From: Petr Swedock [mailto:petr@ai.mit.edu]
Sent: Wednesday, August 01, 2001 9:38 PM
: From: "Steven M. Bellovin" <smb@research.att.com>
: Date: Wed, 01 Aug 2001 23:15:50 -0400
: In message <EA9368A5B1010140ADBF534E4D32C728025AB1@condor.mhsc.com>, Roeland Meyer writes:
: >> From: Steven M. Bellovin [mailto:smb@research.att.com]
: >> Sent: Wednesday, August 01, 2001 7:36 PM
: >
: >> If it has indeed turned up again, I'm at a loss to explain it. While
: >> I'm sure there are some IIS servers on home machines, I doubt there are
: >> that many. But I don't have another explanation to offer.
: >
: >Are you taking into account that every copy of Win2K comes with IIS? I had
: >to quickly run around and do upgrades yesterday. I clean forgot about the
: >workstations. I bet that I'm not the only one either.
I think it is NOT on by default for IIS 4.0 but IS on by default
for IIS 5.0... In any event, we had a machine that was freshly
installed with the very latest W2k on July 18, in the evening. That
machine was worm-ridden within 12 hours. The grad student who
installed it didn't specifically add IIS and didn't have any reason
to do so.
I've just been staring at
www.caida.org/analysis/security/code-red/aug1-live-hosts.gif (yeah, I know
... not enough to do). We have a nice little camel here. It occurs to me
that the times coincide with info workers leaving work, eating dinner, and
firing up the workstation at home, in the US. Do we have any location data
on these infected hosts? What would be interesting is if we have another
tail-off starting at about 0400 UTC (we do) and picking up again about 10-12
hours later. UTC midnight is about 2100 EDT and 1700 PDT. That's when it
starts to pick up again. The second peak corresponds to 0000 EDT/0800 PDT.
This supposes that the super-majority of Win2K machines are in the US. There
are also a bunch of WinXP beta machines out there. Is XP vulnerable?
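The practical problem raised in this message is workstations that nobody thinks of as web servers but that answer on port 80 with IIS. The following is an example added by the editor, not code from anyone in this thread: it sends a minimal HEAD request to each host on a list you own and flags any that identify themselves with a "Server: Microsoft-IIS/..." header. It assumes the Server header is present and unmodified (a host with the header stripped will not be flagged); the 192.0.2.x addresses and the canned responses are constructed sample data so the classification logic can be exercised offline.

```python
"""Inventory check: which hosts on my own network are quietly running IIS?

Editor's example, not from the original thread. Only probe hosts you own.
"""

import re
import socket

# Assumption: we rely solely on the Server response header. A server whose
# header has been removed or rewritten will not be detected.
IIS_SERVER_RE = re.compile(r"^Server:\s*Microsoft-IIS/(\S+)",
                           re.IGNORECASE | re.MULTILINE)


def iis_version_from_response(raw):
    """Return the IIS version string ("5.0", "4.0", ...) parsed from a raw
    HTTP response, or None if the response does not claim to be IIS."""
    if not raw:
        return None
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", errors="replace")
    m = IIS_SERVER_RE.search(head)
    return m.group(1) if m else None


def probe_http(host, port=80, timeout=2.0):
    """Send a minimal HEAD request and return the raw response headers as
    bytes, or None if the port is closed or the host is unreachable."""
    request = ("HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            buf = b""
            while b"\r\n\r\n" not in buf:
                data = s.recv(4096)
                if not data:
                    break
                buf += data
            return buf
    except OSError:
        return None


def find_iis_hosts(responses):
    """Given {host: raw_response_or_None}, return {host: iis_version} for
    every host that identified itself as Microsoft IIS."""
    found = {}
    for host, raw in responses.items():
        version = iis_version_from_response(raw)
        if version is not None:
            found[host] = version
    return found


def scan(hosts, port=80):
    """Probe each host and return the IIS hosts found (live network use)."""
    return find_iis_hosts({h: probe_http(h, port) for h in hosts})


# Constructed sample data (RFC 5737 documentation addresses, canned replies)
# so the classifier can be demonstrated without touching a network.
SAMPLE_RESPONSES = {
    "192.0.2.10": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                  b"Content-Length: 0\r\n\r\n",          # Win2K workstation
    "192.0.2.11": b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.19 (Unix)\r\n\r\n",
    "192.0.2.12": None,                                   # port 80 closed
    "192.0.2.13": b"HTTP/1.0 403 Forbidden\r\nserver: Microsoft-IIS/4.0\r\n\r\n",
}

if __name__ == "__main__":
    for host, version in sorted(find_iis_hosts(SAMPLE_RESPONSES).items()):
        print("%s  Microsoft-IIS/%s" % (host, version))
    # For a real sweep of your own subnet:  scan(["10.0.0.%d" % i for i in range(1, 255)])
```

The header match is case-insensitive and tolerant of missing bodies, since a HEAD request to IIS 5.0 returns headers only; a closed port simply yields None and is skipped rather than aborting the sweep.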