nanog mailing list archives

RE: Code Red growth stats


From: Roeland Meyer <rmeyer () mhsc com>
Date: Wed, 1 Aug 2001 23:39:04 -0700


From: Petr Swedock [mailto:petr () ai mit edu]
Sent: Wednesday, August 01, 2001 9:38 PM

 : From: "Steven M. Bellovin" <smb () research att com>
 : Date: Wed, 01 Aug 2001 23:15:50 -0400

 : In message <EA9368A5B1010140ADBF534E4D32C728025AB1 () condor mhsc com>, Roeland Meyer writes:
 : >> From: Steven M. Bellovin [mailto:smb () research att com]
 : >> Sent: Wednesday, August 01, 2001 7:36 PM
 : >
 : >> If it has indeed turned up again, I'm at a loss to explain it.  While
 : >> I'm sure there are some IIS servers on home machines, I doubt there are
 : >> that many.  But I don't have another explanation to offer.
 : >
 : >Are you taking into account that every copy of Win2K comes with IIS? I had
 : >to quickly run around and do upgrades yesterday. I clean forgot about the
 : >workstations. I bet that I'm not the only one either.

I think it is NOT on by default for IIS 4.0 but IS on by default
for IIS 5.0... In any event, we had a machine that was freshly
installed with the very latest W2k on July 18, in the evening. That
machine was worm ridden within 12 hours. The grad student who
installed didn't specifically add IIS and didn't have any reason 
to do so.

I've just been staring at
www.caida.org/analysis/security/code-red/aug1-live-hosts.gif (yeah, I know
... not enough to do). We have a nice little camel here. It occurs to me
that the times coincide with info workers leaving work, eating dinner, and
firing up the workstation at home, in the US. Do we have any location data
on these infected hosts? What would be interesting is, if we have another
tail-off starting at about 0400 (we do) UTC and picking up again about 10-12
hours later. UTC midnight is about 2100 EDT and 1700 PDT. That's when it
starts to pick up again. The second peak corresponds to 0000EDT/0800PDT.

This supposes that the super-majority of Win2K machines are in the US. There
are also a bunch of WinXP beta machines out there. Is XP vulnerable?
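The question above, whether the dip and recovery in the infection curve lines up with a US evening, is the kind of thing a defender can check directly from hourly counts. The following is an added example, not code from the thread or from CAIDA: it takes a constructed hourly series of newly seen infected hosts (UTC), finds the quiet hours, re-indexes the series into several fixed UTC offsets (EDT = UTC-4, CDT = UTC-5, PDT = UTC-7 for August 2001, plus UTC, CEST and JST as controls), and reports which zone's "evening at home" window (17:00-24:00 local) captures the largest share of new infections. The counts, the zone list and the evening window are all assumptions made for the example.

```python
"""Diurnal analysis of an hourly worm-infection series (added example)."""
from typing import Dict, List, Sequence

# Constructed sample: newly seen infected hosts per UTC hour, index 0..23.
# Shaped so activity collapses after ~04:00 UTC and climbs again ~10-12 hours
# later, roughly the curve the thread describes. Not real measurements.
NEW_HOSTS_PER_UTC_HOUR: List[int] = [
    90, 85, 75, 60, 30, 20, 15, 12,   # 00-07 UTC
    13, 14, 16, 18, 20, 22, 25, 30,   # 08-15 UTC
    35, 40, 45, 50, 60, 75, 85, 90,   # 16-23 UTC
]

# Assumed fixed offsets from UTC for early August 2001 (US zones on daylight time).
CANDIDATE_ZONES: Dict[str, int] = {
    "UTC": 0, "EDT": -4, "CDT": -5, "PDT": -7, "CEST": 1, "JST": 9,
}

# Assumed "home evening" window: local hours 17:00 up to (not including) 24:00.
EVENING_START, EVENING_END = 17, 24


def utc_hour_to_local(hour_utc: int, offset_hours: int) -> int:
    """Convert a UTC hour-of-day to local hour-of-day for a fixed offset."""
    return (hour_utc + offset_hours) % 24


def trough_hours(counts: Sequence[int]) -> List[int]:
    """UTC hours at which the fewest new infections were seen (all ties)."""
    low = min(counts)
    return [hour for hour, count in enumerate(counts) if count == low]


def reindex_to_local(counts: Sequence[int], offset_hours: int) -> List[int]:
    """Same series, but indexed by local hour instead of UTC hour."""
    local = [0] * 24
    for hour_utc, count in enumerate(counts):
        local[utc_hour_to_local(hour_utc, offset_hours)] += count
    return local


def evening_share(counts: Sequence[int], offset_hours: int) -> float:
    """Fraction of all new infections first seen in the local evening window."""
    local = reindex_to_local(counts, offset_hours)
    total = sum(local)
    if total == 0:
        return 0.0
    return sum(local[EVENING_START:EVENING_END]) / total


def best_fit_zone(counts: Sequence[int], zones: Dict[str, int]) -> str:
    """Zone whose evening window explains the largest share of new infections."""
    return max(zones, key=lambda name: evening_share(counts, zones[name]))


def report(counts: Sequence[int], zones: Dict[str, int]) -> Dict[str, float]:
    """Evening share per candidate zone, for printing or further comparison."""
    return {name: round(evening_share(counts, off), 3) for name, off in zones.items()}


if __name__ == "__main__":
    quiet = trough_hours(NEW_HOSTS_PER_UTC_HOUR)
    print("quietest UTC hour(s):", quiet)
    for name, off in CANDIDATE_ZONES.items():
        print(f"  {name:4s}: trough at local {utc_hour_to_local(quiet[0], off):02d}:00,"
              f" evening share {evening_share(NEW_HOSTS_PER_UTC_HOUR, off):.3f}")
    print("best-fitting zone:", best_fit_zone(NEW_HOSTS_PER_UTC_HOUR, CANDIDATE_ZONES))
```

With the constructed series the trough falls at 07:00 UTC (03:00 EDT, 00:00 PDT) and the EDT window captures about 55% of new infections against 43% for UTC and 37% for PDT, so the "US East Coast evening" reading fits best. On real data the same comparison needs per-host location (the thread asks exactly for that), since a single offset assumes all hosts sit in one zone; without it, the fit only says which zone the aggregate curve resembles.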

