Security Incidents mailing list archives

Code Red, anyone?


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Wed, 1 Aug 2001 14:37:49 +1200 (NZST)


On Tue, 31 Jul 2001 19:31:01 -0600 (MDT) Alfred Huger
<ah () securityfocus com> wrote:

> I realize that most of you have taken shelter and are awaiting the
> impending demise of the Internet as we know it. However for those of you
> stalwart bastions of courage who are still manning the ship in the face of
> this clear and present danger, I have a question. Anyone seeing Code Red
> activity yet?
>
> I just took a poll through our sensors in ARIS and see almost no activity
> at least none worth commenting on. Anyone else?

Since 10am local time (2200 UTC) I have been monitoring the number of 
inbound TCP sessions to port 80 that consist of a single SYN (I 
figure the worm should generate lots of these ;-). There was no change 
between morning and the hour after midday and a slight rise between 1 
and 2 pm, but still well within the bounds of statistical error.

Hmmm... I'll analyse the 2.5 hours data since midday:

90   # total unique source IP address
  212.135.14.10. 01 Aug 01 00:10:58 -- 01 Aug 01 01:43:17 # count 3
   24.14.144.90. 01 Aug 01 00:08:09 -- 01 Aug 01 00:34:24 # count 2
 61.144.143.124. 01 Aug 01 01:48:15 -- 01 Aug 01 02:21:34 # count 2
    24.69.55.69. 01 Aug 01 00:50:03 -- 01 Aug 01 02:14:51 # count 2
  145.249.35.45. 01 Aug 01 00:26:47 -- 01 Aug 01 00:28:45 # count 2
   217.89.69.90. 01 Aug 01 02:05:47 -- 01 Aug 01 02:11:13 # count 2

Times are UTC: first packet seen -- last packet seen.  
count is number of local addresses probed.

No real evidence of a resurrection there...

Does anyone know what probe rate to expect on a /16 address space from 
an infected single address? (I know it will vary with bandwidth 
available.)

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
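
The single-SYN tally described in the message above, as an added example that is not part of the original post: it counts, per source address, the distinct local addresses that received a port-80 session consisting of one bare SYN, with first and last time seen. The flow-record layout, the `LOCAL_NET` value and all sample records are constructed assumptions, not data from the message.

```python
# Added example: summarise inbound single-SYN sessions to port 80 per source.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.20.0.0/16")  # assumption: stand-in for the monitored /16

# Constructed flow records: (UTC time, src, dst, dst port, TCP flags seen, packets)
FLOWS = [
    ("2001-08-01 00:08:09", "192.0.2.7", "10.20.1.5", 80, "S", 1),
    ("2001-08-01 00:10:58", "198.51.100.9", "10.20.3.1", 80, "S", 1),
    ("2001-08-01 00:20:00", "203.0.113.4", "10.20.1.5", 80, "SAPF", 12),  # full session
    ("2001-08-01 00:34:24", "192.0.2.7", "10.20.200.17", 80, "S", 1),
    ("2001-08-01 00:40:00", "192.0.2.7", "10.20.200.17", 80, "S", 1),  # repeat target
    ("2001-08-01 01:00:00", "198.51.100.9", "10.20.3.1", 25, "S", 1),  # wrong port
    ("2001-08-01 01:43:17", "192.0.2.7", "10.20.9.9", 80, "S", 1),
]

def is_single_syn(dst, dport, flags, packets):
    """True for an inbound port-80 session that consists of one bare SYN."""
    return (ip_address(dst) in LOCAL_NET and dport == 80
            and flags == "S" and packets == 1)

def summarise(flows):
    """Return [(src, first_seen, last_seen, distinct_local_targets)], busiest first."""
    seen = defaultdict(lambda: {"first": None, "last": None, "dsts": set()})
    for ts, src, dst, dport, flags, packets in flows:
        if not is_single_syn(dst, dport, flags, packets):
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        rec = seen[src]
        rec["first"] = when if rec["first"] is None else min(rec["first"], when)
        rec["last"] = when if rec["last"] is None else max(rec["last"], when)
        rec["dsts"].add(dst)  # a set, so repeated probes of one target count once
    rows = [(s, r["first"], r["last"], len(r["dsts"])) for s, r in seen.items()]
    return sorted(rows, key=lambda row: (-row[3], row[0]))

def report(flows):
    """Format the summary in the same shape as the listing in the message."""
    rows = summarise(flows)
    lines = [f"{len(rows)}   # total unique source IP address"]
    for src, first, last, count in rows:
        lines.append(f"{src:>16} {first:%d %b %y %H:%M:%S} -- "
                     f"{last:%d %b %y %H:%M:%S} # count {count}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(FLOWS))
```

A source whose distinct-target count climbs quickly across the /16 is the pattern a scanning worm would produce; sources with counts of 2 or 3 over hours, as in the listing above, are not.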

