Re: Possible CodeRed Connection Attempts

From: Ken Eichman (keichmanat_private)
Date: Fri Jul 20 2001 - 08:12:01 PDT


    > From: dave.goldsmithat_private
    > We have a sniffer located on the network segment behind our Internet router
    > and in front of the firewall.  The stats below show attempts from Internet
    > hosts to connect to port 80 on random IP addresses on our class B network.
    > I have not included any connections to the machines that are running web
    > servers that are reachable from the Internet.
    
    Dave, Wow! I've got a similar setup and have been tracking these
    probes since 7/13. I'm lining our stats up side-by-side for comparison
    purposes. Man they're similar! I have no idea why my class-b was
    getting hit more frequently to start with. I'm speculating that my
    address space just happened to get hit more by the worm's 'random'
    address generator.
    
    Day     Hour    Total           Unique          Total           Unique
                    Connections     Sources         Connections     Sources
    ============    ========================        ========================
    07/19   00      120             17              12699           2450
    07/19   01      81              12              13059           2577
    07/19   02      62              11              13272           2590
    07/19   03      97              20              13056           2564
    07/19   04      85              18              13283           2632
    07/19   05      128             20              13229           2612
    07/19   06      140             20              13554           2601
    07/19   07      212             34              13517           2608
    07/19   08      645             137             13746           2685
    07/19   09      5717            1281            16819           3325
    07/19   10      36879           8186            36589           7838
    07/19   11      150913          34361           116083          26823
    07/19   12      362011          79789           295348          68085
    07/19   13      519846          111148          466542          103522
    07/19   14      556220          117946          520973          113451
    07/19   15      547087          115193          513513          115124
    07/19   16      540009          115983          513894          90931
    07/19   17      519810          111290          499642          111175
    07/19   18      499565          107106          480850          106215
    07/19   19      390019          89331           449712          97699
    07/19   20      14541           3493            26687           7319
    07/19   21      9733            2233            9197            2181
    07/19   22      9093            1882            7782            1814
    07/19   23      8539            1672            7056            1648
                    =======         =======         =======         =======
    Day Total       4171552         274041          4080321         279911
    
    
    Ken Eichman                  Senior Security Engineer
    Chemical Abstracts Service   Tel:   (614) 447-3838 ext 3230
    2540 Olentangy River Road    Fax:   (614) 447-3855
    Columbus, OH 43210           Email: keichmanat_private
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 10:01:00 PDT
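
Added example, not part of the original message or of either poster's tooling: one way to produce the kind of tally shown in the table, counting port-80 connection attempts to monitored addresses that are not real web servers, per hour and per day. The network range, web-server list, log format and surge factor are assumptions and the log lines are constructed; the day-level count shows why the "Day Total" unique-source figure is smaller than the sum of the hourly ones (a source seen in several hours counts once for the day).

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed for illustration (not values from the thread).
MONITORED_NET = ipaddress.ip_network("172.16.0.0/16")   # stand-in class B
WEB_SERVERS = {ipaddress.ip_address("172.16.1.10")}     # real, reachable web server

# Constructed sample: "timestamp src dst dport", one connection attempt per line.
SAMPLE_LOG = """\
2001-07-19T08:05:00 192.0.2.7 172.16.44.9 80
2001-07-19T08:40:00 192.0.2.7 172.16.1.10 80
2001-07-19T09:01:00 192.0.2.7 172.16.200.3 80
2001-07-19T09:02:00 198.51.100.4 172.16.13.77 80
2001-07-19T09:03:00 198.51.100.4 172.16.13.78 80
2001-07-19T09:04:00 203.0.113.9 172.16.90.1 80
2001-07-19T09:05:00 203.0.113.9 172.16.90.1 25
2001-07-19T09:06:00 203.0.113.9 10.1.1.1 80
not a record
"""

def _summarize(buckets):
    # bucket -> (total connections, unique sources)
    return {k: (len(v), len(set(v))) for k, v in sorted(buckets.items())}

def tally(lines):
    """Return (hourly, daily) dicts keyed by (day, hour) and by day."""
    hour_src, day_src = defaultdict(list), defaultdict(list)
    for line in lines:
        try:
            ts, src, dst, dport = line.split()
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:  # malformed or truncated record: skip it
            continue
        # Keep only port-80 attempts to monitored addresses that are not web servers.
        if dport != 80 or dst_ip not in MONITORED_NET or dst_ip in WEB_SERVERS:
            continue
        day = when.strftime("%m/%d")
        hour_src[(day, when.hour)].append(src_ip)
        day_src[day].append(src_ip)
    return _summarize(hour_src), _summarize(day_src)

def surges(hourly, factor=3):
    """Hours whose total is at least `factor` times the previous listed hour."""
    keys = list(hourly)
    return [b for a, b in zip(keys, keys[1:]) if hourly[b][0] >= factor * hourly[a][0]]
```
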