Bugtraq mailing list archives
Re: Re(2): 'Code Red' does not seem to be scanning for IIS
From: "Phillip Reed" <PReed () eviciti com>
Date: Fri, 20 Jul 2001 09:22:24 -0400
Looking at the infected population chart as published on C|Net, I have to say that the dramatic increase looks exactly like the classical "knee" in a exponential growth curve. In fact, the entire curve looks like a standard infection "population vs. time" graph, with the upper end fall-off due to the saturation of the available uninfected population. No nefarious modifications are needed here to explain the sudden surge. For entertainment value, try creating a chart (I used Excel), plotting y=x^9. Then look at the curve. The knee starts around x=20 or 21, and the value takes off from there. No modifications needed.
I can correlate what Kelly reports -- *something* happened between 14-1500
GMT
today to drastically increase the number of 'code red' scans/infections.
I've
been tracking them since Saturday on my IDS. Our class-b address space
appears
to be high up on the worms scanning pattern. For all of 7/18 I recorded
probes
from 8247 unique host IP addresses, presumably compromised with 'code
red'.
Just during the 1900GMT hour today - one hour of logs - I recorded 'code
red'
hits from 115124 different IP addresses. All of these probes are bouncing
off
our firewall. The drastic increase in infections/probes began between
1300-
1400 GMT today and *seemed* to start leveling off around 1600-1700 GMT.
-- Phillip C. Reed Network Administration - Cincinnati Eviciti 1148 Main St., 4th floor Cincinnati, OH 45210 (513) 929-0785 x218 http://www.eviciti.com mailto:preed () eviciti com
Current thread:
- Re: Re(2): 'Code Red' does not seem to be scanning for IIS Phillip Reed (Jul 20)