[21770] in bugtraq
Code Red Worm, closing notes
daemon@ATHENA.MIT.EDU (Alfred Huger)
Mon Jul 23 11:52:59 2001
Date: Sun, 22 Jul 2001 19:35:22 -0600 (MDT)
From: Alfred Huger <ah@securityfocus.com>
To: <incidents@securityfocus.com>
Cc: <bugtraq@securityfocus.com>
Message-ID: <Pine.GSO.4.30.0107221911440.15441-100000@mail>
It seems as if the Code Red worm has gone to sleep for now, at least so
far as we can tell. It will be interesting to see what happens when it
re-awakens.
My previous email noted that the ARIS project would be notifying as many
IPs as we could about possible infections of the worm. To that end we
notified against 172,066 unique IPs within 27,640 unique domains. We owe
a special thanks to Vern Paxson of LBL in this regard for supplying a
significant amount of data alongside our own ARIS data.
Some notes of interest:
List of the largest bulk offenders:
923 Level3.net
1159 cnc.net
1251 shawcable.net
1309 att.net
1363 bellatlantic.net
1404 wanadoo.fr
1438 gtei.net
1452 btinternet.com
1705 mindspring.com
1709 swbell.net
1905 bellsouth.net
2358 mediaone.net
2395 uu.net
2496 aol.com
2909 hinet.net
3870 pacbell.net
4148 t-dialin.net
5940 rr.com
As I said earlier, the traffic seems to have dropped off. This is a graph
showing this attack alongside the rest of the Internet noise (in terms of
attacks trending up); the cessation is readily apparent:
http://www1.securityfocus.com/data/staff/trended3.pdf
Cheers,
-al
VP Engineering
SecurityFocus.com
"Vae Victis"