[rescue] [OT] CodeRed activity?
Phil Brutsche
rescue at sunhelp.org
Sun Aug 5 10:19:28 CDT 2001
On 05 Aug 2001 11:14:13 +0100, David Cantrell wrote:
> > I think it's more likely that this worm is limiting itself to the /8
> > that it finds itself being hosted in.
>
> Demonstrably false:
Looking at the analysis on incidents at securityfocus.com, we were both
right, after a fasion.
The "prng" that this new worm uses operates in such a way that the IP
numbers it tries to contact are statistically in the same /8 or /16 as
the infected system.
Does that make sense?
--
Phil
More information about the rescue
mailing list