From: Tony Langdon (tlangdonatctraining.com.au)
Date: Thu Jul 19 2001 - 20:13:07 CDT

    An update. It's now 0100z on July 20. As predicted, the attack rate of the
    Code Red worm has fallen to practically zero (and someone's even slipped in
    a couple of portscan and named probes for something different...), and
    suspicious traffic has fallen to pre-Code Red levels. The drop-off was
    sudden and coincident with the rolling over of the UTC date.

    Microsoft patches here prevented any local infestation, and I have filtering
    rules to prevent the spread of the worm from here, just to be safe.

    Somehow, I think things aren't so good at the White House, right now.

    Tony Langdon.
    Systems Development and Support.
    ATC Training Australasia. Level 2 321 Exhibition St Melbourne 3000.
    Phone: 1300 13 1983 WWW: http://www.atctraining.com.au

    > -----Original Message-----
    > From: Vern Paxson [mailto:vernee.lbl.gov]
    > Sent: Friday, 20 July 2001 9:50
    > To: Joe Harris
    > Cc: BUGTRAQ
    > Subject: Re: [BUGTRAQ] Full analysis of the .ida "Code Red" worm.
    >
    >
    > > So far today, it's been 1.17 million different remote hosts.
    >
    > Damn, serious methodology error in crunching that. The correct
    > figure is (I now believe :-) 293,000.
    >
    > Vern
    >