On Tuesday 24 July 2001 02:19, Greg Owen wrote: > Two of these showed up in my web server logs today: > > 202.100.68.22 - - [23/Jul/2001:11:58:37 -0400] "GET x HTTP/1.0" 400 328 > 202.99.64.113 - - [23/Jul/2001:17:23:44 -0400] "GET x HTTP/1.0" 400 328 I've seen a total of 61 of these requests, starting on 05/05/2001 and turning up every few days thereafter, mostly coming from the apnic netblocks 202/8, 203/8, 210/8 and 211/8, but also some from 150.43/16 (a Japanese Technical College) and a few from assorted US cable/DSL networks. I can't think of any practical purpose for them, unless it's looking for traces of an as yet (to me, anyway) undocumented worm. Another thing to note in the scans I've discovered is that they've mostly been scanning netblocks: amongst other things I look after a /27 netblock that has a number of web servers which seem to have been scanned contiguously. cheers john ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 08:53:53 PDT