Security Incidents mailing list archives

RE: CRv2 multiple scans from same source IP

From: Tim Hollebeek <thollebeek () cigital com>
Date: Mon, 6 Aug 2001 16:19:47 -0400

NOW: CodeRedII (this name is easily mistaken with CRv2, so

i would suppose

another name: i stared calling it ida_root since my first

analysis on 5th

aug, 7:34 GMT)
this worm alway only infects one host _once_. it checks for

double infection.

it could generate the same ip address again in it's PRNG

but the chance

this happening is near 0.


you would think it should be near 0, but unless im mistaken 
this should be CR II correct?


Why should it be near zero?

CRII spends half it's time attacking it's own subnet: < 65535 ips.
After only 256 attacks, any infected host has likely already has hit
one machine twice (birthday paradox).  And a typical attacker has 
hundreds of threads running ...

From my logs:


(the first line means one machine has attacked me 88 times, a second
25 times, a third 19 times, two distinct machines have made 18 attacks,
and another two have made 16, ... the duplication rate is quite high
for those of us in "densely vulnerable" subnets)

number of attacks     number of ips
88                              1 X

25                              1 X

19                              1 X
18                              2 XX
17                      0
16                              2 XX
15                      0
14                              1 X
13                              1 X
12                              6 XXXXXX
11                      0
10                              4 XXXX
9                               3 XXX
8                               2 XX
7                               1 X
6                               4 XXXX
5                               6 XXXXXX
4                               8 XXXXXXXX
3                               9 XXXXXXXXX
2                               7 XXXXXXX
1                               8 XXXXXXXX

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: CRv2 multiple scans from same source IP, (continued)
- - Re: CRv2 multiple scans from same source IP Paul Gear (Aug 06)
- Re: CRv2 multiple scans from same source IP Valdis . Kletnieks (Aug 05)
- RE: CRv2 multiple scans from same source IP robh (Aug 05)
- Re: CRv2 multiple scans from same source IP corecode (Aug 06)
  - Re: CRv2 multiple scans from same source IP Lee Smith (Aug 06)
    - RE: CRv2 multiple scans from same source IP Andrew Cruse (Aug 06)
  - Re: CRv2 multiple scans from same source IP Ryan Russell (Aug 06)
    - Re: CRv2 multiple scans from same source IP Andy Berkheimer (Aug 06)
    - Re: CRv2 multiple scans from same source IP corecode (Aug 07)
  - Re: CRv2 multiple scans from same source IP Bryan Andersen (Aug 06)
- RE: CRv2 multiple scans from same source IP Tim Hollebeek (Aug 06)
- RE: CRv2 multiple scans from same source IP corecode (Aug 06)