Hi All,

Ok, first off, this is pretty non-scientific and there are a lot of caveats.

What I did was to take a random sampling of the IP addresses that were hit by Code Red the first time around, July 19. The IPs were taken from the site hcity.net/~nomad/.comp-host-list.txt

A little less than 1% of the IPs there were scanned with nmap and CIS to check to see if anyone was still vulnerable. Only 5 systems were still vulnerable to the default.ida exploit BUT there were a ton that are wide open in other respects.

Here's how the numbers break down...

2 of the systems were still defaced by the sysadmen china worm!!
6% are open mail relays
13% have exe's or scripts easily accessible and vulnerable
18% have anonymous ftp enabled
22% gave back a valid username AND password, with either user or administrator rights
24% gave back their anonymous internet username
35% are vulnerable to the .htw info leak
44% give away far too much information, ie, shares, database tables, usernames without passwords etc.

How the domains break down..

5% .org
20% .com
21% other (.jp, .br, .kr, etc)
24% .edu
30% .net

A couple of points.

1. The systems scanned could be honeypots or such.
2. I've known CIS to give back false positives, so each of the above was checked manually (with the exception of actually logging in with admin/user passwords) before counting.
3. Considering the list that the IPs came from is a list of Code Red-exploited servers, one can't expect them to be the most hardened boxes on the net.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 18:35:14 PDT