Included is updated information on probable CodeRed activity seen at my site.

The data used for this analysis comes from a Shadow IDS sensor located in front of the firewall. As such, all that is seen are the initial SYN packets. The middle series of columns shows how many scans were seen during the hour and how many unique sources those scans came from, as well as the ratio between the current and previous hour. The series of columns to the right shows what I learned about the system that the probe came from. I'm using nmap to see if there is a host that responds at the supposed source address. If so, I then use wget to get information about what web server (or other software) is running on port 80. Systems that do not respond and RFC 1918 source addresses are lumped together under 'No response'. Virtually all of the IIS systems that have probed my site are running IIS 5.0.

Assumptions:
- Traffic coming from systems running IIS4/5 are probably infected with CodeRed.
- Non-IIS web server source addresses may be spoofed.
- Non-web server source addresses are probably spoofed.
- No response source addresses are probably spoofed.

Due to hardware problems, I have incomplete data for the 0900 EST hour today. Up until about 0800 EST this morning, traffic seemed to be increasing by about 75% each hour. Since then, the hourly increase appears to be shrinking.
Dave Goldsmith

             ||  Probes          | Sources          ||       Other  Non-
Date  Hour   ||   Total  Growth  |   Total  Growth  ||   IIS   Web   Web       No
      (EST)  ||                  |                  ||  Srvr  Srvr  Srvr Response
=============++==================+==================++===========================
0731  2000   ||      92    ----  |      17    ----  ||     8     1     3        5
0731  2100   ||      74    0.80  |      20    1.18  ||    13     0     2        5
0731  2200   ||     154    2.08  |      45    2.25  ||    25     0     8       12
0731  2300   ||     239    1.55  |      73    1.62  ||    26     1    19       27
0801  0000   ||     345    1.44  |      97    1.33  ||    34     0    17       46
0801  0100   ||     693    2.01  |     183    1.89  ||    78     2    47       56
0801  0200   ||    1139    1.64  |     324    1.77  ||
0801  0300   ||    2463    2.16  |     644    1.99  ||
0801  0400   ||    4271    1.73  |    1112    1.73  ||
0801  0500   ||    7327    1.72  |    1950    1.75  ||
0801  0600   ||   13088    1.79  |    3415    1.75  ||
0801  0700   ||   22787    1.74  |    5897    1.73  ||
0801  0800   ||   38556    1.69  |    9868    1.67  ||
0801  0900   ||   15005    ----  |    4598    ----  ||
0801  1000   ||  101859    ----  |   25893    ----  ||
0801  1100   ||  145874    1.43  |   36691    1.42  ||
0801  1200   ||  186622    1.28  |   46174    1.26  ||
0801  1300   ||  214739    1.15  |   52786    1.14  ||

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
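The hourly roll-up described in the post (probes per hour, unique sources, the current/previous-hour ratio, and the IIS / other web / non-web / no-response split, with RFC 1918 sources lumped under "No response"), as an added example that is not part of the original message. The log format (one line per inbound SYN: timestamp, source address, destination port) and the banner map are assumptions: the post collects the banner data with nmap and wget against each source, whereas here a constructed dict of source address to HTTP Server header stands in for that step, and all addresses and headers are made-up sample values. Hours following a gap in the data get no ratio, matching the "----" entries in the post's table.

```python
"""Hourly summary of inbound SYNs to port 80 in the style of the post's table.
Added example, not from the original post. The log line format and the
banner map are assumptions (constructed sample data); the post gathers the
banners with nmap and wget instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample sensor lines (documentation-range addresses, not real data).
SAMPLE_LOG = """\
2001-08-01T00:05:12 203.0.113.7 80
2001-08-01T00:17:40 198.51.100.22 80
2001-08-01T00:30:00 198.51.100.22 443
2001-08-01T00:43:03 203.0.113.7 80
2001-08-01T01:02:55 192.168.1.9 80
2001-08-01T01:09:31 203.0.113.7 80
2001-08-01T01:15:00 198.51.100.22 80
2001-08-01T01:20:18 203.0.113.88 80
2001-08-01T01:25:44 198.51.100.5 80
2001-08-01T01:50:02 198.51.100.5 80
2001-08-01T01:58:59 203.0.113.88 80
2001-08-01T03:10:00 203.0.113.7 80
"""

# Constructed stand-in for the nmap/wget results: Server header per source.
# None = no host answered; "" = host answered but nothing on port 80.
SAMPLE_BANNERS = {
    "203.0.113.7": "Microsoft-IIS/5.0",
    "198.51.100.22": "Apache/1.3.19",
    "203.0.113.88": None,
    "198.51.100.5": "",
}

# RFC 1918 only: ipaddress's is_private also matches the documentation
# ranges used above, which would misclassify the sample sources.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLASSES = ("IIS Srvr", "Other Web Srvr", "Non-Web Srvr", "No response")


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(src, banners):
    """Bucket a source as the post does; unreachable hosts and RFC 1918
    addresses are lumped under "No response"."""
    if is_rfc1918(src):
        return "No response"
    banner = banners.get(src)
    if banner is None:
        return "No response"
    if banner == "":
        return "Non-Web Srvr"
    if banner.startswith("Microsoft-IIS/"):
        return "IIS Srvr"
    return "Other Web Srvr"


def parse_log(text):
    """Return (timestamp, source) pairs for SYNs to port 80; other ports are dropped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        if port == "80":
            events.append((datetime.fromisoformat(ts), src))
    return events


def hourly_summary(events, banners):
    """Per-hour probe count, unique sources, current/previous ratios and class
    counts. Ratios are None for the first hour and after a gap in the data."""
    by_hour = defaultdict(list)
    for ts, src in events:
        by_hour[ts.replace(minute=0, second=0, microsecond=0)].append(src)
    rows, prev = [], None
    for hour in sorted(by_hour):
        srcs = by_hour[hour]
        uniq = set(srcs)
        counts = dict.fromkeys(CLASSES, 0)
        for s in uniq:
            counts[classify(s, banners)] += 1
        consecutive = prev is not None and hour - prev["dt"] == timedelta(hours=1)
        row = {
            "dt": hour,
            "hour": hour.strftime("%m%d %H%M"),
            "probes": len(srcs),
            "sources": len(uniq),
            "probe_growth": round(len(srcs) / prev["probes"], 2) if consecutive else None,
            "source_growth": round(len(uniq) / prev["sources"], 2) if consecutive else None,
            **counts,
        }
        rows.append(row)
        prev = row
    return rows


def render(rows):
    """Plain-text table roughly in the post's layout; missing ratios print as ----."""
    fmt = "{:<10} {:>7} {:>6}  {:>7} {:>6}  " + " ".join("{:>14}" for _ in CLASSES)
    lines = [fmt.format("Hour", "Probes", "Growth", "Sources", "Growth", *CLASSES)]
    for r in rows:
        g = ["----" if r[k] is None else f"{r[k]:.2f}" for k in ("probe_growth", "source_growth")]
        lines.append(fmt.format(r["hour"], r["probes"], g[0], r["sources"], g[1], *(r[c] for c in CLASSES)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(hourly_summary(parse_log(SAMPLE_LOG), SAMPLE_BANNERS)))
```

The class counts are taken over unique sources per hour rather than over probes, which is how the post's right-hand columns read (the source totals for the first rows match the sum of the four classes). Port filtering is done in the parser so that a sensor log covering other services does not inflate the port 80 counts.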
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 14:17:01 PDT