 401 Unauthorized = /`-`Other Agent (Unknown Platform)
09`Sep`3174`05`52`53`ne.mediaone.net (24.128.182.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`06`07`37`ne.mediaone.net (24.128.182.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`06`13`10`unresolved (24.128.13.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`06`18`38`ne.mediaone.net (24.128.185.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`06`31`38`111.234.24.lvcm.com (24.234.111.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`06`34`59`unresolved (24.128.13.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`06`47`00`mntp1.il.home.com (24.183.44.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`06`52`16`ne.mediaone.net (24.128.101.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`06`53`06`unresolved (24.128.13.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`06`59`54`ne.mediaone.net (24.128.185.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`07`08`16`ne.mediaone.net (24.128.182.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`07`14`08`mn.rr.com (24.26.191.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`07`16`56`ne.mediaone.net (24.128.101.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`07`19`13`106-200-24.mtl.mc.videotron.ca (24.200.106.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`07`31`29`unresolved (211.225.221.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`07`32`19`ne.mediaone.net (24.128.182.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`07`52`30`ne.mediaone.net (24.128.182.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`08`15`04`ne.mediaone.net (24.128.205.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`08`56`21`ne.mediaone.net (24.128.205.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`09`06`16`ne.mediaone.net (24.128.236.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`09`24`42`neo.rr.com (24.166.112.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`09`27`58`na.21stcentury.net (24.148.49.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`09`28`25`ne.mediaone.net (24.128.221.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`09`41`18`ne.mediaone.net (24.128.78.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (

element-x
09-12-2001, 05:26 PM
CodeRed. If your web server is a Windows machine you may be vulnerable, but (I've been told this is correct) Linux/BSD/Unix aren't affected, other than by the amount of traffic generated by the requests. So basically a slow-down.

I had somewhere in the range of 10,000 unique CodeRed requests over the month of August. I would have had more, but my ISP began filtering port 80 beginning August 22nd or so.

bruce1271
09-13-2001, 08:51 AM
What exactly is a CodeRed?? How can I stop this?? How are people trying to access my server?? I mean, is it intended or a broadcast over all subnets of my IP?? Any links you know of that can explain this to me?

Thanks

Craig McPherson
09-13-2001, 09:11 AM
Code Red is a worm that's been going around very heavily. It's mostly passed, though. It attacks every computer on the same subnet as the infected machine.

It's an IIS worm. You don't have anything to worry about. But you should try to contact the owners of these infected machines and let them know what's going on -- or log into their machines through the backdoor that Code Red installs and format their hard drives.

Either way, they won't bother you anymore.

bruce1271
09-13-2001, 09:43 AM
Craig,

My server stopped working for ~3 weeks but now it works again (meaning people can see my website over the net; I could see it on my LAN all the time). Is this why?? ATT blocked port 80 because of this?
I am still getting hit today, no problems though??

Thanks

Craig McPherson
09-13-2001, 10:38 AM
AT&T started filtering out port 80 connections onto their network because of Code Red. I'm surprised you haven't heard about it; it was on the front page of most newspapers because the first version of it was coded to ping-flood the White House -- "COMPUTER HACKERS TAKE SEIZE OF THE INTERNET AND DESTROY GOVERNMENT COMPUTER SYSTEMS" (I hate media headlines), that sort of thing.

Although most infected systems have been fixed by now, some (many) still exist. It's subsided enough for AT&T to unblock port 80, but I've heard they might have blocked it again -- I dunno.

All those systems connected to your box are infected with Code Red and are attempting to connect to random systems. If you type the IPs into a web browser, you'll probably find somebody's webpage: if you could notify them that they're infected, you'd probably rack up some karma.
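
An added example, not part of the original thread: a small Python triage script that reads a log in the backtick-delimited layout from the first post and counts, per source address, the `/default.ida` requests that the replies attribute to Code Red. The field layout is inferred from the posted lines, the sample records are constructed (made-up hostnames, documentation address ranges), and the names `parse_line` and `summarize_ida_probes` are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the backtick-delimited layout from the first post.
# Hostnames and addresses are made up (documentation ranges); the last record
# is cut off mid-field and the final line is not a log record at all.
SAMPLE_LOG = """\
09`Sep`3174`03`14`02`host-a.example.net (192.0.2.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`03`15`59`unresolved (198.51.100.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`04`24`27`host-a.example.net (192.0.2.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (Unknown Platform)
09`Sep`3174`05`43`49`dsl.example.org (203.0.113.xxx)`Code 401 Unauthorized = /`-`Other Agent (Unknown Platform)
09`Sep`3174`09`41`18`host-b.example.net (192.0.2.xxx)`Code 401 Unauthorized = /default.ida`-`Other Agent (
not a log line
"""

# Assumed layout: day`month`(opaque)`hh`mm`ss`name (addr)`Code NNN text = path`...
HOST_RE = re.compile(r"^(?P<name>\S+) \((?P<addr>[0-9.x]+)\)$")
REQ_RE = re.compile(r"^Code (?P<status>\d{3}) [^=]*= (?P<path>\S+)$")


def parse_line(line):
    """Return a dict for one record, or None if the line does not fit the layout."""
    parts = line.split("`")
    if len(parts) < 8:
        return None
    host, req = HOST_RE.match(parts[6]), REQ_RE.match(parts[7])
    if not host or not req:
        return None
    day, month, _opaque, hh, mm, ss = parts[:6]
    return {"when": f"{day} {month} {hh}:{mm}:{ss}", "addr": host["addr"],
            "status": int(req["status"]), "path": req["path"]}


def summarize_ida_probes(text, marker="/default.ida"):
    """Count requests for `marker` per source address; tally everything else."""
    sources, first_seen, other, skipped = Counter(), {}, 0, 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif rec["path"].lower().startswith(marker):
            sources[rec["addr"]] += 1
            first_seen.setdefault(rec["addr"], rec["when"])
        else:
            other += 1
    return {"probes": sum(sources.values()), "sources": dict(sources),
            "first_seen": first_seen, "other": other, "skipped": skipped}


if __name__ == "__main__":
    report = summarize_ida_probes(SAMPLE_LOG)
    for addr, hits in sorted(report["sources"].items(), key=lambda kv: -kv[1]):
        print(f"{addr:18} {hits:3} probes, first seen {report['first_seen'][addr]}")
    print(f"other requests: {report['other']}, unparsed lines: {report['skipped']}")
```

Because the posted log masks the last octet, sources that share the first three octets collapse into one key; on an unmasked log the same code counts individual addresses.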