Code Red growth stats

• Previous message (by thread): Code Red growth stats
• Next message (by thread): Code Red growth stats
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wednesday, August 1, 2001, at 10:35 , Steven M. Bellovin wrote:
> If it has indeed turned up again, I'm at a loss to explain it.  While
> I'm sure there are some IIS servers on home machines, I doubt there are
> that many.  But I don't have another explanation to offer.

I monitored a couple web servers for probes today... out of a good 20 or 
so probes, only 1 looked like a legitimate server.  I don't have the 
data here to do a complete analysis, but the single largest group of 
infected machines were behind ADSL.  Cable and dialup (!) were also 
well-represented.

It looks like a lot of servers got patched (given an equal number of 
average servers and average home connections, I'd expect more probes 
from the servers due to home connections usually having crippled 
upstreams), but now we're down mostly home machines, which much of the 
press coverage said were not a problem.

I also noticed probes dropped off suddenly after about 4:30pm EDT (2030 
GMT).  It went from about 5 per hour to one the rest of the evening.  
Gratuitous arping dropped off about that time as well.

These observations are only valid to about 8pm or so... got bored and 
went home.  -rt

• Previous message (by thread): Code Red growth stats
• Next message (by thread): Code Red growth stats
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]