Re: Re(2): 'Code Red' does not seem to be scanning for IIS

From: Phillip Reed (PReed@eviciti.com)
Date: 07/20/01


Subject: Re: Re(2): 'Code Red' does not seem to be scanning for IIS
To: bugtraq@securityfocus.com
Message-ID: <OF13C6C0E3.45E49E51-ON85256A8F.00482FCB@eviciti.com>
From: "Phillip Reed" <PReed@eviciti.com>
Date: Fri, 20 Jul 2001 09:22:24 -0400


Looking at the infected population chart as published on C|Net, I have to
say that the dramatic increase looks exactly like the classical "knee" in an
exponential growth curve. In fact, the entire curve looks like a standard
infection "population vs. time" graph, with the upper end fall-off due to
the saturation of the available uninfected population. No nefarious
modifications are needed here to explain the sudden surge.

For entertainment value, try creating a chart (I used Excel), plotting
y=x^9. Then look at the curve. The knee starts around x=20 or 21, and the
value takes off from there. No modifications needed.

>I can correlate what Kelly reports -- *something* happened between 14-1500 GMT
>today to drastically increase the number of 'code red' scans/infections. I've
>been tracking them since Saturday on my IDS. Our class-b address space appears
>to be high up on the worm's scanning pattern. For all of 7/18 I recorded probes
>from 8247 unique host IP addresses, presumably compromised with 'code red'.
>Just during the 1900GMT hour today - one hour of logs - I recorded 'code red'
>hits from 115124 different IP addresses. All of these probes are bouncing off
>our firewall. The drastic increase in infections/probes began between 1300-
>1400 GMT today and *seemed* to start leveling off around 1600-1700 GMT.

--

Phillip C. Reed Network Administration - Cincinnati

Eviciti 1148 Main St., 4th floor Cincinnati, OH 45210 (513) 929-0785 x218 http://www.eviciti.com mailto:preed@eviciti.com
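To make the "knee, then saturation" argument above concrete, here is an added example (it is not part of the original post or the thread) that simulates the simplest model of a random-scanning worm: every infected host infects, on average, a fixed number of still-vulnerable hosts per hour, so growth is exponential while almost everything is uninfected and flattens as the vulnerable pool runs out. The population size, per-hour infection rate and initial count are constructed placeholder values, not measurements of Code Red; the helpers let a defender read off when the scan load seen at a firewall should stop climbing.

```python
"""Discrete-time susceptible/infected (logistic) model of a random-scanning worm.

Constructed, hypothetical parameters: N vulnerable hosts in the scanned address
space, and `beta` = the average number of new vulnerable hosts one infected host
compromises per hour while the pool is still almost entirely uninfected.
"""
from typing import List


def simulate(n_vulnerable: int, beta: float, hours: int, initial: int = 1) -> List[float]:
    """Infected count after each hour; index 0 is the starting population."""
    infected = float(initial)
    series = [infected]
    for _ in range(hours):
        susceptible = n_vulnerable - infected
        # Random scans hit an uninfected, vulnerable host with probability S/N,
        # so the saturation fall-off emerges by itself as S shrinks to zero.
        new = beta * infected * susceptible / n_vulnerable
        infected = min(float(n_vulnerable), infected + new)
        series.append(infected)
    return series


def growth_ratios(series: List[float]) -> List[float]:
    """Hour-over-hour multiplication factor: roughly constant (1 + beta) in the
    exponential phase, falling toward 1.0 once the population saturates."""
    return [series[i + 1] / series[i] for i in range(len(series) - 1) if series[i] > 0]


def knee_hour(series: List[float]) -> int:
    """Hour with the largest absolute jump in infections (the inflection point;
    in the continuous model this is where half the vulnerable hosts are infected)."""
    increments = [series[i + 1] - series[i] for i in range(len(series) - 1)]
    return max(range(len(increments)), key=increments.__getitem__)


def hours_to_reach(series: List[float], count: float) -> int:
    """First hour at which the infected population reaches `count` (-1 if never)."""
    for hour, value in enumerate(series):
        if value >= count:
            return hour
    return -1


if __name__ == "__main__":
    s = simulate(n_vulnerable=100_000, beta=0.5, hours=60)
    for hour in range(0, 61, 5):
        print(f"hour {hour:2d}: {s[hour]:9.0f} infected, ratio {growth_ratios(s)[min(hour, 59)]:.3f}")
    print("knee at hour", knee_hour(s), "; half the pool infected by hour", hours_to_reach(s, 50_000))
```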