[Dshield] I've got a question about code red...

Sean Graham seangra at yahoo.com
Mon Aug 13 04:53:13 GMT 2001


You are correct; as my next message indicated (but apparently didn't get 
posted yet), I had a bug in my program that pulled out the IP addresses 
backwards =)

But still, why have some in my subnet attacked > 80 times, while others 
only a few?  And the timings aren't consistent either... There are batches 
with a lot of attacks per 3-hour period, then others with none (well, computers 
can be on and off)... just seems weird...  Wondering if there are some other 
strains out there that we don't know about (it's altogether possible...)

-- Sean

At 10:35 PM 8/12/2001 -0500, Scott Fendley wrote:
>I have a question for you on this one.  Of those that have attacked more
>than, say, 25 times, how many of them are within the same /16 as you?  How
>many are in the same /8 as you?  I would venture a guess that most all of
>those are.  If I remember correctly, the CodeRed II virus has affinity for
>those in the same network on the class B or class A level.  This is my
>best guess to what you are seeing, but I could be wrong on this.
>
>Scott Fendley
>University of Arkansas
>
>On Mon, 13 Aug 2001, Sean Graham wrote:
>
> > Hello all, I have a question.
> >
> > I wrote a crazy program that does real-time stats of the Code Red (and
> > related) attacks on my W2K IIS server, and I've noticed that there are more
> > than 30 people who have attacked more than 50 times.  In fact, out of 1557
> > unique machines that have attacked me, 1282 have attacked once, 135
> > attacked twice, (a bunch more in between), 3 have attacked 74 times, and
> > there are people who have attacked 75, 76, 78, 87, 91 and 97 times.  None
> > of these mentioned (above 70 attacks) are in my subnet.
> >
> > So my question is this:  why would there be the vast majority of machines
> > attacking <= 2 times (91%) and yet some machines, not even in my subnet,
> > have attacked more than 75 times EACH...?  Doesn't this seem a little odd?
> >
> > I realize that IP spoofing could be used, and that would reduce the
> > recurrences, but it was my understanding that the main virus wasn't that
> > smart, and just used a RNG with a 12.5% chance of going outside its class
> > A domain, so... something doesn't add up here.
> >
> > check it out if you'd like:
> >
> > http://www.ohmygodmyarmfelloff.com/iisstart.asp
> >
> > thanks
> >
> > -- Sean
> >
> >


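The two checks the thread is circling, the per-source attempt histogram (how many sources hit once, twice, 74 times) and Scott's /8 and /16 locality question for the heavy hitters, are easy to run over an IIS W3C log. The script below is an added example, not Sean's program or anything from the list; the log lines, the server address 192.0.2.1 and the `.ida` URI signature used to pick out worm probes are constructed or assumed for the demonstration, and the counts it produces are for the sample only.

```python
"""Count worm probe attempts per source IP in IIS W3C-style log lines,
build the attempts histogram, and classify heavy hitters by whether they
share the server's /16, its /8 only, or neither.

Added example for the thread; the log lines and addresses are constructed
(TEST-NET and RFC 1918 ranges), not real scanning sources."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed W3C extended log excerpt (IIS writes a '#Fields:' directive
# line; only a subset of the usual fields is shown).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-08-12 10:01:02 192.0.2.10 GET /default.ida 404
2001-08-12 10:01:05 198.51.100.7 GET /default.ida 404
2001-08-12 10:02:11 192.0.2.10 GET /default.ida 404
2001-08-12 10:03:00 192.0.2.10 GET /default.ida 404
2001-08-12 10:03:30 203.0.113.9 GET /index.html 200
2001-08-12 10:04:40 192.168.5.5 GET /default.ida 404
2001-08-12 10:04:41 192.168.5.5 GET /default.ida 404
2001-08-12 10:05:00 198.51.100.7 GET /default.ida 404
"""


def parse_log(text):
    """Return (client_ip, uri) pairs for each data line; skip '#' directives."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue  # truncated line, ignore rather than crash the report
        records.append((fields[2], fields[4]))
    return records


def count_probes(records, signature=".ida"):
    """Count requests per source IP whose URI carries the probe signature."""
    counts = Counter()
    for ip, uri in records:
        if signature in uri:
            counts[ip] += 1
    return counts


def attempt_histogram(counts):
    """Map 'number of attempts' -> 'number of distinct sources'."""
    return Counter(counts.values())


def locality_report(counts, my_ip, threshold):
    """For sources with >= threshold attempts, bucket them by address locality
    relative to my_ip: same /16, same /8 but different /16, or elsewhere."""
    me = ip_address(my_ip)
    same16 = ip_network(f"{me}/16", strict=False)
    same8 = ip_network(f"{me}/8", strict=False)
    report = {"same_16": 0, "same_8_only": 0, "other": 0}
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ip_address(ip)
        if addr in same16:
            report["same_16"] += 1
        elif addr in same8:
            report["same_8_only"] += 1
        else:
            report["other"] += 1
    return report


if __name__ == "__main__":
    probes = count_probes(parse_log(SAMPLE_LOG))
    for attempts, sources in sorted(attempt_histogram(probes).items()):
        print(f"{sources} source(s) attacked {attempts} time(s)")
    # Assumed server address; replace with the real one when run on your logs.
    print(locality_report(probes, "192.0.2.1", threshold=2))
```

Run against a real log, raise `threshold` to the 25 Scott suggests and compare the `same_8_only` and `same_16` buckets with `other`: a strong skew toward the first two is what local-subnet affinity would look like, while a flat spread points at sources that are simply hammering the same address repeatedly.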



