Bugtraq mailing list archives
Re(2): Re(2): 'Code Red' does not seem to be scanning for IIS
From: Ken Eichman <keichman () cas org>
Date: Fri, 20 Jul 2001 11:57:35 -0400 (EDT)
I can't argue with your statistical analysis but since CNet used my stats for that chart I have to disagree here. If you look at the bigger picture, the rate of growth since this worm was apparently released on 7/13 (chart below), it was more or less a linear growth pattern until approximately the 1400 GMT timeframe on the 19th, and in fact up until then the growth rate appeared to have leveled off.

Daily stats from my IDS of apparent 'code red' scans:

Date    # Worm Probes   # Unique Source Addr's   # Unique Source Addr's
                        Probing (For the Day)    Probing (Cumulative)
-----   -------------   ----------------------   ----------------------
07/13             611                       27                       27
07/14           36273                     1076                     1079
07/15          215020                     3498                     3641
07/16          316828                     6137                     7146
07/17          316359                     7189                    10212
07/18          294345                     8247                    13866
07/19         4080321                   272052                   279911

By the way for today as reported by others, my numbers have dropped off dramatically.
From: "Phillip Reed" <PReed () eviciti com>

Looking at the infected population chart as published on C|Net, I have to say that the dramatic increase looks exactly like the classical "knee" in an exponential growth curve. In fact, the entire curve looks like a standard infection "population vs. time" graph, with the upper end fall-off due to the saturation of the available uninfected population. No nefarious modifications are needed here to explain the sudden surge.

For entertainment value, try creating a chart (I used Excel), plotting y=x^9. Then look at the curve. The knee starts around x=20 or 21, and the value takes off from there. No modifications needed.

I can correlate what Kelly reports -- *something* happened between 14-1500 GMT today to drastically increase the number of 'code red' scans/infections. I've been tracking them since Saturday on my IDS. Our class-b address space appears to be high up on the worm's scanning pattern. For all of 7/18 I recorded probes from 8247 unique host IP addresses, presumably compromised with 'code red'. Just during the 1900GMT hour today - one hour of logs - I recorded 'code red' hits from 115124 different IP addresses. All of these probes are bouncing off our firewall. The drastic increase in infections/probes began between 1300-1400 GMT today and *seemed* to start leveling off around 1600-1700 GMT.

Phillip C. Reed
Network Administration - Cincinnati
Eviciti
1148 Main St., 4th floor
Cincinnati, OH 45210
(513) 929-0785 x218
http://www.eviciti.com
mailto:preed () eviciti com
Ken Eichman                    Senior Security Engineer
Chemical Abstracts Service     Tel: (614) 447-3838 ext 3230
2540 Olentangy River Road      Fax: (614) 447-3855
Columbus, OH 43210             Email: keichman () cas org
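
Added example (not part of the original message): a short Python check of the cumulative column in the table above. It computes the day-over-day increments and ratios, then fits a straight line and an exponential to 07/15 through 07/18 and extrapolates each to 07/19. The fitting window and all function names are assumptions made for this illustration.

```python
import math

# Rows copied from the table in the message:
# (date, worm probes, unique sources that day, cumulative unique sources)
ROWS = [
    ("07/13", 611, 27, 27),
    ("07/14", 36273, 1076, 1079),
    ("07/15", 215020, 3498, 3641),
    ("07/16", 316828, 6137, 7146),
    ("07/17", 316359, 7189, 10212),
    ("07/18", 294345, 8247, 13866),
    ("07/19", 4080321, 272052, 279911),
]

def deltas_and_ratios(rows):
    """Day-over-day increment and growth factor of the cumulative source count."""
    cum = [r[3] for r in rows]
    pairs = list(zip(cum, cum[1:]))
    return [b - a for a, b in pairs], [b / a for a, b in pairs]

def fit_line(ys):
    """Least-squares line through (0, ys[0]), (1, ys[1]), ...: (slope, intercept)."""
    n = len(ys)
    xbar, ybar = (n - 1) / 2, sum(ys) / n
    sxy = sum((x - xbar) * (y - ybar) for x, y in enumerate(ys))
    sxx = sum((x - xbar) ** 2 for x in range(n))
    slope = sxy / sxx
    return slope, ybar - slope * xbar

def extrapolate(rows, first, last):
    """Fit rows[first..last] linearly and exponentially; predict the following day."""
    ys = [r[3] for r in rows[first:last + 1]]
    n = len(ys)
    m, c = fit_line(ys)                          # y = m*x + c
    k, b = fit_line([math.log(y) for y in ys])   # ln y = k*x + b
    return m * n + c, math.exp(k * n + b)

if __name__ == "__main__":
    inc, ratio = deltas_and_ratios(ROWS)
    for (date, *_), d, r in zip(ROWS[1:], inc, ratio):
        print(f"{date}  +{d:>7} new sources  x{r:5.2f}")
    lin, expo = extrapolate(ROWS, 2, 5)          # window 07/15..07/18 (assumed)
    seen = ROWS[6][3]
    print(f"07/19 linear {lin:.0f}, exponential {expo:.0f}, observed {seen}")
```

A constant increment indicates linear growth and a constant ratio indicates exponential growth; the numbers come from a single sensor, so they describe what that IDS saw rather than the worm's total population.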