[21703] in bugtraq
Re: [BUGTRAQ] Full analysis of the .ida "Code Red" worm.
daemon@ATHENA.MIT.EDU (Tony Langdon)
Fri Jul 20 01:30:03 2001
Message-ID: <B17EB7B34580D311BE38525405DF62324B60C0@atc-mail-db.atctraining.com.au>
From: Tony Langdon <tlangdon@atctraining.com.au>
To: "'Vern Paxson'" <vern@ee.lbl.gov>, Joe Harris <cdi@thewebmasters.net>
Cc: BUGTRAQ <BUGTRAQ@securityfocus.com>
Date: Fri, 20 Jul 2001 11:13:07 +1000

An update. It's now 0100z on July 20. As predicted, the attack rate of the
Code Red worm has fallen to practically zero (and someone's even slipped in
a couple of portscan and named probes for something different...), and
suspicious traffic has fallen to pre-Code Red levels. The drop-off was
sudden and coincident with the rolling over of the UTC date.

Microsoft patches here prevented any local infestation, and I have filtering
rules to prevent the spread of the worm from here, just to be safe.

Somehow, I think things aren't so good at the White House, right now.

Tony Langdon.
Systems Development and Support.
ATC Training Australasia. Level 2 321 Exhibition St Melbourne 3000.
Phone: 1300 13 1983 WWW: http://www.atctraining.com.au

> -----Original Message-----
> From: Vern Paxson [mailto:vern@ee.lbl.gov]
> Sent: Friday, 20 July 2001 9:50
> To: Joe Harris
> Cc: BUGTRAQ
> Subject: Re: [BUGTRAQ] Full analysis of the .ida "Code Red" worm.
>
>
> > So far today, it's been 1.17 million different remote hosts.
>
> Damn, serious methodology error in crunching that. The correct
> figure is (I now believe :-) 293,000.
>
> Vern
>