Firewall log decoding help/Code Red/multiple hits...


Old 08-05-01, 02:25 AM
  #1  
DVD Talk Hall of Fame
Thread Starter
 
Join Date: Jan 2000
Location: US
Posts: 9,631
Likes: 0
Received 0 Likes on 0 Posts
Firewall log decoding help

Normally there is very little activity on my cable modem, and as a result on the router log. Today I have seen non-stop activity on the lights for the modem and firewall. Pulling up the log, I see (just a sampling, the log is longer, although the amount of activity has it only holding the past 4 hours or so):
08/04/2001 21:39:16 Unrecognized access from 24.177.35.19:3437 to TCP port 80
08/04/2001 21:39:19 Unrecognized access from 24.177.35.19:3437 to TCP port 80
08/04/2001 21:39:25 Unrecognized access from 24.177.35.19:3437 to TCP port 80
08/04/2001 21:42:08 Unrecognized access from 24.6.206.194:1281 to TCP port 80
08/04/2001 21:42:11 Unrecognized access from 24.6.206.194:1281 to TCP port 80
08/04/2001 21:42:17 Unrecognized access from 24.6.206.194:1281 to TCP port 80
08/04/2001 21:46:16 Unrecognized access from 24.182.66.79:3006 to TCP port 80
08/04/2001 21:46:19 Unrecognized access from 24.182.66.79:3006 to TCP port 80
08/04/2001 21:46:25 Unrecognized access from 24.182.66.79:3006 to TCP port 80
08/04/2001 21:49:09 Unrecognized access from 24.182.163.121:4530 to TCP port 80
08/04/2001 21:49:12 Unrecognized access from 24.182.163.121:4530 to TCP port 80
08/04/2001 21:49:18 Unrecognized access from 24.182.163.121:4530 to TCP port 80
08/04/2001 21:52:01 Unrecognized access from 24.182.46.81:3786 to TCP port 80
08/04/2001 21:52:04 Unrecognized access from 24.182.46.81:3786 to TCP port 80
08/04/2001 21:52:10 Unrecognized access from 24.182.46.81:3786 to TCP port 80
08/04/2001 21:52:38 Unrecognized access from 24.182.197.223:4096 to TCP port 80
08/04/2001 21:52:41 Unrecognized access from 24.182.197.223:4096 to TCP port 80
08/04/2001 21:52:47 Unrecognized access from 24.182.197.223:4096 to TCP port 80
08/04/2001 21:59:30 Unrecognized access from 24.182.109.112:1245 to TCP port 80
08/04/2001 21:59:33 Unrecognized access from 24.182.109.112:1245 to TCP port 80
08/04/2001 21:59:39 Unrecognized access from 24.182.109.112:1245 to TCP port 80
08/04/2001 22:06:52 Unrecognized access from 24.182.106.135:2316 to TCP port 80
08/04/2001 22:06:55 Unrecognized access from 24.182.106.135:2316 to TCP port 80
08/04/2001 22:07:01 Unrecognized access from 24.182.106.135:2316 to TCP port 80
08/04/2001 22:12:08 Unrecognized access from 24.182.109.112:4351 to TCP port 80
08/04/2001 22:12:11 Unrecognized access from 24.182.109.112:4351 to TCP port 80
08/04/2001 22:13:44 Unrecognized access from 24.182.163.121:1388 to TCP port 80
08/04/2001 22:13:47 Unrecognized access from 24.182.163.121:1388 to TCP port 80
08/04/2001 22:13:53 Unrecognized access from 24.182.163.121:1388 to TCP port 80
08/04/2001 22:14:25 Unrecognized access from 24.182.109.112:4603 to TCP port 80
08/04/2001 22:14:28 Unrecognized access from 24.182.109.112:4603 to TCP port 80
08/04/2001 22:15:38 Unrecognized access from 24.169.94.224:4388 to TCP port 80
08/04/2001 22:27:40 Unrecognized access from 212.236.109.67:3895 to TCP port 80
08/04/2001 22:27:43 Unrecognized access from 212.236.109.67:3895 to TCP port 80
08/04/2001 22:58:29 Unrecognized access from 199.217.138.86:4784 to TCP port 80
08/04/2001 22:58:32 Unrecognized access from 199.217.138.86:4784 to TCP port 80
08/05/2001 00:10:34 Unrecognized access from 24.254.60.18:110 to TCP port 36536

I cut and pasted a few spots showing different port activity and IPs. Checking through the IPs, they are almost exclusively @home and Road Runner, from all over the country. Anyone have an idea what this is? Thanks

Dave
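To put numbers on a log like the one above, here is a small parser for that exact line format. It is an added example, not anything from the thread or from the router vendor; the sample lines embedded in it are a subset of the lines quoted in the post. It groups hits into flows (same source IP, source port and destination port), measures the spacing between repeated hits, and flags the pattern of one hit followed by repeats at about 3 s and 6 s, which is a Windows client's default SYN retransmission backoff rather than three separate probes. The classification thresholds (`min_sources`, the "about one connect per source" ratio) are illustrative choices made for this example, not a standard.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Subset of the firewall log lines quoted in the post (same format, unchanged).
SAMPLE_LOG = """\
08/04/2001 21:39:16 Unrecognized access from 24.177.35.19:3437 to TCP port 80
08/04/2001 21:39:19 Unrecognized access from 24.177.35.19:3437 to TCP port 80
08/04/2001 21:39:25 Unrecognized access from 24.177.35.19:3437 to TCP port 80
08/04/2001 21:42:08 Unrecognized access from 24.6.206.194:1281 to TCP port 80
08/04/2001 21:42:11 Unrecognized access from 24.6.206.194:1281 to TCP port 80
08/04/2001 21:42:17 Unrecognized access from 24.6.206.194:1281 to TCP port 80
08/04/2001 22:15:38 Unrecognized access from 24.169.94.224:4388 to TCP port 80
08/05/2001 00:10:34 Unrecognized access from 24.254.60.18:110 to TCP port 36536
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Unrecognized access from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) to (?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)


def parse_log(text):
    """Return (timestamp, src_ip, src_port, proto, dst_port) tuples.
    Lines that do not match the format are skipped instead of aborting the report."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
        entries.append((ts, m["src"], int(m["sport"]), m["proto"], int(m["dport"])))
    return entries


def group_flows(entries):
    """Group hits by (src_ip, src_port, proto, dst_port). Each group is one
    connection attempt plus its retransmissions; timestamps are sorted."""
    flows = defaultdict(list)
    for ts, src, sport, proto, dport in entries:
        flows[(src, sport, proto, dport)].append(ts)
    return {k: sorted(v) for k, v in flows.items()}


def gaps_seconds(timestamps):
    """Whole-second gaps between consecutive hits of one flow."""
    return [int((b - a).total_seconds()) for a, b in zip(timestamps, timestamps[1:])]


def looks_like_syn_retransmit(gaps):
    """True when the spacing matches a SYN retransmission backoff (Windows default:
    resend after ~3 s, then ~6 s), i.e. one blocked connect, not several probes."""
    expected = [3, 6, 12]
    return 1 <= len(gaps) <= 3 and all(abs(g - e) <= 1 for g, e in zip(gaps, expected))


def summarize(entries):
    """Per (proto, dst_port): raw hits, distinct connection attempts, distinct
    source IPs, and how many attempts show the retransmission pattern."""
    report = {}
    for (src, sport, proto, dport), times in group_flows(entries).items():
        r = report.setdefault((proto, dport),
                              {"hits": 0, "attempts": 0, "sources": set(), "retransmit_attempts": 0})
        r["hits"] += len(times)
        r["attempts"] += 1
        r["sources"].add(src)
        if looks_like_syn_retransmit(gaps_seconds(times)):
            r["retransmit_attempts"] += 1
    return report


def classify(report, proto, dport, min_sources=3):
    """Label the activity on one port. Thresholds are illustrative, not a standard."""
    r = report.get((proto, dport))
    if r is None:
        return "no hits"
    n_src = len(r["sources"])
    if n_src >= min_sources and r["attempts"] <= 2 * n_src:
        return "distributed: many hosts, about one connect each"
    if n_src == 1 and r["attempts"] > 5:
        return "repeated attempts from a single host"
    return "sporadic"


def sources_by_prefix(entries, dport, octets=1):
    """Count distinct source IPs hitting dport, keyed by their leading octet(s),
    to show whether the hits cluster in one provider's address block."""
    seen, counts = set(), Counter()
    for _, src, _, _, dp in entries:
        if dp == dport and src not in seen:
            seen.add(src)
            counts[".".join(src.split(".")[:octets])] += 1
    return dict(counts)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    report = summarize(entries)
    for (proto, dport), r in sorted(report.items()):
        print(f"{proto}/{dport}: {r['hits']} hits, {r['attempts']} attempts from "
              f"{len(r['sources'])} sources ({r['retransmit_attempts']} retransmit-shaped); "
              f"{classify(report, proto, dport)}")
    print("port 80 sources by /8:", sources_by_prefix(entries, 80))
```

Run against the full log, the useful output is the ratio of hits to attempts: three near-identical lines per source at +3 s and +6 s are a single blocked SYN and its retransmissions, so a raw "blocks" count overstates distinct connection attempts by roughly a factor of three, and the prefix breakdown makes the "almost all from one provider's block" observation concrete.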
Old 08-05-01, 08:33 AM
  #2  
Member
 
Join Date: Feb 1999
Location: Oklahoma
Posts: 225
Likes: 0
Received 0 Likes on 0 Posts
Dave,

This is so weird that you say this. Last night a friend of mine called and asked if my activity light was on a lot and I told him yes, it is like I am downloading a big file or something. I am on Roadrunner and so is he.
I called our customer service and they could tell me nothing except some other people have called and complained about it. I gave him some of the IP addresses from my firewall log. He said he would have someone check it out. I had my computer on from about 10 in the morning till about 9 last night and had logged over 350 blocks by my firewall. I usually average about 10.
This morning my light is still going crazy. It doesn't seem to make my download speed any slower, so I am not sure what is going on.
Oh and just for reference. I live in Oklahoma City.

Judy
Old 08-05-01, 10:54 AM
  #3  
Member
 
Join Date: Aug 1999
Posts: 83
Likes: 0
Received 0 Likes on 0 Posts
code red

more info here -> Microsoft Security Bulletin MS01-033

you shouldn't worry about it unless you're using Windows 2000 or XP
Old 08-05-01, 11:09 AM
  #4  
Cool New Member
 
Join Date: Jul 2000
Location: Fishers, IN, US
Posts: 23
Likes: 0
Received 0 Likes on 0 Posts
This is Code Red

Since the MS security bulletin isn't being obvious about the problem, as usual, look at some other news sources for info on this one.

Those machines trying to access your IP address on port 80 are all infected with Code Red. If you are running ANY version of a Microsoft web server, whether you're running NT, 2K, or XP, you need to download this patch. I haven't seen any info on whether or not it can infect Personal Web server running on 9X, but since it isn't mentioned in the bulletin, I would assume not.

If you think you might be infected, the first thing you need to do is reboot your web server. That gets the code out of memory. Then apply the patch, and you should be good to go.

I'm on @Home and my firewall is picking up a ton of @Home IPs trying to hit anything listening on port 80. I think a lot of home users didn't realize this would affect them, since the news reports were mainly concentrating on how it was going to "take down the Internet" and infect business web servers without explaining it will infect ANY copy of IIS it can find, no matter what it is running on.

Toni
MCSE (for all the credibility that gives me) :-)
Old 08-05-01, 04:40 PM
  #5  
DVD Talk Hall of Fame
Thread Starter
 
Join Date: Jan 2000
Location: US
Posts: 9,631
Likes: 0
Received 0 Likes on 0 Posts
I didn't really think of Code Red, since as mentioned it is mostly a problem with web servers, and didn't think many users of @home and Road Runner would run that. I haven't really looked much at how Code Red propagates; does it scan only a certain range of IPs that are close to the infected server? It seems a bit strange to be getting hits only from @home and Road Runner. As of now the volume of hits is down quite a bit; the logfile hasn't rolled over since early this morning.

Dave
Old 08-06-01, 02:27 AM
  #6  
Stealth Moderator
 
Join Date: Oct 1999
Location: In Transit, HQ
Posts: 25,038
Received 15 Likes on 8 Posts
Originally posted by Janai
I had my computer on from about 10 in the morning till about 9 last night and had logged over 350 blocks by my firewall. I usually average about 10.
Judy, 350 is a LOT. I hope you get this resolved soon (as in, let us know if you do).

I used to use a software firewall and used to check how many items my firewall blocked. I used to average around 1 per hour. Now that I have a router with a firewall built in, I no longer bother checking the log. Maybe I should? Do I need to?
Old 08-06-01, 07:37 AM
  #7  
Member
 
Join Date: Feb 1999
Location: Oklahoma
Posts: 225
Likes: 0
Received 0 Likes on 0 Posts
I have a friend that works for the local cable company here and I called him. He did work yesterday but is going to try to find out today and call me tonight. He said another friend of his had like 2600 hits on his firewall.
I will post tonight if I find out anything.

Judy
Old 08-06-01, 09:10 PM
  #8  
Member
 
Join Date: Feb 1999
Location: Oklahoma
Posts: 225
Likes: 0
Received 0 Likes on 0 Posts
Ok my friend that works at Cox just came by. He said the server is infected with the SirCam virus. He said Road Runner, AT&T, @home and some other big companies all have it. He said they are working on the problem but the techs don't have an estimated time that it will be fixed.
I will let you all know more if I find out anything.
Old 08-06-01, 11:20 PM
  #9  
Stealth Moderator
 
Join Date: Oct 1999
Location: In Transit, HQ
Posts: 25,038
Received 15 Likes on 8 Posts
Originally posted by Janai
Ok my friend that works at Cox just came by. He said the server is infected with the SirCam virus. He said Road Runner, AT&T, @home and some other big companies all have it.
That pretty much sux. damn_viruses.

On the other hand, it's nice to know that your firewalls are working.
Old 08-07-01, 07:58 AM
  #10  
Member
 
Join Date: Feb 1999
Location: Oklahoma
Posts: 225
Likes: 0
Received 0 Likes on 0 Posts
Ok I just got this email from Road Runner:


ROAD RUNNER ALERT

VIRUS ALERT. YOUR IMMEDIATE ACTION IS REQUIRED.

Dear Road Runner Subscriber:

Road Runner, like many other ISPs and indeed the entire Internet, has
today experienced an attack on its network which is apparently
attributable to the Code Red virus. It is possible that this virus has
infected the PC's of Road Runner's subscribers using the Microsoft
Windows NT or Microsoft Windows 2000 operating systems. Infected PC's
may continue to flood the Internet and Road Runner's network with virus
generated messages (even without your being aware of it).

Road Runner is working to alert all of its subscribers to this problem
and to instruct them on where to find and install the patch necessary to
eliminate the virus. In the meantime, Road Runner subscribers may
experience slow network response, flashing connectivity lights on the
cable modem, and other symptoms (such as unusual port scan log activity
or increased firewall activity) while Road Runner and the Internet
community work to control the impact of this virus.

IF YOUR PC IS RUNNING WINDOWS 2000 OR WINDOWS NT, PLEASE IMMEDIATELY
DOWNLOAD THE CODE RED PATCH FROM MICROSOFT'S WEBSITE
(www.microsoft.com/security) AND RESTART YOUR PC.

IF YOUR PC IS RUNNING WINDOWS 98, WINDOWS 95, OR WINDOWS ME, OR IF YOU
ARE A MACINTOSH USER, NO ACTION IS REQUIRED ON YOUR PART.

We ask for your patience while Road Runner continues to work with the
Internet community to address this virus.

Thank you.

Road Runner Security
Old 08-07-01, 09:40 PM
  #11  
Senior Member
 
Join Date: May 2000
Location: New Jersey
Posts: 399
Likes: 0
Received 0 Likes on 0 Posts
I applaud Road Runner for sending out that email. I wish @Home would send out an email like this so at least some of the people would get the message and give my firewall a break.

Chris
Old 08-07-01, 10:17 PM
  #12  
DVD Talk God
 
Join Date: Feb 2000
Location: Right Behind You!!!
Posts: 79,500
Received 4 Likes on 2 Posts
Zone Alarm has been reporting right around 15 alerts per hour for the past three days for me..

a lot of port scanners working overtime
Old 08-07-01, 10:25 PM
  #13  
DVD Talk Gold Edition
 
Join Date: Jun 1999
Posts: 2,158
Likes: 0
Received 0 Likes on 0 Posts
I have an @Home connection and I'm getting 500 hits a day that I can see before Zone Alarm stops reporting them. Modem lights blink all day and all night. Stupid virus.

I ran a Code Red test that I found on another site and my Win2K computer is not infected. Am I correct in thinking that there isn't anything else that I need to do since I have the firewall blocking it? Hope this shite stops before long....not really affecting me all that much but it's annoying...
Old 08-07-01, 10:42 PM
  #14  
DVD Talk Legend
 
Join Date: May 1999
Posts: 18,688
Received 123 Likes on 89 Posts
Originally posted by twikoff
Zone Alarm has been reporting right around 15 alerts per hour for the past three days for me..

a lot of port scanners working overtime
Me too. Same thing.
Old 08-08-01, 09:51 AM
  #15  
DVD Talk Platinum Edition
 
Join Date: May 2001
Location: In my Home Theater- Foley, AL
Posts: 3,503
Likes: 0
Received 0 Likes on 0 Posts
Jeez... Your post prompted me to check my Zone Alarm log file & there have been 500 hits since 08/06!!!!

what's up?
Old 08-08-01, 11:50 AM
  #16  
DVD Talk Special Edition
 
Join Date: Jun 2001
Location: Richardson, TX
Posts: 1,505
Likes: 0
Received 0 Likes on 0 Posts
my cable modem has been blinking non-stop since a few days ago... even when I unplug my computers and the "PC" light on the modem is off, the "DATA" light still blinks.
