Bugtraq mailing list archives

Re(2): Re(2): 'Code Red' does not seem to be scanning for IIS

From: Ken Eichman <keichman () cas org>
Date: Fri, 20 Jul 2001 11:57:35 -0400 (EDT)

I can't argue with your statistical analysis but since CNet used my
stats for that chart I have to disagree here. If you look at the bigger
picture, the rate of growth since this worm was apparently released on
7/13 (chart below), it was more or less a linear growth pattern until
approximately the 1400 GMT timeframe on the 19th, and in fact up until
then the growth rate appeared to have leveled off. Daily stats from my
IDS of apparent 'code red' scans:

Date     # Worm Probes    # Unique Source Addr's  # Unique Source Addr's
                           Probing (For the Day)   Probing (Cumulative)
-----    -------------    ----------------------  ----------------------
07/13          611                 27                      27
07/14        36273               1076                    1079
07/15       215020               3498                    3641
07/16       316828               6137                    7146
07/17       316359               7189                   10212
07/18       294345               8247                   13866
07/19      4080321             272052                  279911

By the way for today as reported by others, my numbers have dropped off
dramatically.

From: "Phillip Reed" <PReed () eviciti com>
Looking at the infected population chart as published on C|Net, I have to
say that the dramatic increase looks exactly like the classical "knee" in an
exponential growth curve. In fact, the entire curve looks like a standard
infection "population vs. time" graph, with the upper end fall-off due to
the saturation of the available uninfected population. No nefarious
modifications are needed here to explain the sudden surge.

For entertainment value, try creating a chart (I used Excel), plotting
y=x^9. Then look at the curve. The knee starts around x=20 or 21, and the
value takes off from there. No modifications needed.

I can correlate what Kelly reports -- *something* happened between 14-1500 GMT
today to drastically increase the number of 'code red' scans/infections. I've
been tracking them since Saturday on my IDS. Our class B address space appears
to be high up on the worm's scanning pattern. For all of 7/18 I recorded probes
from 8247 unique host IP addresses, presumably compromised with 'code red'.
Just during the 1900 GMT hour today - one hour of logs - I recorded 'code red'
hits from 115124 different IP addresses. All of these probes are bouncing off
our firewall. The drastic increase in infections/probes began between 1300-1400
GMT today and *seemed* to start leveling off around 1600-1700 GMT.

Phillip C. Reed
Network Administration - Cincinnati

Eviciti
1148 Main St., 4th floor
Cincinnati, OH 45210
(513) 929-0785 x218
http://www.eviciti.com
mailto:preed () eviciti com

Ken Eichman                  Senior Security Engineer
Chemical Abstracts Service   Tel:   (614) 447-3838 ext 3230
2540 Olentangy River Road    Fax:   (614) 447-3855
Columbus, OH 43210           Email: keichman () cas org
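The two readings of the C|Net chart above (linear growth with a sudden jump versus the "knee" of an exponential curve) can be checked against the daily IDS counts Ken posted. The following is an added example, written for this archive page and not code from either poster: it embeds the table from the mail and computes the day-over-day growth factor of cumulative unique sources, the average probes per source, and a log-linear fit over a chosen window, which are the quantities one would compare when deciding whether a scan-source count is following an exponential curve.

```python
"""Growth analysis of the Code Red scan-source counts posted in this thread.
Added example for the archive page; the numbers are copied from the mail."""
import math

# (date, worm probes, unique sources that day, cumulative unique sources),
# exactly as posted by Ken Eichman for 07/13 .. 07/19.
DAILY_STATS = [
    ("07/13",     611,     27,     27),
    ("07/14",   36273,   1076,   1079),
    ("07/15",  215020,   3498,   3641),
    ("07/16",  316828,   6137,   7146),
    ("07/17",  316359,   7189,  10212),
    ("07/18",  294345,   8247,  13866),
    ("07/19", 4080321, 272052, 279911),
]


def growth_factors(rows):
    """Ratio of each day's cumulative unique sources to the previous day's.
    Pure exponential growth shows up as a roughly constant ratio above 1;
    a ratio that keeps sliding toward 1 means the growth is slowing."""
    cum = [r[3] for r in rows]
    return [round(cum[i] / cum[i - 1], 2) for i in range(1, len(cum))]


def probes_per_source(rows):
    """Average number of probes seen per distinct source on each day."""
    return [round(r[1] / r[2], 1) for r in rows]


def log_linear_fit(rows, first, last):
    """Least-squares slope of ln(cumulative sources) against day index over
    rows[first:last]. For exponential growth ln(N) is a straight line, so
    exp(slope) is the daily multiplication factor implied by that window."""
    ys = [math.log(r[3]) for r in rows[first:last]]
    xs = list(range(len(ys)))
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sum((x - mx) ** 2 for x in xs)
    return round(math.exp(num / den), 2)


if __name__ == "__main__":
    for (date, _, _, _), factor in zip(DAILY_STATS[1:], growth_factors(DAILY_STATS)):
        print(f"{date}: x{factor} cumulative sources vs. previous day")
    print("probes per source per day:", probes_per_source(DAILY_STATS))
    # Fit 07/14..07/18 only, so the 07/19 jump does not dominate the slope.
    print("implied daily factor 07/14-07/18:", log_linear_fit(DAILY_STATS, 1, 6))
```

Fitting 07/14 through 07/18 separately from 07/19 is deliberate: the last row is more than an order of magnitude above the trend of the preceding days, and a single fit across all seven rows would describe neither period.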
