[Dshield] CodeRed Difference with 'new' XXX variant

ALEPH0 aleph0 at pacbell.net
Sun Aug 5 03:23:37 GMT 2001

I am seeing the same leading hitter on my other server that is in the 63.206
net.  Like the other, it shows a weighting over the second octet (206).  I
think it is random with that sort of weighting.  Hosts outside 63 are
showing up in the log too.  Might be the seeders or they might be
statistically admissible as the weighting is on all octets.  [First octet
(63) strongly weighted, second (206) a little more weakly weighted, third
perhaps free or very loose, fourth is probably free.]  Another possibility
is it is performing random walks/crawls about the net.  That would account
easily for the high local distribution of hits.

      <snip> -- lots more 63.x.y.z, most being 63.206.y.z.

-----Original Message-----
From: ALEPH0 [mailto:aleph0 at pacbell.net]
Sent: Saturday, August 04, 2001 8:06 PM
To: dshield at dshield.org
Subject: RE: [Dshield] CodeRed Difference with 'new' XXX variant

Not too many hits yet.  But here's the profile by number of hits.  Maybe was the vector.

  count source-address
  ----- --------------

More information about the list mailing list