Code Red statistics at TRIUMF

Related pages: NIMDA worm at TRIUMF, dynamic LaBrea Scatterplot

Infection Period #2. Starting at 8pm EST on July 31 2001, the worm shows exponential growth; see these PNG plots:

Scripts to create scatterplots etc. are available here.

Infection Period #1, Attack Period #1

During the day of July 19th, 2001, TRIUMF experienced an unprecedented number of probes from the Internet for port 80 HTTP service (Webserver). These are attributed to the Code Red worm, which attacks unpatched Microsoft IIS webservers.

At this time, the SANS incident handling centre set the Internet Threat Level to "Orange" (on a scale of green, yellow, orange, red). On July 20th, the Threat Level was downgraded to Yellow.

Check out this page at CAIDA. It has some cool animations of the geographic spread of the worm.

For more information on the Code Red worm, please see:

The worm was first reported privately to eEye Security on July 13th. On July 17th, an analysis of the worm appeared on the Bugtraq mailing list, on Newsbytes, and on Incidents.org. On July 18th, eEye and SANS released a routine advisory notice. On July 19th SANS released a special alert at 4pm PDT.

Graph of probes/hour
The graph shows the number of probes to port 80 to addresses within the TRIUMF domain where a webserver is not running. These mostly represent scanning activity by the Code Red worm.

For a logarithmic plot, showing the tailing off of the number of scans since July 20, see codered.log.png (since 13 July), codered.log2.png (since 31 July). At 9am PDT on August 1, the log plot shows a straight line (exponential growth).

For a linear plot of probes since July 24, see codered3.png

Source Domains

The most common source subnets (class B) were:
61.132 106643
168.160 19249
61.218 14414
211.233 12789
202.108 12433
209.11 11974
61.216 11611
211.23 11369
211.174 9554
209.61 9485
61.13 9240
62.110 8903
63.111 8882
211.21 8726
217.80 8377
213.122 8328
61.219 8295
211.20 8039
66.12 7956
161.7 7870
211.22 7820
209.235 7713
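
The following Python sketch is an added example, not one of the TRIUMF scripts. It shows how the probes/hour counts, the class B source tally, and the straight-line check on the log plot can be computed from a probe log. The log line format ("timestamp source destination port"), the function names, and the sample data are assumptions made for illustration.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

def parse(line):
    """Return (timestamp, source IP, destination port), or None if malformed."""
    parts = line.split()
    try:
        octets = [int(o) for o in parts[1].split(".")]
        if len(parts) != 4 or len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            return None
        return datetime.fromisoformat(parts[0]), parts[1], int(parts[3])
    except (IndexError, ValueError):
        return None

def summarize(lines, port=80):
    """Count probes to `port` per hour and per source class B (/16) prefix."""
    hourly, class_b = Counter(), Counter()
    for ts, src, dport in filter(None, map(parse, lines)):
        if dport != port:
            continue
        hourly[ts.replace(minute=0, second=0, microsecond=0)] += 1
        class_b[".".join(src.split(".")[:2])] += 1
    return hourly, class_b

def growth_rate_per_hour(hourly):
    """Least-squares slope of ln(count) against hours (needs two or more hourly buckets).
    A straight line on the log plot is a constant slope: > 0 growth, < 0 tailing off."""
    t0 = min(hourly)
    xs = [(h - t0).total_seconds() / 3600 for h in sorted(hourly)]
    ys = [math.log(hourly[h]) for h in sorted(hourly)]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sum((x - mx) ** 2 for x in xs)

def make_sample():
    """Constructed log: probes double each hour; sources are documentation ranges."""
    nets, start, lines = ["192.0.2", "198.51.100", "203.0.113"], datetime(2001, 8, 1), []
    for hour in range(4):
        for i in range(2 * 2 ** hour):
            ts = (start + timedelta(hours=hour, seconds=i)).isoformat()
            lines.append(f"{ts} {nets[i % 3]}.{i + 1} 10.0.0.{i % 250 + 1} 80")
    lines += ["2001-08-01T01:00:00 192.0.2.9 10.0.0.5 22", "garbage line"]
    return lines

if __name__ == "__main__":
    hourly, class_b = summarize(make_sample())
    print(sorted(hourly.items()), class_b.most_common(3))
    print("doubling time (h):", round(math.log(2) / growth_rate_per_hour(hourly), 2))
```

A positive slope gives a doubling time of ln(2)/slope hours; a negative slope corresponds to the tailing off seen after July 20.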

The most common Top-Level domains were:
com 125131    .COM commercial
cn 84495      China
net 78041     .NET commercial
edu 14214     .EDU Academic
jp 12326      Japan
tw 9805       Taiwan
nl 8007       Netherlands
uk 7468       United Kingdom
de 7144       Germany
us 6812       US regional, e.g. High Schools
fr 6001       France
it 5701       Italy
ca 5582       Canada
org 5085      .ORG  commercial and non-profit
se 4321       Sweden
dk 4124       Denmark
at 3795       Austria
es 3554       Spain
be 3140       Belgium
ch 2407       Switzerland
za 2069       South Africa
fi 2054       Finland
no 1836       Norway
au 1831       Australia
nu 1754     
ru 1667       
is 1621       
gr 1492       Greece
hr 1404       Hungary
kr 1043       Korea
pl 936        Poland
arpa 922
cz 702        Czech Republic
si 696
hk 585        Hong Kong
id 534
mx 531        Mexico
ee 522
br 517
tr 503
A.Daviel