Re: Re(2): 'Code Red' does not seem to be scanning for IIS

From: Phillip Reed (
Date: 07/20/01

Subject: Re: Re(2): 'Code Red' does not seem to be scanning for IIS
Message-ID: <>
From: "Phillip Reed" <>
Date: Fri, 20 Jul 2001 09:22:24 -0400

Looking at the infected population chart as published on C|Net, I have to
say that the dramatic increase looks exactly like the classical "knee" in a
exponential growth curve. In fact, the entire curve looks like a standard
infection "population vs. time" graph, with the upper end fall-off due to
the saturation of the available uninfected population. No nefarious
modifications are needed here to explain the sudden surge.

For entertainment value, try creating a chart (I used Excel), plotting
y=x^9. Then look at the curve. The knee starts around x=20 or 21, and the
value takes off from there. No modifications needed.

>I can correlate what Kelly reports -- *something* happened between 14-1500
>today to drastically increase the number of 'code red' scans/infections.
>been tracking them since Saturday on my IDS. Our class-b address space
>to be high up on the worms scanning pattern. For all of 7/18 I recorded
>from 8247 unique host IP addresses, presumably compromised with 'code
>Just during the 1900GMT hour today - one hour of logs - I recorded 'code
>hits from 115124 different IP addresses. All of these probes are bouncing
>our firewall. The drastic increase in infections/probes began between
>1400 GMT today and *seemed* to start leveling off around 1600-1700 GMT.


Phillip C. Reed Network Administration - Cincinnati

Eviciti 1148 Main St., 4th floor Cincinnati, OH 45210 (513) 929-0785 x218