[NCLUG] Some CodeRed web hits compared
Michael Dwyer
mdwyer at sixthdimension.com
Wed Aug 8 01:26:29 MDT 2001
> This is interesting. For some reason qwest is getting hit harder
> than many others. Of course, I've also heard that cable modem people
> are having lots of trouble. Below are Code Red hits on a few web
> Linux servers. One is on a machine behind that Cisco 678 that has
> been crashing.
The CodeRed II worm may have a modified payload that seeds its IP-scanning
random number list with a preference for local hosts. It's
something like a 1:4 chance that it will scan the local Class-C
or something like that. That would serve to explain why some
machines get scanned more than others -- some machines are closer
to a large pool of infected machines.
A modem-only machine I work with had 18 HTML accesses today, as
of about 4pm. It's a tiny 4-person real estate office. Of those
18 hits, THREE were legitimate. The other FIFTEEN were CodeRed
and CodeRed II scans.
And my Cisco logs are FULL of scans to blocked addresses... :(
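Counting the worm hits the way the post does (CodeRed vs. CodeRed II vs. legitimate, and whether the scanning host sits in the server's own Class C) can be done straight from an Apache access log. The script below is an added example, not code from the post or from the NCLUG list; the log lines in it are constructed, the worm request URIs are abbreviated, and the server address 10.1.2.50 is an assumed value. It keys on the one thing both worm variants share, a request for /default.ida followed by a long run of a single filler character ('N' for the original CodeRed, 'X' for CodeRed II).

```python
import re
import ipaddress
from collections import Counter

# Constructed Apache common-log-format lines for illustration only; not taken
# from the post or from any real server. Worm request URIs are abbreviated.
SAMPLE_LOG = """\
10.1.2.3 - - [08/Aug/2001:14:01:12 -0600] "GET /index.html HTTP/1.0" 200 1432
10.1.2.77 - - [08/Aug/2001:14:03:40 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 276
192.0.2.9 - - [08/Aug/2001:14:05:02 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 276
10.1.2.150 - - [08/Aug/2001:14:06:11 -0600] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090=a HTTP/1.0" 404 276
203.0.113.4 - - [08/Aug/2001:14:09:55 -0600] "GET /listings.html HTTP/1.1" 200 8820
"""

# Apache common log format: client, ident, user, [timestamp], "request", status, size.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Both worm variants hit the IIS .ida ISAPI filter with a long run of one
# filler character: 'N' for the original CodeRed, 'X' for CodeRed II.
# The backreference requires at least 11 repeats of the same character.
WORM_RE = re.compile(r"^/default\.ida\?([NX])\1{10,}")


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def classify(uri):
    """Label a request URI as 'codered_v1', 'codered_ii' or 'legit'."""
    m = WORM_RE.match(uri)
    if not m:
        return "legit"
    return "codered_v1" if m.group(1) == "N" else "codered_ii"


def same_class_c(src, server):
    """True if src is in the server's /24 (the post's 'local Class C')."""
    try:
        net = ipaddress.ip_network(f"{server}/24", strict=False)
        return ipaddress.ip_address(src) in net
    except ValueError:
        # Hostnames or malformed addresses in the log are treated as remote.
        return False


def summarize(log_text, server_ip):
    """Count hits by kind, and worm hits by whether the scanner is in our /24."""
    by_kind = Counter()
    worm_by_locality = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            by_kind["unparsed"] += 1
            continue
        kind = classify(rec["uri"])
        by_kind[kind] += 1
        if kind != "legit":
            where = "local" if same_class_c(rec["src"], server_ip) else "remote"
            worm_by_locality[where] += 1
    return {"by_kind": dict(by_kind), "worm_by_locality": dict(worm_by_locality)}


if __name__ == "__main__":
    # 10.1.2.50 is an assumed server address for the constructed sample.
    print(summarize(SAMPLE_LOG, "10.1.2.50"))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents and server_ip with the host's address; a large "local" share in worm_by_locality is what the locality-biased scanning described in the post would look like from one server's point of view.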