Security Incidents mailing list archives

A bit of Code Red research


From: "cg" <cg.me () verizon net>
Date: Wed, 1 Aug 2001 20:07:45 -0400

Hi All,
    Ok, first off, this is pretty non-scientific and there are a lot of
caveats. What I did was to take a random sampling of the IP addresses
that were hit by Code Red the first time around, July 19. The IPs were
taken from the site hcity.net/~nomad/.comp-host-list.txt
A little less than 1% of the IPs there were scanned with nmap and CIS to
check to see if anyone was still vulnerable.
Only 5 systems were still vulnerable to the default.ida exploit BUT
there were a ton that are wide open in other respects. Here's how the
numbers break down...


2 of the systems were still defaced by the sysadmin china worm!!
6% are open mail relays
13% have exe's or scripts easily accessible and vulnerable
18% have anonymous ftp enabled
22% gave back a valid username AND password, with either user or administrator rights
24% gave back their anonymous internet username
35% are vulnerable to the .htw info leak
44% give away far too much information, i.e., shares, database tables, usernames without passwords, etc.

How the domains break down...
5% .org
20% .com
21% other (.jp, .br, .kr, etc.)
24% .edu
30% .net


A couple of points.

1. The systems scanned could be honeypots or such.
2. I've known CIS to give back false positives, so each of the above was
   checked manually (with the exception of actually logging in with
   admin/user passwords) before counting.
3. Considering the list that the IPs came from is a list of Code Red
   exploited servers, one can't expect them to be the most hardened
   boxes on the net.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
