'Code Red' does not seem to be scanning for IIS

[Mike Brockman <phubuh () home se>]

> From what i read about the 'Code Red'-worm, it was supposed to be scanning
for IIS-servers. It obviously is'nt, i believe it tries to infect
everything they find on port 80, or something as simple as that.

About three to four days ago, i started to get those default.ida-GET's in
my Apache-logs. I shut down the server as fast as i could, and checked for
outgoing connections from my computer, and then did some research.
I was told that it was an IIS-worm, and that it could'nt affect
Apache-servers, so i was safe. I turned the server back on, and from that
day i have received forty-one attempts.

How can this be? Why am i getting so few attempts, if it is as eEye says
-- that every worm-instance has the same seed?
I should be getting tons and tons of tries, if the worm has been around
for this long. Or is it that my IP is high up in the "sequence", and not
many comes that far? If that is the case, the number should be increasing
fast in the near future, right?

I'll come back with a report in a week or so.

________________________________
 m'name be mike brockman! jeeh!
_ooh,_und_dunt_feed_my_eskimoes_