North American Network Operators Group

RE: Code Red growth stats

  • From: Roeland Meyer
  • Date: Thu Aug 02 02:36:56 2001

> From: Petr Swedock [mailto:[email protected]]
> Sent: Wednesday, August 01, 2001 9:38 PM

>  : From: "Steven M. Bellovin" <[email protected]>
>  : Date: Wed, 01 Aug 2001 23:15:50 -0400

>  : In message <[email protected]>, Roeland Meyer writes:
>  : >> From: Steven M. Bellovin [mailto:[email protected]]
>  : >> Sent: Wednesday, August 01, 2001 7:36 PM
>  : >
>  : >> If it has indeed turned up again, I'm at a loss to explain it.  While
>  : >> I'm sure there are some IIS servers on home machines, I doubt there are
>  : >> that many.  But I don't have another explanation to offer.
>  : >
>  : >Are you taking into account that every copy of Win2K comes with IIS? I had
>  : >to quickly run around and do upgrades yesterday. I clean forgot about the
>  : >workstations. I bet that I'm not the only one either.

> I think it is NOT on by default for IIS 4.0 but IS on by default
> for IIS 5.0... In any event, we had a machine that was freshly
> installed with the very latest W2k on July 18, in the evening. That
> machine was worm ridden within 12 hours. The grad student who
> installed didn't specifically add IIS and didn't have any reason 
> to do so.

I've just been staring at (yeah, I know
... not enough to do). We have a nice little camel here. It occurs to me
that the times coincide with info workers leaving work, eating dinner, and
firing up the workstation at home, in the US. Do we have any location data
on these infected hosts? What would be interesting is, if we have another
tail-off starting at about 0400 (we do) UTC and picking up again about 10-12
hours later. UTC midnight is about 2100 EDT and 1700 PDT. That's when it
starts to pick up again. The second peak corresponds to 0000EDT/0800PDT.

This supposes that the super-majority of Win2K machines are in the US. There
are also a bunch of WinXP beta machines out there. Is XP vulnerable?