Dave, I would say that you are right. Most of hits are probably Code Red worm attack attempts. At home I do not run a web server and I do not have a domain, I am still receiving port 80 scans. I had 20 hits last night alone. Greg -----Original Message----- From: dave.goldsmithat_private [mailto:dave.goldsmithat_private] Sent: Friday, July 20, 2001 5:42 AM To: incidentsat_private; focus-idsat_private Cc: bugtraqat_private Subject: Possible CodeRed Connection Attempts We have a sniffer located on the network segment behind our Internet router and in front of the firewall. The stats below show attempts from Internet hosts to connect to port 80 on random IP addresses on our class B network. I have not included any connections to the machines that are running web servers that are reachable from the Internet. Because the firewall blocks port 80 connections, except for the deisgnated web servers, all I have are the initial SYN packets so I don't know for sure that all of these packets are being generated by the CodeRed worm. However, I believe that the vast majority of them are. The stats are broken down by hour and then included a summary for the day. I have included all of July 18th as a baseline for what appears to be "normal" hacking/probing activity. Starting around 9am on July 19, the numbers start to skyrocket. The times are EST. Dave Goldsmith Day Hour Total Unique Connections Sources ============================== 07/18 00 143 20 07/18 01 148 15 07/18 02 89 15 07/18 03 96 18 07/18 04 144 22 07/18 05 127 16 07/18 06 98 15 07/18 07 111 16 07/18 08 116 15 07/18 09 149 22 07/18 10 143 18 07/18 11 175 24 07/18 12 134 22 07/18 13 146 20 07/18 14 118 21 07/18 15 95 17 07/18 16 133 22 07/18 17 104 17 07/18 18 78 17 07/18 19 76 15 07/18 20 67 15 07/18 21 85 15 07/18 22 62 12 07/18 23 105 14 Day Total 2742 194 07/19 00 120 17 07/19 01 81 12 07/19 02 62 11 07/19 03 97 20 07/19 04 85 18 07/19 05 128 20 07/19 06 140 20 07/19 07 212 34 07/19 08 645 137 07/19 09 5717 1281 07/19 10 36879 8186 07/19 11 150913 34361 07/19 12 362011 79789 07/19 13 519846 111148 07/19 14 556220 117946 07/19 15 547087 115193 07/19 16 540009 115983 07/19 17 519810 111290 07/19 18 499565 107106 07/19 19 390019 89331 07/19 20 14541 3493 07/19 21 9733 2233 07/19 22 9093 1882 07/19 23 8539 1672 Day Total 4171552 274041 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 09:56:37 PDT