Code Red, anyone?

From: Russell Fulton (r.fultonat_private)
Date: Tue Jul 31 2001 - 19:37:49 PDT


    On Tue, 31 Jul 2001 19:31:01 -0600 (MDT) Alfred Huger 
    <ahat_private> wrote:
    
    > 
    > 
    > I realize that most of you have taken shelter and are awaiting the
    > impending demise of the Internet as we know it. However for those of you
    > stalwart bastions of courage who are still manning the ship in the face of
    > this clear and present danger, I have a question. Anyone seeing Code Red
    > activity yet?
    > 
    > I just took a poll through our sensors in ARIS and see almost no activity
    > at least none worth commenting on. Anyone else?
    
    Since 10am local time (2200 UTC) I have been monitoring the number of 
    inbound tcp sessions to port 80 that consist of a single SYN (I 
    figure the worm should generate lots of these ;-). There was no change 
    between morning and the hour after midday and a slight rise between 1 
    and 2 pm, but still well within the bounds of statistical error.
    
    Hmmm... I'll analyse the 2.5 hours data since midday:
    
    90   # total unique source IP address
      212.135.14.10. 01 Aug 01 00:10:58 -- 01 Aug 01 01:43:17 # count 3
       24.14.144.90. 01 Aug 01 00:08:09 -- 01 Aug 01 00:34:24 # count 2
     61.144.143.124. 01 Aug 01 01:48:15 -- 01 Aug 01 02:21:34 # count 2
        24.69.55.69. 01 Aug 01 00:50:03 -- 01 Aug 01 02:14:51 # count 2
      145.249.35.45. 01 Aug 01 00:26:47 -- 01 Aug 01 00:28:45 # count 2
       217.89.69.90. 01 Aug 01 02:05:47 -- 01 Aug 01 02:11:13 # count 2
    
    Times are UTC: first packet seen -- last packet seen.  
    count is number of local addresses probed.
    
    No real evidence of a resurrection there...
    
    Does anyone know what probe rate to expect on a /16 address space from 
    an infected single address? (I know it will vary with bandwidth 
    available).
    
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
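The tally Russell describes (single-SYN inbound connections to port 80, grouped by source, with first/last seen and the number of distinct local addresses probed) is easy to reproduce from a flow or sniffer log. The script below is an added example, not code from the original post or from ARIS; it assumes a constructed log format of "UTC timestamp src dst" per unanswered SYN, uses 10.0.0.0/16 as a stand-in for the monitored /16 and RFC 5737 documentation addresses as sources, and adds a per-source SYN rate so a site can compare what it sees against whatever baseline it has for a single scanning host.

```python
from datetime import datetime

# Constructed sample log (not data from the original post): one line per inbound
# TCP SYN to port 80 that was never followed by a completed handshake.
# Format: "YYYY-MM-DD HH:MM:SS src_ip dst_ip", timestamps in UTC.
# 10.0.0.0/16 stands in for the monitored local /16; sources are taken from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2001-08-01 00:10:58 192.0.2.10 10.0.1.5
2001-08-01 00:55:12 192.0.2.10 10.0.7.9
2001-08-01 01:43:17 192.0.2.10 10.0.12.3
2001-08-01 00:08:09 198.51.100.4 10.0.3.3
2001-08-01 00:34:24 198.51.100.4 10.0.3.3
2001-08-01 00:26:47 203.0.113.45 10.0.44.2
2001-08-01 00:28:45 203.0.113.45 10.0.44.7
2001-08-01 01:02:00 203.0.113.7 10.0.9.1
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Return a list of (timestamp, src, dst) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, src, dst = line.split()
        records.append((datetime.strptime(f"{date} {clock}", TS_FMT), src, dst))
    return records


def summarize(records):
    """Per source: first/last packet seen, SYN count and the set of local targets."""
    summary = {}
    for ts, src, dst in records:
        entry = summary.setdefault(
            src, {"first": ts, "last": ts, "syns": 0, "targets": set()}
        )
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["syns"] += 1
        entry["targets"].add(dst)
    return summary


def probes_per_hour(entry):
    """SYN rate over the source's own first..last window; one packet has no rate."""
    seconds = (entry["last"] - entry["first"]).total_seconds()
    if seconds == 0:
        return None
    return entry["syns"] / (seconds / 3600.0)


def scanners(summary, min_targets=2):
    """Sources that touched at least min_targets distinct local addresses.

    A host that retries the same local address is not scanning; a host that
    walks several addresses is the pattern worth a closer look.
    """
    hits = [(src, e) for src, e in summary.items() if len(e["targets"]) >= min_targets]
    hits.sort(key=lambda kv: (-len(kv[1]["targets"]), kv[0]))
    return [src for src, _ in hits]


def format_report(summary):
    """Render the same layout as the post: total sources, then one line per source."""
    lines = [f"{len(summary):<4} # total unique source IP address"]
    ordered = sorted(summary.items(), key=lambda kv: (-len(kv[1]["targets"]), kv[0]))
    for src, e in ordered:
        first = e["first"].strftime("%d %b %y %H:%M:%S")
        last = e["last"].strftime("%d %b %y %H:%M:%S")
        lines.append(f"{src:>16}. {first} -- {last} # count {len(e['targets'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    summ = summarize(parse_log(SAMPLE_LOG))
    print(format_report(summ))
    print("Times are UTC: first packet seen -- last packet seen.")
    print("count is number of local addresses probed.")
    for src in scanners(summ):
        rate = probes_per_hour(summ[src])
        print(f"{src}: {rate:.1f} SYN/hour" if rate else f"{src}: single packet")
```

Feeding it a real log means replacing SAMPLE_LOG with whatever your sensor emits for unanswered SYNs; the per-hour figure is deliberately computed over each source's own observation window, so a host seen once gives no rate rather than a misleading one.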
    


