CodeRed Traffic Stats

From: dave.goldsmithat_private
Date: Wed Aug 01 2001 - 12:38:04 PDT

    Included is updated information on probable CodeRed activity seen at my
    site. 
    
    The data used for this analysis comes from a Shadow IDS sensor located in
    front of the firewall.  As such, all that is seen are the initial SYN
    packets. The middle series of columns shows how many scans were seen during
    the hour and how many unique sources those scans came from as well as the
    ratio between the current and previous hour.
    
    The series of columns to the right shows what I learned about the system
    that the probe came from. I'm using nmap to see if there is a host that
    responds at the supposed source address.  If so, I then use wget to get
    information about what web server (or other software) is running on port 80.
    Systems that do not respond and RFC 1918 source addresses are lumped
    together under 'No response'. Virtually all of the IIS systems that have
    probed my site are running IIS 5.0.
    
    Assumptions:
    Traffic coming from systems running IIS4/5 probably comes from systems
    infected with CodeRed.
    Non-IIS web server source addresses may be spoofed.
    Non-web server source addresses are probably spoofed.
    No response source addresses are probably spoofed.
    
    Due to hardware problems, I have incomplete data for the 0900 EST hour
    today.
    
    Up until about 0800 EST this morning, traffic seemed to be increasing by
    about 75% each hour. Since then, the hourly increase appears to be
    shrinking. 
    
    Dave Goldsmith
                     ||  Probes         Sources        ||  IIS    Other   Non-    No
    Date  Hour       ||  Total   Growth Total   Growth ||  Srvr   Web     Web     Response
          (EST)      ||                                ||         Srvr    Srvr
    =================++================================++=================================
    0731  2000       ||  92      ----   17      ----   ||  8      1       3       5
    0731  2100       ||  74      0.80   20      1.18   ||  13     0       2       5
    0731  2200       ||  154     2.08   45      2.25   ||  25     0       8       12
    0731  2300       ||  239     1.55   73      1.62   ||  26     1       19      27
    0801  0000       ||  345     1.44   97      1.33   ||  34     0       17      46
    0801  0100       ||  693     2.01   183     1.89   ||  78     2       47      56
    0801  0200       ||  1139    1.64   324     1.77   ||
    0801  0300       ||  2463    2.16   644     1.99   ||
    0801  0400       ||  4271    1.73   1112    1.73   ||
    0801  0500       ||  7327    1.72   1950    1.75   ||
    0801  0600       ||  13088   1.79   3415    1.75   ||
    0801  0700       ||  22787   1.74   5897    1.73   ||
    0801  0800       ||  38556   1.69   9868    1.67   ||
    0801  0900       ||  15005   ----   4598    ----   ||
    0801  1000       ||  101859  ----   25893   ----   ||
    0801  1100       ||  145874  1.43   36691   1.42   ||
    0801  1200       ||  186622  1.28   46174   1.26   ||
    0801  1300       ||  214739  1.15   52786   1.14   ||
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
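As an added example (not part of Dave's post or of any tool he names), the two steps his write-up describes in code: bucketing a probe source into the four right-hand columns, and computing the hourly growth ratios with the same "----" rule for the first hour and for the incomplete 0900 hour. It assumes the classification inputs are an nmap host-up result and the HTTP Server header that wget returned; the sample rows are copied from the table above.

```python
import ipaddress
from typing import Optional

# Constructed sample rows (date, hour EST, probes, unique sources) copied from
# the table in the post; the 0900 hour is the one flagged as incomplete.
HOURLY = [
    ("0731", "2000", 92, 17), ("0731", "2100", 74, 20), ("0731", "2200", 154, 45),
    ("0801", "0800", 38556, 9868), ("0801", "0900", 15005, 4598),
    ("0801", "1000", 101859, 25893), ("0801", "1100", 145874, 36691),
]
INCOMPLETE = {("0801", "0900")}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_source(addr: str, host_up: bool, server_header: Optional[str]) -> str:
    """Bucket a probe source the way the post's right-hand columns do.
    host_up is the (assumed) nmap result; server_header is the HTTP Server:
    value wget got from port 80, or None if nothing answered there."""
    if any(ipaddress.ip_address(addr) in net for net in RFC1918):
        return "No response"        # RFC 1918 sources are lumped in here
    if not host_up:
        return "No response"        # nothing answers at the supposed source
    if server_header is None:
        return "Non-Web Srvr"       # host is up but port 80 serves nothing
    if "iis" in server_header.lower():
        return "IIS Srvr"           # e.g. "Microsoft-IIS/5.0": probably infected
    return "Other Web Srvr"         # a web server, but the source may be spoofed

def growth(cur: int, prev: int) -> Optional[float]:
    """Hour-over-hour ratio, rounded as in the post's Growth columns."""
    return round(cur / prev, 2) if prev else None

def growth_rows(hourly, incomplete):
    """Return (date, hour, probes, probe growth, sources, source growth) rows.
    Growth is None (printed as ----) for the first hour, for an incomplete
    hour, and for the hour after it, whose baseline would be the bad count."""
    rows, prev = [], None       # prev = counts of the last usable hour
    for date, hour, probes, sources in hourly:
        if (date, hour) in incomplete or prev is None:
            pg = sg = None
        else:
            pg, sg = growth(probes, prev[0]), growth(sources, prev[1])
        rows.append((date, hour, probes, pg, sources, sg))
        prev = None if (date, hour) in incomplete else (probes, sources)
    return rows

if __name__ == "__main__":
    fmt = lambda g: "----" if g is None else f"{g:.2f}"
    for d, h, p, pg, s, sg in growth_rows(HOURLY, INCOMPLETE):
        print(f"{d} {h} || {p:<7}{fmt(pg):<6} {s:<7}{fmt(sg)}")
```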
    



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 14:17:01 PDT