[Dshield] I've got a question about code red...
seangra at yahoo.com
Mon Aug 13 04:53:13 GMT 2001
You are correct, as my next message indicated (but apparently didn't get
posted yet) I had a bug in my program that pulled out the IP addresses.
But still, why have some in my subnet attacked > 80 times, while others
only a few? And the timings aren't consistent either... There's batches
with a lot of attacks/3 hour period, then others with none (well, computers
can be on and off)... just seems weird... Wondering if there's some other
strains out there that we don't know about (it's altogether possible...)
At 10:35 PM 8/12/2001 -0500, Scott Fendley wrote:
>I have a question for you on this one. Of those that have attacked more
>than say 25 times, how many of them are within the same /16 as you? How
>many are in the same /8 as you? I would venture a guess that most all of
>those are. If I remember correctly, the CodeRed II virus has affinity for
>those in the same network on the Class B or Class A level. This is my
>best guess to what you are seeing, but I could be wrong on this.
>University of Arkansas
>On Mon, 13 Aug 2001, Sean Graham wrote:
> > Hello all, I have a question.
> > I wrote a crazy program that does real-time stats of the Code Red (and
> > related) attacks on my W2K IIS server, and I've noticed that there are
> > than 30 people who have attacked more than 50 times. In fact, out of 1557
> > unique machines that have attacked me, 1282 have attacked once, 135
> > attacked twice, (a bunch more in between), 3 have attacked 74 times, and
> > there are people who have attacked 75, 76, 78, 87, 91 and 97 times. None
> > of these mentioned (above 70 attacks) are in my subnet.
> > So my question is this: why would there be the vast majority of machines
> > attacking <= 2 times (91%) and yet some machines, not even in my subnet,
> > have attacked more than 75 times EACH...? Doesn't this seem a little odd?
> > I realize that IP spoofing could be used, and that would reduce the
> > recurrences, but it was my understanding that the main virus wasn't that
> > smart, and just used a RNG with a 12.5% chance of going outside its class
> > A domain, so... something doesn't add up here.
> > check it out if you'd like:
> > http://www.ohmygodmyarmfelloff.com/iisstart.asp
> > thanks
> > -- Sean
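The check Scott asks for (how many of the sources with more than 25 hits share the server's /16 or /8) can be run directly over the per-source counts. The following is an added example, not code from either poster: the log layout, the server address, the sample sources and the `/default.ida` marker (the path Code Red requests probe, which the thread does not name) are assumptions.

```python
import ipaddress
from collections import Counter

SERVER_IP = "198.51.100.10"  # constructed stand-in for the IIS server's address

# Constructed sample (reserved address ranges): (source IP, number of worm requests).
SAMPLE = [("198.51.100.77", 30), ("198.18.0.5", 26), ("198.18.7.1", 2),
          ("203.0.113.9", 1), ("192.0.2.44", 40)]
# Assumed simplified log layout: "date time source-ip uri-stem", one request per line.
SAMPLE_LOG = "\n".join(
    f"2001-08-12 00:00:{i:02d} {ip} /default.ida" for ip, n in SAMPLE for i in range(n)
) + "\n2001-08-12 00:01:00 203.0.113.9 /index.html"  # ordinary request, ignored


def hits_per_source(log_text, marker="/default.ida"):
    """Count requests per source IP whose path contains the worm's probe path."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or marker not in fields[3]:
            continue
        try:
            counts[ipaddress.IPv4Address(fields[2])] += 1
        except ipaddress.AddressValueError:
            continue  # malformed source address, skip the line
    return counts


def locality(src, server):
    """Return which of the server's networks the source shares: /16, /8 or neither."""
    for prefix, label in ((16, "same /16"), (8, "same /8")):
        if src in ipaddress.ip_network(f"{server}/{prefix}", strict=False):
            return label
    return "elsewhere"


def summarize(counts, server=SERVER_IP, threshold=25):
    """Per bucket: [unique sources, total hits, sources with more than threshold hits]."""
    server = ipaddress.IPv4Address(server)
    summary = {}
    for src, hits in counts.items():
        row = summary.setdefault(locality(src, server), [0, 0, 0])
        row[0] += 1
        row[1] += hits
        row[2] += int(hits > threshold)
    return summary


if __name__ == "__main__":
    for bucket, row in sorted(summarize(hits_per_source(SAMPLE_LOG)).items()):
        print(bucket, dict(zip(("sources", "hits", "repeaters"), row)))
```

If the heavy repeaters land mostly in the "elsewhere" bucket, local-network affinity alone does not explain them.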