[21728] in bugtraq
Re: Possible CodeRed Connection Attempts
daemon@ATHENA.MIT.EDU (Ken Eichman)
Fri Jul 20 13:58:47 2001
Date: Fri, 20 Jul 2001 11:12:01 -0400 (EDT)
From: Ken Eichman <keichman@cas.org>
Message-Id: <0107201112.AA7056@cas.org>
In-Reply-To: <490B4C213EC8D211851F00105A29CA5A1100A9B0@admex1.adm.intelsat.int> of Fri, 20 Jul 2001 08:42:13 -0400
To: dave.goldsmith@intelsat.com, incidents@securityfocus.com
To: focus-ids@securityfocus.com, bugtraq@securityfocus.com
> From: dave.goldsmith@intelsat.com
> We have a sniffer located on the network segment behind our Internet router
> and in front of the firewall. The stats below show attempts from Internet
> hosts to connect to port 80 on random IP addresses on our class B network.
> I have not included any connections to the machines that are running web
> servers that are reachable from the Internet.
Dave, Wow! I've got a similar setup and have been tracking these
probes since 7/13. I'm lining our stats up side-by-side for comparison
purposes. Man, they're similar! I have no idea why my class-b was
getting hit more frequently to start with. I'm speculating that my
address space just happened to get hit more by the worm's 'random'
address generator.
Day    Hour        Total    Unique          Total    Unique
             Connections   Sources    Connections   Sources
===========  =====================    =====================
07/19  00            120        17          12699      2450
07/19  01             81        12          13059      2577
07/19  02             62        11          13272      2590
07/19  03             97        20          13056      2564
07/19  04             85        18          13283      2632
07/19  05            128        20          13229      2612
07/19  06            140        20          13554      2601
07/19  07            212        34          13517      2608
07/19  08            645       137          13746      2685
07/19  09           5717      1281          16819      3325
07/19  10          36879      8186          36589      7838
07/19  11         150913     34361         116083     26823
07/19  12         362011     79789         295348     68085
07/19  13         519846    111148         466542    103522
07/19  14         556220    117946         520973    113451
07/19  15         547087    115193         513513    115124
07/19  16         540009    115983         513894     90931
07/19  17         519810    111290         499642    111175
07/19  18         499565    107106         480850    106215
07/19  19         390019     89331         449712     97699
07/19  20          14541      3493          26687      7319
07/19  21           9733      2233           9197      2181
07/19  22           9093      1882           7782      1814
07/19  23           8539      1672           7056      1648
                 =======   =======        =======   =======
Day Total        4171552    274041        4080321    279911
Ken Eichman                  Senior Security Engineer
Chemical Abstracts Service   Tel: (614) 447-3838 ext 3230
2540 Olentangy River Road    Fax: (614) 447-3855
Columbus, OH 43210           Email: keichman@cas.org
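Added example, not part of the original message: a sketch of the hourly tally described in the quoted text (port-80 connection attempts to addresses in the monitored network, excluding the real web servers), run over constructed records. The record format, the 172.16.0.0/16 stand-in network and the web-server address are assumptions. It also shows why the Day Total of unique sources is lower than the sum of the hourly figures: a source seen in several hours is counted once for the day.

```python
import ipaddress
from collections import defaultdict

MONITORED_NET = ipaddress.ip_network("172.16.0.0/16")       # assumed stand-in for the class B
PUBLIC_WEB_SERVERS = {ipaddress.ip_address("172.16.1.10")}  # assumed real web server, excluded

# Constructed records: "MM/DD HH:MM:SS src dst dport" (not data from the post).
SAMPLE = """\
07/19 09:01:12 198.51.100.7 172.16.44.3 80
07/19 09:01:13 198.51.100.7 172.16.200.9 80
07/19 09:02:40 203.0.113.25 172.16.1.10 80
07/19 09:03:05 203.0.113.25 172.16.7.77 80
07/19 09:10:00 192.0.2.50 172.16.9.1 25
07/19 10:00:01 198.51.100.7 172.16.3.3 80
07/19 10:00:02 192.0.2.99 172.16.250.1 80
07/19 10:00:03 192.0.2.99 10.0.0.1 80
truncated line
"""

def parse(line):
    """Return (day, hour, src) for a probe worth counting, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None                      # malformed or truncated record
    day, clock, src, dst, dport = parts
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return None
    # Keep only port-80 attempts to monitored addresses that are not real web servers.
    if dport != "80" or dst_ip not in MONITORED_NET or dst_ip in PUBLIC_WEB_SERVERS:
        return None
    return day, clock[:2], src_ip

def tally(lines):
    """Per-hour and per-day {key: (total connections, unique sources)}."""
    totals, sources = defaultdict(int), defaultdict(set)
    for day, hour, src in filter(None, map(parse, lines)):
        for key in ((day, hour), day):   # hourly bucket and daily bucket
            totals[key] += 1
            sources[key].add(src)        # sets deduplicate within each bucket
    return {k: (totals[k], len(sources[k])) for k in totals}

if __name__ == "__main__":
    for key, (total, unique) in tally(SAMPLE.splitlines()).items():
        print(key, total, unique)
```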