[Dshield] I've got a question about code red...

Scott Fendley scottf at uark.edu
Mon Aug 13 03:35:36 GMT 2001

I have a question for you on this one.  of those that have attacked more
then say 25 times,  How many of them are within the same /16 as you.  How
many are in the same /8 as you.  I would venture a guess that most all of
those are.  If I remember correctly, the CodeRed II virus has affinity for
those in the same network on the class B or Class A level.  This is my
best guess to what you are seeing, but I could be wrong on this.

Scott Fendley
University of Arkanas

On Mon, 13 Aug 2001, Sean Graham wrote:

> Hello all, I have a question.
> I wrote a crazy program that does real-time stats of the Code Red (and 
> related) attacks on my W2K IIS server, and I've noticed that there are more 
> than 30 people who have attacked more than 50 times.  In fact, out of 1557 
> unique machines that have attacked me, 1282 have attacked once, 135 
> attacked twice, (a bunch more inbetween), 3 have attacked 74 times, and 
> there are people who have attacked 75, 76, 78, 87, 91 and 97 times.  None 
> of these mentioned (above 70 attacks) are in my subnet.
> So my question is this:  why would there be the vast majority of machines 
> attacking <= 2 times (91%) and yet some machines, not even in my subnet, 
> have attacked more than 75 times EACH...?  Doesn't this seem a little odd?
> I realize that IP spoofing could be used, and that would reduce the 
> recurrances, but it was my understanding that the main virus wasn't that 
> smart, and just used a RNG with a 12.5% chance of going outside it's class 
> A domain, so... something doesn't add up here.
> check it out if you'd like:
> http://www.ohmygodmyarmfelloff.com/iisstart.asp
> thanks
> -- Sean
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www1.dshield.org/mailman/listinfo/dshield

More information about the list mailing list