> It looks like most of my hits are coming from within
> my cable modem subnet. My assumption is people are at
> home setting up a personal webserver to learn with and
> not knowing anything about the administrative side, not
> looking for updates to there server.
Not necessarily a good assumption. If you do an analysis of incoming IP numbers from "average" (that is, pre-Code Red/Nimda) surfers, you will discover that the breakdown by Class A IP quad is extremely uneven from 0 to 255.
I did such an analysis, prior to the Code Red onslaught last summer. Based on a sample of over 100,000, over one third of the Class A were close to zero hits, over one third were fairly low, and less than one third were very high.
The distribution is very, very uneven. That's why Code Red didn't propagate as fast as Nimda. In Code Red, the IP number targeted by infected machies was generated randomly. Two-thirds of its effort was wasted on Class As that didn't go hardly anywhere.
Starting with Nimda, the IP generation routine gave heavy priority to the Class A of the machine that was infected. That neatly solved the problem of wasted attacks, as the outgoing attacks were now proportional to the actual Class As in use on the Internet.
Therefore, Nimda propagated much more quickly than Code Red. Almost all the probes you see will be from your same Class A, because all the virus writers from here on out will not be repeating the mistake of generating the attack IPs using a random generator.