[Dshield] Code Red Host Scans (and more) (and stats)

Patrick Oonk patrick at pine.nl
Sat Aug 4 20:19:11 GMT 2001

> I've spotted probes from all over: France, parts of Asia, Taiwan, 
> Japan, and an *awful* lot of probes from speakeasy.net (my provider, 
> so I'm talking to them about it.) I'm getting probes for this "new" 
> version from networks that never tried to connect via the "old" 
> version.
> Today may get ugly, folks. It may get *really* ugly.
> Beginning about five hours ago, I've detected 97 probes of the "new" variety:

I've added the second strain to my stats, and at 
16:00 GMT+2 I saw a HUGE increase in scans.
Numbers jumped from 800/h to 1400/h.

Stats at http://www.security.nl/misc/codered-stats/

Tomorrow I will add maps showing geographical dispersion
of Code Red. An example is at 

The data I used is captured from our /19 using urlsnarf.

 Patrick Oonk - PO1-6BONE - E: patrick at pine.nl - www.pine.nl/~patrick
 Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonk at my.security.nl
 T: +31-70-3111010  -   F: +31-70-3111011   -  http://security.nl
 PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
 Excuse of the day: your keyboard's space bar is generating
 spurious keycodes.
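
Added example, not part of the original post or the author's stats scripts: one way to turn urlsnarf output into per-hour probe counts split by strain, and to list sources seen only with the "new" variety. It assumes the two strains are told apart by the padding character in the `/default.ida` query (a run of `N` for the first, `X` for the second), which is widely documented but not stated in this post; the function names, the 8-character threshold and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the Common Log Format that urlsnarf prints.
# Addresses are documentation ranges; padding runs are shortened.
SAMPLE = """\
192.0.2.10 - - [04/Aug/2001:15:12:44 +0200] "GET http://198.51.100.7/default.ida?NNNNNNNNNNNN HTTP/1.0" - - "-" "-"
203.0.113.5 - - [04/Aug/2001:15:48:02 +0200] "GET http://198.51.100.7/default.ida?XXXXXXXXXXXX HTTP/1.0" - - "-" "-"
203.0.113.60 - - [04/Aug/2001:16:03:10 +0200] "GET http://198.51.100.8/default.ida?XXXXXXXXXXXX HTTP/1.0" - - "-" "-"
203.0.113.5 - - [04/Aug/2001:16:20:31 +0200] "GET http://198.51.100.9/default.ida?XXXXXXXXXXXX HTTP/1.0" - - "-" "-"
192.0.2.77 - - [04/Aug/2001:16:41:09 +0200] "GET http://198.51.100.7/index.html HTTP/1.0" - - "-" "-"
192.0.2.10 - - [04/Aug/2001:16:55:40 +0200] "GET http://198.51.100.9/DEFAULT.IDA?XXXXXXXXXXXX HTTP/1.0" - - "-" "-"
203.0.113.9 - - [04/Aug/2001:16:5
"""

# source, timestamp, method, URL from one CLF line
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*"')
# Path is matched case-insensitively; the padding character is not.
PROBE = re.compile(r'(?i:/default\.ida)\?(N{8,}|X{8,})')

def classify(url):
    """Return 'old', 'new', or None for a request that is not a probe."""
    m = PROBE.search(url)
    if not m:
        return None
    return "old" if m.group(1)[0] == "N" else "new"

def hourly_counts(lines):
    """Count probes per (hour, strain) and collect source addresses per strain."""
    counts = Counter()
    sources = {"old": set(), "new": set()}
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # truncated or malformed capture line
        src, stamp, _method, url = m.groups()
        strain = classify(url)
        if strain is None:
            continue
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        counts[(ts.strftime("%Y-%m-%d %H:00"), strain)] += 1
        sources[strain].add(src)
    return counts, sources

if __name__ == "__main__":
    counts, sources = hourly_counts(SAMPLE.splitlines())
    for (hour, strain), n in sorted(counts.items()):
        print(hour, strain, n)
    print("new-only sources:", sorted(sources["new"] - sources["old"]))
```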
