RE: .ida Intrusion Attempt

From: Ulrich Keil (ulrichk@der-keiler.de)
Date: Thu Jul 19 2001 - 16:34:03 PDT

    I think the reason for this is that the Worm just does a connect to
    randomIP:80.
    
    If your "Default-Web" (Don't know what it's called on NT) on every IP address is
    www.domain.com, then you just get hit on your www. Web, and not on the other
    Webs, which are (possibly) on the same IP.
    
    Ulrich Keil
    
    Linux/UNIX SysAdmin
    
    -----Original Message----- 
    From: Colby Rice [mailto:crice_at_180096hotel.com] 
    Sent: Thursday, July 19, 2001 1:29 PM 
    Cc: incidents_at_securityfocus.com; focus-ids_at_securityfocus.com 
    Subject: RE: .ida Intrusion Attempt 
    
    Has anyone else noticed that it is only hitting www. servers? Or am I
    just lucky? I am getting many, many attempts, but ONLY on my
    www.<whatever> servers. I DO have servers with port 80 open to the
    outside world that ARE NOT getting hit. From everything I have read on
    this worm, it is picking its IPs at random, and if that is the case then
    I should have been hit on something OTHER than these (few) www.
    servers.
    
    (or am I missing something?) 
    
                    CR 
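
Added example, not part of the original messages: a small Python model of the explanation in the reply above, showing which site's log records `.ida` requests when several name-based sites share one IP address. It assumes a probe sent to a bare IP carries no Host header naming a site; the site names, the address, the request path and the requests themselves are constructed.

```python
# Added illustration: name-based virtual host selection on one IP address.
# Site names, the address and the requests below are constructed sample data.
from collections import Counter

DEFAULT_SITE = "www.domain.com"   # the "default web" for the IP (assumed)
SITES = {"www.domain.com", "shop.domain.com", "mail.domain.com"}  # same IP


def parse_request(raw: bytes):
    """Return (path, host) from a raw HTTP request; host is None if absent."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1] if len(parts) > 1 else ""
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            # Drop an optional :port suffix and normalise case.
            host = value.strip().lower().split(":")[0] or None
    return path, host


def select_site(host):
    """Pick the site that serves (and logs) the request."""
    return host if host in SITES else DEFAULT_SITE


def is_ida_request(path):
    """True when the requested resource has the .ida extension."""
    return path.split("?", 1)[0].lower().endswith(".ida")


def ida_hits_per_site(requests):
    """Count .ida requests by the site whose log would record them."""
    hits = Counter()
    for raw in requests:
        path, host = parse_request(raw)
        if is_ida_request(path):
            hits[select_site(host)] += 1
    return hits


SAMPLE = [  # constructed requests
    b"GET /default.ida?XXXX HTTP/1.0\r\n\r\n",                     # no Host header
    b"GET /default.ida?XXXX HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n",  # Host is the IP
    b"GET /cart HTTP/1.1\r\nHost: shop.domain.com\r\n\r\n",         # normal visitor
    b"GET /index.html HTTP/1.1\r\nHost: www.domain.com:80\r\n\r\n",
]

if __name__ == "__main__":
    print(dict(ida_hits_per_site(SAMPLE)))
```

Servers that sit alone on their own IP address are not covered by this model; it only shows why sites sharing an address with the default site see nothing in their own logs.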
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 20:03:37 PDT