From: Petr Swedock [mailto:petr@ai.mit.edu] Sent: Wednesday, August 01, 2001 9:38 PM
: From: "Steven M. Bellovin" <smb@research.att.com>
: Date: Wed, 01 Aug 2001 23:15:50 -0400
: In message <EA9368A5B1010140ADBF534E4D32C728025AB1@condor.mhsc.com>, Roeland Meyer writes:
: >> From: Steven M. Bellovin [mailto:smb@research.att.com]
: >> Sent: Wednesday, August 01, 2001 7:36 PM
: >
: >> If it has indeed turned up again, I'm at a loss to explain it. While
: >> I'm sure there are some IIS servers on home machines, I doubt there are
: >> that many. But I don't have another explanation to offer.
: >
: >Are you taking into account that every copy of Win2K comes with IIS? I had
: >to quickly run around and do upgrades yesterday. I clean forgot about the
: >workstations. I bet that I'm not the only one either.
I think it is NOT on by default for IIS 4.0 but IS on by default for IIS 5.0... In any event, we had a machine that was freshly installed with the very latest W2k on July 18, in the evening. That machine was worm-ridden within 12 hours. The grad student who installed it didn't specifically add IIS and didn't have any reason to do so.
I've just been staring at www.caida.org/analysis/security/code-red/aug1-live-hosts.gif (yeah, I know ... not enough to do). We have a nice little camel here. It occurs to me that the time coincides with info workers leaving work, eating dinner, and firing up the workstation at home, in the US. Do we have any location data on these infected hosts? What would be interesting is if we have another tail-off starting at about 0400 UTC (we do) and picking up again about 10-12 hours later. UTC midnight is about 2100 EDT and 1700 PDT. That's when it starts to pick up again. The second peak corresponds to 0000 EDT/0800 PDT. This supposes that the super-majority of Win2K machines are in the US. There are also a bunch of WinXP beta machines out there. Is XP vulnerable?
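The message above reasons about whether the infection curve tracks the US working day by shifting UTC timestamps into EDT and PDT and looking for an evening bulge. The script below is an added example, not code from this thread or from CAIDA: it takes a constructed list of first-seen UTC timestamps (as a sensor or a list of infected hosts might provide), re-bins them by local hour for each coast using the standard summer offsets (EDT = UTC-4, PDT = UTC-7), and reports which local hour is busiest and what fraction of events fall in the after-work window. The timestamps and the 17:00-23:00 "after work" window are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Standard summer-time offsets for the two US coasts (EDT = UTC-4, PDT = UTC-7).
ZONES = {
    "EDT": timezone(timedelta(hours=-4)),
    "PDT": timezone(timedelta(hours=-7)),
}

# Constructed sample: first-seen times (UTC) of hosts observed probing a sensor.
# This is illustrative data, not the CAIDA measurements discussed in the thread.
SAMPLE_FIRST_SEEN_UTC = [
    "2001-08-01T23:40:00", "2001-08-02T00:05:00", "2001-08-02T00:20:00",
    "2001-08-02T00:45:00", "2001-08-02T01:10:00", "2001-08-02T01:30:00",
    "2001-08-02T02:00:00", "2001-08-02T03:50:00", "2001-08-02T04:15:00",
    "2001-08-02T09:00:00",
]


def parse_utc(stamp):
    """Parse an ISO-8601 timestamp that is known to be in UTC."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def local_hour(stamp, zone):
    """Hour of day (0-23) at which a UTC timestamp falls in the named zone."""
    return parse_utc(stamp).astimezone(ZONES[zone]).hour


def hourly_histogram(stamps, zone):
    """Count events per local hour; returns a dict hour -> count."""
    return dict(Counter(local_hour(s, zone) for s in stamps))


def busiest_hour(stamps, zone):
    """Local hour with the most first-seen events (earliest hour wins ties)."""
    hist = hourly_histogram(stamps, zone)
    return max(hist, key=lambda h: (hist[h], -h))


def evening_share(stamps, zone, start=17, end=23):
    """Fraction of events landing in the local after-work window [start, end]."""
    hours = [local_hour(s, zone) for s in stamps]
    return sum(1 for h in hours if start <= h <= end) / len(hours)


if __name__ == "__main__":
    for zone in ZONES:
        print(zone, "histogram:", sorted(hourly_histogram(SAMPLE_FIRST_SEEN_UTC, zone).items()))
        print(zone, "busiest local hour:", busiest_hour(SAMPLE_FIRST_SEEN_UTC, zone))
        print(zone, "share in 17:00-23:00 window:", evening_share(SAMPLE_FIRST_SEEN_UTC, zone))
```

With real per-host data one would bin each host by the zone its address geolocates to rather than assuming every host is on one coast; the functions above take the zone as a parameter so that per-host lookup can be dropped in.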
Participants (1): Roeland Meyer