Re: Re(2): 'Code Red' does not seem to be scanning for IIS

["Phillip Reed" <PReed () eviciti com>]

Looking at the infected population chart as published on C|Net, I have to
say that the dramatic increase looks exactly like the classical "knee" in a
exponential growth curve. In fact, the entire curve looks like a standard
infection "population vs. time" graph, with the upper end fall-off due to
the saturation of the available uninfected population. No nefarious
modifications are needed here to explain the sudden surge.

For entertainment value, try creating a chart (I used Excel), plotting
y=x^9. Then look at the curve. The knee starts around x=20 or 21, and the
value takes off from there. No modifications needed.


> I can correlate what Kelly reports -- *something* happened between 14-1500
GMT
> today to drastically increase the number of 'code red' scans/infections.
I've
> been tracking them since Saturday on my IDS. Our class-b address space
appears
> to be high up on the worms scanning pattern. For all of 7/18 I recorded
probes
> from 8247 unique host IP addresses, presumably compromised with 'code
red'.
> Just during the 1900GMT hour today - one hour of logs - I recorded 'code
red'
> hits from 115124 different IP addresses. All of these probes are bouncing
off
> our firewall. The drastic increase in infections/probes began between
1300-
> 1400 GMT today and *seemed* to start leveling off around 1600-1700 GMT.
--

Phillip C. Reed
Network Administration - Cincinnati

Eviciti
1148 Main St., 4th floor
Cincinnati, OH 45210
(513) 929-0785 x218
http://www.eviciti.com
mailto:preed () eviciti com