[Dshield] CodeRed Difference with 'new' XXX variant

ALEPH0 aleph0 at pacbell.net
Sun Aug 5 03:23:37 GMT 2001


I am seeing the same leading hitter on my other server that is in the 63.206
net.  Like the other, it shows a weighting over the second octet (206).  I
think it is random with that sort of weighting.  Hosts outside 63 are
showing up in the log too.  Might be the seeders or they might be
statistically admissible as the weighting is on all octets.  [First octet
(63) strongly weighted, second (206) a little more weakly weighted, third
perhaps free or very loose, fourth is probably free.]  Another possibility
is it is performing random walks/crawls about the net.  That would account
easily for the high local distribution of hits.

     16 63.206.192.250
      9 63.206.117.140
      4 63.206.105.250
      <snip> -- lots more 63.x.y.z, most being 63.206.y.z.
      1 217.5.79.102
      1 203.248.127.132

-----Original Message-----
From: ALEPH0 [mailto:aleph0 at pacbell.net]
Sent: Saturday, August 04, 2001 8:06 PM
To: dshield at dshield.org
Subject: RE: [Dshield] CodeRed Difference with 'new' XXX variant


<snip>
Not too many hits yet.  But here's the profile by number of hits.  Maybe
63.206.192.250 was the vector.
<snip>

  count source-address
  ----- --------------
     40 63.206.192.250
     30 63.206.30.58
     <snip>
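
Added example, not part of the original posts: one way to put a number on the octet weighting described above is to measure what share of hits match the sensor's own address in their first 1, 2, 3 and 4 octets. The sensor address `63.206.0.1` is an assumption (the post gives only "63.206"), the function names are hypothetical, and the sample holds just the rows listed in the first message.

```python
from ipaddress import IPv4Address

# Rows in the "count address" form used in the post (sort | uniq -c style).
# Only the rows listed in the post; the <snip>ped rows are not reproduced.
SAMPLE = """\
     16 63.206.192.250
      9 63.206.117.140
      4 63.206.105.250
      <snip> -- lots more 63.x.y.z, most being 63.206.y.z.
      1 217.5.79.102
      1 203.248.127.132
"""

SENSOR = "63.206.0.1"  # assumption: the post only says the server is in 63.206


def parse_counts(text):
    """Return [(count, IPv4Address)], skipping lines that are not 'count address'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        try:
            rows.append((int(parts[0]), IPv4Address(parts[1])))
        except ValueError:
            continue  # second field was not an IPv4 address
    return rows


def shared_octets(a, b):
    """Number of leading octets two addresses have in common (0..4)."""
    n = 0
    for x, y in zip(a.packed, b.packed):
        if x != y:
            break
        n += 1
    return n


def locality_profile(rows, sensor):
    """Share of hits whose first k octets equal the sensor's, for k = 1..4."""
    sensor = IPv4Address(sensor)
    total = sum(c for c, _ in rows)
    if total == 0:
        return {k: 0.0 for k in range(1, 5)}
    return {k: sum(c for c, ip in rows if shared_octets(ip, sensor) >= k) / total
            for k in range(1, 5)}


if __name__ == "__main__":
    for k, share in locality_profile(parse_counts(SAMPLE), SENSOR).items():
        print(f"first {k} octet(s) match: {share:.1%} (uniform scan: {256.0 ** -k:.6%})")
```

A uniformly random scanner would match the first octet in about 0.39% of hits and the first two in about 0.0015%, so shares far above those figures indicate the kind of weighting discussed in the thread.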



