Security Incidents mailing list archives

Re: Ramen worm scanner and multicast addresses


From: Daniel Martin <dtmartin24 () HOME COM>
Date: Wed, 17 Jan 2001 20:54:32 -0500

slim bones <slim () io com> writes:

> Ramen uses a binary called randb to generate class B nets to scan.  I
> just made it generate 1000 of these, they appear to be reasonably
> scattered... however the first byte of the IP address was never less
> than 13 nor greater than 242.  Between those, addresses are fairly
> evenly dispersed considering the small sample size.  Of 1000 addresses
> about 60 were in the range you identify.  From what I've seen the
> worm would not discriminate against multicast addresses.

For what it's worth, a disassembly of randb shows that the algorithm
used to choose network addresses is equivalent to:
(int)((rand()*230)/(MAXINT+1)) + 13
for the first byte and
(int)((rand()*254)/(MAXINT+1)) + 1
for the second.

In other words, just what you said; uniformly distributed in the first
byte from 13 to 242 and uniform in the second byte from 1 to 255.

Reading Intel floating point assembly always makes me think of Forth,
or PostScript...

> PS a mirror of a defaced web page at JPL -- HTML matches what's in
> the ramen worm index.html...
>
> http://www.attrition.org/mirror/attrition/2001/01/15/uta7400.jpl.nasa.gov/

Shame on JPL, then.  Anything running a website accessible to the
outside world should have someone applying security patches regularly.
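
An added example, not part of the original message and not code from the worm: it evaluates the two expressions quoted above over every generator output, so the resulting byte bounds and the share of targets that fall in multicast space can be compared with sensor data. Assumptions: MAXINT is the generator's maximum output (swept here as 32767), and "the range you identify" means first bytes 224-239; the function names are made up for this sketch.

```c
#include <stdio.h>

/* Scaling as written in the post: (int)((r * span) / (MAXINT + 1)) + base.
 * Done in double because the post describes floating point code. */
static int scale_byte(long r, long rand_max, int span, int base)
{
    return (int)(((double)r * span) / ((double)rand_max + 1.0)) + base;
}

int first_byte(long r, long rand_max)  { return scale_byte(r, rand_max, 230, 13); }
int second_byte(long r, long rand_max) { return scale_byte(r, rand_max, 254, 1); }

/* Sweep every generator output 0..rand_max and count how many
 * first bytes land in [lo, hi]. Exact, no sampling noise. */
long count_first_in(long rand_max, int lo, int hi)
{
    long n = 0;
    for (long r = 0; r <= rand_max; r++) {
        int b = first_byte(r, rand_max);
        if (b >= lo && b <= hi)
            n++;
    }
    return n;
}

int main(void)
{
    const long M = 32767;   /* assumed generator maximum for the sweep */
    long total = M + 1;
    long mcast = count_first_in(M, 224, 239);   /* assumed multicast range */

    printf("first byte:  %d..%d\n", first_byte(0, M), first_byte(M, M));
    printf("second byte: %d..%d\n", second_byte(0, M), second_byte(M, M));
    printf("multicast first bytes: %ld of %ld outputs (%.1f per 1000)\n",
           mcast, total, 1000.0 * mcast / total);
    /* First bytes outside the swept bounds never appear, so a sensor on
     * such a network should see no traffic from this generator. */
    printf("outputs outside 13..242: %ld\n",
           total - count_first_in(M, 13, 242));
    return 0;
}
```

The per-1000 figure it prints is the expected value to set against the "about 60" of 1000 observed in the quoted sample.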

