[21732] in bugtraq
Re(2): Re(2): 'Code Red' does not seem to be scanning for IIS
daemon@ATHENA.MIT.EDU (Ken Eichman)
Fri Jul 20 14:14:15 2001
Date: Fri, 20 Jul 2001 11:57:35 -0400 (EDT)
From: Ken Eichman <keichman@cas.org>
Message-Id: <0107201157.AA9026@cas.org>
To: "Phillip Reed" <PReed@eviciti.com>, bugtraq@securityfocus.com
I can't argue with your statistical analysis but since CNet used my
stats for that chart I have to disagree here. If you look at the bigger
picture, the rate of growth since this worm was apparently released on
7/13 (chart below), it was more or less a linear growth pattern until
approximately the 1400 GMT timeframe on the 19th, and in fact up until
then the growth rate appeared to have leveled off. Daily stats from my
IDS of apparent 'code red' scans:
Date # Worm Probes # Unique Source Addr's # Unique Source Addr's
Probing (For the Day) Probing (Cumulative)
----- ------------- ---------------------- ----------------------
07/13 611 27 27
07/14 36273 1076 1079
07/15 215020 3498 3641
07/16 316828 6137 7146
07/17 316359 7189 10212
07/18 294345 8247 13866
07/19 4080321 272052 279911
By the way for today as reported by others, my numbers have dropped off
dramatically.
> From: "Phillip Reed" <PReed@eviciti.com>
> Looking at the infected population chart as published on C|Net, I have to
> say that the dramatic increase looks exactly like the classical "knee" in a
> exponential growth curve. In fact, the entire curve looks like a standard
> infection "population vs. time" graph, with the upper end fall-off due to
> the saturation of the available uninfected population. No nefarious
> modifications are needed here to explain the sudden surge.
>
> For entertainment value, try creating a chart (I used Excel), plotting
> y=x^9. Then look at the curve. The knee starts around x=20 or 21, and the
> value takes off from there. No modifications needed.
>
>>I can correlate what Kelly reports -- *something* happened between 14-1500 GMT
>>today to drastically increase the number of 'code red' scans/infections. I'VE
>>been tracking them since Saturday on my IDS. Our class-b address space appears
>>to be high up on the worms scanning pattern. For all of 7/18 I recorded probes
>>from 8247 unique host IP addresses, presumably compromised with 'code red'
>>Just during the 1900GMT hour today - one hour of logs - I recorded 'code red'
>>hits from 115124 different IP addresses. All of these probes are bouncing off
>>our firewall. The drastic increase in infections/probes began between 1300-
>>1400 GMT today and *seemed* to start leveling off around 1600-1700 GMT.
>
> Phillip C. Reed
> Network Administration - Cincinnati
>
> Eviciti
> 1148 Main St., 4th floor
> Cincinnati, OH 45210
> (513) 929-0785 x218
> http://www.eviciti.com
> mailto:preed@eviciti.com
Ken Eichman Senior Security Engineer
Chemical Abstracts Service Tel: (614) 447-3838 ext 3230
2540 Olentangy River Road Fax: (614) 447-3855
Columbus, OH 43210 Email: keichman@cas.org
