[21750] in bugtraq


Re: [BUGTRAQ] Full analysis of the .ida "Code Red" worm.

daemon@ATHENA.MIT.EDU (Jerome Alet)
Fri Jul 20 18:16:21 2001

Date: Fri, 20 Jul 2001 10:00:42 +0200 (MET DST)
From: Jerome Alet <alet@unice.fr>
To: BUGTRAQ@securityfocus.com
In-Reply-To: <200107200526.RAA29006@fep4-orange.clear.net.nz>
Message-ID: <Pine.LNX.3.96.1010720093618.32276B-100000@cortex.unice.fr>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 20 Jul 2001, Nick FitzGerald wrote:

> No -- it is "constrained" because it has reached the *UTC date* (not 
> time as initially reported) when it is programmed to switch from 
> "spread like crazy" mode to "DoS one of the IPs that was part of 
> www.whitehouse.gov" mode.  In about ten days it will flick back to 
> the "spread like crazy" mode.

I've just done a quick check of my Apache logs. We have something like 20
virtual hosts, each with a different IP address but in the same block, and
while all the others have only received something like 20 attacks, one of
them has received more than 3500, coming from 2150 different hosts.

FYI, I've split attacks by top-level domain, when the IP was resolvable,
and it gives:

net :  447
com :  377
edu :   70
jp  :   65
tw  :   39
de  :   27
fr  :   25
ca  :   25
nl  :   22
es  :   18
uk  :   17
se  :   17
it  :   15
dk  :   15
at  :   12
gr  :   10
cn  :   10
ch  :   10
be  :   10
ru  :    9
us  :    8
no  :    8
fi  :    8
cz  :    8
au  :    8
pl  :    7
org :    7
br  :    5
za  :    3
si  :    3
is  :    3
hu  :    3
hr  :    3
cl  :    3
cc  :    3
arp :    3
ua  :    2
pt  :    2
nz  :    2
nu  :    2
mx  :    2
kr  :    2
ie  :    2
hk  :    2
tr  :    1
th  :    1
sg  :    1
mil :    1
int :    1
il  :    1
bn  :    1
bg  :    1
ar  :    1

The remainder is unresolvable; this was the majority.

Jerome Alet - alet@unice.fr - http://cortex.unice.fr/~jerome
Fac de Medecine de Nice        http://wwwmed.unice.fr 
Tel: (+33) 4 93 37 76 30     Fax: (+33) 4 93 53 15 15
28 Avenue de Valombrose - 06107 NICE Cedex 2 - FRANCE
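
The per-virtual-host and per-TLD tally described in the message above can be reproduced with a short script; this is an added example, not code from the original post. It assumes a vhost-prefixed Apache log format, a client field that holds a hostname when reverse DNS resolved and a bare IP otherwise, and the N-padded /default.ida request as the probe signature; the log lines, host names and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Apache LogFormat "%v %h %l %u %t \"%r\" %>s %b".
# The client field is a hostname when reverse DNS resolved, else the bare IP.
SAMPLE_LOG = """\
www1.example.org host1.isp.example.net - - [19/Jul/2001:14:02:11 +0200] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 205
www1.example.org 192.0.2.17 - - [19/Jul/2001:14:02:15 +0200] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 205
www1.example.org pc7.lab.example.edu - - [19/Jul/2001:14:03:01 +0200] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 205
www1.example.org host1.isp.example.net - - [19/Jul/2001:14:09:40 +0200] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 205
www2.example.org dsl-4.example.de - - [19/Jul/2001:14:05:27 +0200] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 205
www2.example.org 198.51.100.9 - - [19/Jul/2001:14:06:00 +0200] "GET /index.html HTTP/1.0" 200 1043
"""

# vhost, client, ident, user, [time], "method path proto", status, bytes
LINE_RE = re.compile(r'^(\S+) (\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')
# Assumed probe signature: request for /default.ida with an N-padded query string.
PROBE_RE = re.compile(r'^/default\.ida\?N{4,}', re.IGNORECASE)
IPV4_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')

def tld_of(client):
    """Last DNS label, or 'unresolved' when the log only has an IP address."""
    return "unresolved" if IPV4_RE.match(client) else client.rsplit(".", 1)[-1]

def summarize(log_text):
    """Return (probes per vhost, distinct sources per vhost, probes per TLD)."""
    hits, sources, tlds = Counter(), defaultdict(set), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not PROBE_RE.match(m.group(4)):
            continue  # malformed line or ordinary traffic
        vhost, client = m.group(1), m.group(2).lower()
        hits[vhost] += 1
        sources[vhost].add(client)
        tlds[tld_of(client)] += 1
    return hits, {v: len(s) for v, s in sources.items()}, tlds

if __name__ == "__main__":
    hits, distinct, tlds = summarize(SAMPLE_LOG)
    for vhost, n in hits.most_common():
        print(f"{vhost}: {n} probes from {distinct[vhost]} distinct sources")
    for tld, n in tlds.most_common():
        print(f"{tld:<10}: {n:4d}")
```

The TLD count here is per request rather than per distinct source, so a host that probes repeatedly is counted each time.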

