On Thu, 19 Jul 2001, Gillard, Paul wrote:

> In the past hour I've seen a dramatic increase in attempted connection to
> port 80 for all the IP's we own, none of which are web servers. I usually
> get about 1 a day but in the last hour I've had over thirty different IP's
> trying to connect and it looks like it's increasing (examples below).

Same here....here is a bit of my snort log. You can see it's the Code Red worm.

[**] IDS296/web-misc_http-whisker-splicing-attack-space [**]
07/19-16:38:04.281336 xx.xxx.xxx.xx:4888 -> 24.179.45.150:80
TCP TTL:107 TOS:0x0 ID:43445 IpLen:20 DgmLen:44 DF
***AP*** Seq: 0xAA95CC7E Ack: 0x7B62C9FE Win: 0x4470 TcpLen: 20
47 45 54 20  GET
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
07/19-16:38:04.310213 xx.xxx.xxx.xx:4888 -> 24.179.45.150:80
TCP TTL:107 TOS:0x0 ID:43446 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xAA95CC82 Ack: 0x7B62C9FE Win: 0x4470 TcpLen: 20
2F 64 65 66 61 75 6C 74 2E 69 64 61 3F 4E 4E 4E  /default.ida?NNN
4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E 4E  NNNNNNNNNNNNNNNN

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 20:08:18 PDT
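Added example, not part of the original post or the archive: a Python script that parses Snort alerts in the layout quoted above and counts, per hour, the distinct sources that fired the IDS552 .ida signature against port 80, which is the measure the thread uses to describe the spike. The function names, the threshold, and the sample source addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the Snort alert layout quoted in the post. Source
# addresses are documentation-range placeholders; one is masked as in the post.
SAMPLE = """\
[**] IDS296/web-misc_http-whisker-splicing-attack-space [**]
07/19-16:38:04.281336 192.0.2.10:4888 -> 24.179.45.150:80
TCP TTL:107 TOS:0x0 ID:43445 IpLen:20 DgmLen:44 DF
[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
07/19-16:38:04.310213 192.0.2.10:4888 -> 24.179.45.150:80
TCP TTL:107 TOS:0x0 ID:43446 IpLen:20 DgmLen:1500 DF
[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
07/19-16:52:40.000101 xx.xxx.xxx.xx:1302 -> 24.179.45.150:80
[**] IDS552/web-iis_IIS ISAPI Overflow ida [**]
07/19-17:03:11.500000 203.0.113.99:2210 -> 24.179.45.150:80
"""

HEADER = re.compile(r"^\[\*\*\]\s*(?P<sig>.+?)\s*\[\*\*\]$")
FLOW = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<hour>\d\d):\d\d:\d\d\.\d+\s+"
    r"(?P<src>[\w.]+):\d+\s+->\s+[\w.]+:(?P<dport>\d+)$")

def parse_alerts(text):
    """Yield (signature, 'MM/DD HH', source, dest_port) for each alert block."""
    sig = None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            sig = m["sig"]
            continue
        m = FLOW.match(line)
        if m and sig:  # the flow line directly follows its alert header
            yield sig, f"{m['mon']}/{m['day']} {m['hour']}", m["src"], int(m["dport"])
            sig = None  # ignore payload and TCP lines until the next header

def sources_per_hour(text, sig_prefix="IDS552", dport=80):
    """Map hour bucket -> set of distinct sources that fired the signature."""
    buckets = defaultdict(set)
    for sig, hour, src, port in parse_alerts(text):
        if sig.startswith(sig_prefix) and port == dport:
            buckets[hour].add(src)
    return dict(buckets)

def spike_hours(text, threshold):
    """Return hour buckets with at least `threshold` distinct sources."""
    return sorted(h for h, s in sources_per_hour(text).items() if len(s) >= threshold)
```

Masked sources such as xx.xxx.xxx.xx are counted as a single source, so logs sanitized before sharing will undercount.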