Re: Re(2): 'Code Red' does not seem to be scanning for IIS

From: Phillip Reed (PReed@eviciti.com)
Date: 07/20/01


Subject: Re: Re(2): 'Code Red' does not seem to be scanning for IIS
To: bugtraq@securityfocus.com
Message-ID: <OF13C6C0E3.45E49E51-ON85256A8F.00482FCB@eviciti.com>
From: "Phillip Reed" <PReed@eviciti.com>
Date: Fri, 20 Jul 2001 09:22:24 -0400


Looking at the infected population chart as published on C|Net, I have to
say that the dramatic increase looks exactly like the classical "knee" in an
exponential growth curve. In fact, the entire curve looks like a standard
infection "population vs. time" graph, with the upper end fall-off due to
the saturation of the available uninfected population. No nefarious
modifications are needed here to explain the sudden surge.

For entertainment value, try creating a chart (I used Excel), plotting
y=x^9. Then look at the curve. The knee starts around x=20 or 21, and the
value takes off from there. No modifications needed.

>I can correlate what Kelly reports -- *something* happened between 14-1500 GMT
>today to drastically increase the number of 'code red' scans/infections. I've
>been tracking them since Saturday on my IDS. Our class-b address space appears
>to be high up on the worm's scanning pattern. For all of 7/18 I recorded probes
>from 8247 unique host IP addresses, presumably compromised with 'code red'.
>Just during the 1900GMT hour today - one hour of logs - I recorded 'code red'
>hits from 115124 different IP addresses. All of these probes are bouncing off
>our firewall. The drastic increase in infections/probes began between
>1300-1400 GMT today and *seemed* to start leveling off around 1600-1700 GMT.

--

Phillip C. Reed Network Administration - Cincinnati

Eviciti 1148 Main St., 4th floor Cincinnati, OH 45210 (513) 929-0785 x218 http://www.eviciti.com mailto:preed@eviciti.com
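
The saturating "population vs. time" curve discussed in the message above, as an added example that is not part of the original post: a discrete logistic model in which every infected host scans at a constant rate and the only thing that changes is how many uninfected hosts remain. The population size, seed count and per-hour rate are constructed values, not measurements of Code Red.

```python
# Added example: discrete logistic model of a random-scanning worm.
# All parameters are constructed for illustration, not measured Code Red values.

def simulate(population, initial, rate, hours):
    """Infected-host count per hour.

    Each infected host finds new victims at a constant `rate` per hour, but
    only the fraction (1 - I/N) of its hits land on uninfected hosts.
    """
    infected = [float(initial)]
    for _ in range(hours):
        i = infected[-1]
        infected.append(i + rate * i * (1.0 - i / population))
    return infected


def first_hour_at(series, population, fraction):
    """First hour at which the infected share reaches `fraction`, else None."""
    for hour, count in enumerate(series):
        if count >= fraction * population:
            return hour
    return None


def peak_growth_hour(series):
    """Hour whose following hour adds the most newly infected hosts."""
    gains = [b - a for a, b in zip(series, series[1:])]
    return gains.index(max(gains))


N = 100_000  # vulnerable population (constructed)
SERIES = simulate(N, initial=10, rate=0.5, hours=48)

if __name__ == "__main__":
    t10 = first_hour_at(SERIES, N, 0.10)
    t90 = first_hour_at(SERIES, N, 0.90)
    print(f"hours to reach 10% infected: {t10}")
    print(f"hours from 10% to 90%:       {t90 - t10}")
    print(f"steepest hour:               {peak_growth_hour(SERIES)}")
    # Crude text plot: flat start, sharp knee, saturation plateau.
    for hour in range(0, 49, 4):
        bar = "#" * int(60 * SERIES[hour] / N)
        print(f"{hour:2d}h {SERIES[hour]:9.0f} {bar}")
```

With the scan rate held fixed, the climb from 10% to 90% of the population takes fewer hours than the long, nearly invisible run-up to 10%, which is the shape an IDS operator counting unique source addresses per hour would see.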


