Security Incidents mailing list archives

RE: Possible CodeRed Connection Attempts


From: Gregory_DeGennaro () csaa com
Date: Fri, 20 Jul 2001 07:55:49 -0700

Dave,

I would say that you are right.  Most of the hits are probably Code Red worm
attack attempts.  At home I do not run a web server and I do not have a
domain; I am still receiving port 80 scans.  I had 20 hits last night alone.

Greg
-----Original Message-----
From: dave.goldsmith () intelsat com [mailto:dave.goldsmith () intelsat com]
Sent: Friday, July 20, 2001 5:42 AM
To: incidents () securityfocus com; focus-ids () securityfocus com
Cc: bugtraq () securityfocus com
Subject: Possible CodeRed Connection Attempts


We have a sniffer located on the network segment behind our Internet router
and in front of the firewall.  The stats below show attempts from Internet
hosts to connect to port 80 on random IP addresses on our class B network.
I have not included any connections to the machines that are running web
servers that are reachable from the Internet.

Because the firewall blocks port 80 connections, except for the designated web
servers, all I have are the initial SYN packets, so I don't know for sure that
all of these packets are being generated by the CodeRed worm. However, I
believe that the vast majority of them are.

The stats are broken down by hour and then include a summary for the day.
I have included all of July 18th as a baseline for what appears to be "normal"
hacking/probing activity.  Starting around 9am on July 19, the numbers start
to skyrocket. The times are EST.

Dave Goldsmith


Day     Hour    Total           Unique
                Connections     Sources
======================================
07/18   00      143             20
07/18   01      148             15
07/18   02      89              15
07/18   03      96              18
07/18   04      144             22
07/18   05      127             16
07/18   06      98              15
07/18   07      111             16
07/18   08      116             15
07/18   09      149             22
07/18   10      143             18
07/18   11      175             24
07/18   12      134             22
07/18   13      146             20
07/18   14      118             21
07/18   15      95              17
07/18   16      133             22
07/18   17      104             17
07/18   18      78              17
07/18   19      76              15
07/18   20      67              15      
07/18   21      85              15
07/18   22      62              12
07/18   23      105             14

Day Total       2742            194

07/19   00      120             17
07/19   01      81              12
07/19   02      62              11
07/19   03      97              20
07/19   04      85              18
07/19   05      128             20
07/19   06      140             20
07/19   07      212             34
07/19   08      645             137
07/19   09      5717            1281
07/19   10      36879           8186
07/19   11      150913          34361
07/19   12      362011          79789
07/19   13      519846          111148  
07/19   14      556220          117946
07/19   15      547087          115193
07/19   16      540009          115983
07/19   17      519810          111290
07/19   18      499565          107106
07/19   19      390019          89331
07/19   20      14541           3493
07/19   21      9733            2233
07/19   22      9093            1882
07/19   23      8539            1672

Day Total       4171552         274041


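The hourly tally in the message above (initial SYNs to port 80, per-hour totals and unique sources, a quiet day used as a baseline, designated web servers excluded) is easy to reproduce from any sniffer that can export one line per packet. The script below is an added example and is not code from the original thread or from either poster; it assumes a CSV export of the form `timestamp,src,dst,dport,tcp_flags` (an assumption, not a format named in the post), uses constructed sample traffic built from RFC 5737 documentation addresses, and flags hours whose SYN count exceeds a multiple of the baseline day's median hour.

```python
"""Hourly count of inbound port-80 SYNs with a baseline comparison.

Added example, not from the original mailing-list post.  Assumed input format
(one packet per line, constructed for this example):
    YYYY-MM-DD HH:MM:SS,src_ip,dst_ip,dst_port,tcp_flags
where tcp_flags is "S" for a bare SYN and "SA" for a SYN/ACK.
"""
import statistics
from collections import defaultdict

# Constructed placeholder: the reachable, designated web servers whose traffic
# is left out of the tally, as the post does.
WEB_SERVERS = frozenset({"198.51.100.80"})


def parse_record(line):
    """Parse one CSV record into a dict; return None for blank or malformed lines."""
    parts = line.strip().split(",")
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    ts, src, dst, dport, flags = parts
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "flags": flags}


def is_initial_syn(rec):
    """Only a bare SYN counts as a connection attempt; SYN/ACK and data segments do not."""
    return rec["flags"] == "S"


def aggregate(lines, dport=80, exclude_dsts=WEB_SERVERS):
    """Per (date, hour): SYN count and the set of distinct source addresses."""
    totals = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None or not is_initial_syn(rec):
            continue
        if rec["dport"] != dport or rec["dst"] in exclude_dsts:
            continue
        date, clock = rec["ts"].split(" ")
        key = (date, int(clock[:2]))
        totals[key] += 1
        sources[key].add(rec["src"])
    return totals, sources


def hourly_syn_stats(lines, dport=80, exclude_dsts=WEB_SERVERS):
    """Return {(date, hour): (total_connections, unique_sources)}."""
    totals, sources = aggregate(lines, dport, exclude_dsts)
    return {key: (totals[key], len(sources[key])) for key in totals}


def daily_summary(lines, date, dport=80, exclude_dsts=WEB_SERVERS):
    """Day total and distinct sources for the day (not the sum of hourly uniques)."""
    totals, sources = aggregate(lines, dport, exclude_dsts)
    day_total = sum(t for (d, _h), t in totals.items() if d == date)
    day_sources = set().union(*(s for (d, _h), s in sources.items() if d == date))
    return day_total, len(day_sources)


def flag_spikes(stats, baseline_date, factor=10):
    """Hours on other days whose SYN count exceeds factor x the baseline day's median hour."""
    baseline = [t for (d, _h), (t, _u) in stats.items() if d == baseline_date]
    if not baseline:
        raise ValueError("no baseline hours found for %s" % baseline_date)
    threshold = factor * statistics.median(baseline)
    return sorted(k for k, (t, _u) in stats.items() if k[0] != baseline_date and t > threshold)


def constructed_records():
    """Constructed capture: a quiet baseline day, then a day with a worm-style surge from 09:00."""
    lines = []
    for hour in range(24):
        for i in range(5):  # a few probes per hour from a small pool of sources
            src = "192.0.2.%d" % ((hour * 5 + i) % 40 + 1)
            lines.append("2001-07-18 %02d:%02d:00,%s,198.51.100.%d,80,S" % (hour, i * 10, src, i + 1))
        lines.append("2001-07-18 %02d:30:00,192.0.2.250,198.51.100.80,80,S" % hour)  # to a web server: excluded
        lines.append("2001-07-18 %02d:31:00,192.0.2.251,198.51.100.9,443,S" % hour)   # not port 80: excluded
        lines.append("2001-07-18 %02d:32:00,198.51.100.9,192.0.2.251,80,SA" % hour)   # a reply, not an attempt
    for hour in range(24):
        n = 5 if hour < 9 else 400  # surge: many distinct sources hitting arbitrary hosts
        for i in range(n):
            src = "203.0.113.%d" % (i % 254 + 1) if hour >= 9 else "192.0.2.%d" % (i + 1)
            lines.append("2001-07-19 %02d:%02d:%02d,%s,198.51.100.%d,80,S"
                         % (hour, i % 60, i // 60, src, i % 70 + 1))
    return lines


if __name__ == "__main__":
    lines = constructed_records()
    stats = hourly_syn_stats(lines)
    print("Day         Hour  Total  Unique")
    for (date, hour), (total, uniq) in sorted(stats.items()):
        print("%s  %02d    %5d  %6d" % (date, hour, total, uniq))
    for date in ("2001-07-18", "2001-07-19"):
        print(date, "day total / unique sources:", daily_summary(lines, date))
    print("spike hours:", flag_spikes(stats, "2001-07-18"))
```

The day-level unique-source count is taken from the union of the hourly sets rather than by adding the hourly figures, which is why a day total can show far fewer sources than the hours sum to; the threshold is a multiple of the baseline median rather than the baseline mean so that one noisy baseline hour does not raise it.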
----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
