Confirmed, this one came across every server in one class C yesterday from the same address. (the hospital here in town, as a matter of fact.. Odd.) 000 : 47 45 54 20 2F 78 2E 69 64 61 3F 41 41 41 41 41 GET /x.ida?AAAAA 010 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 020 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 030 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 040 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 050 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 060 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 070 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 080 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 090 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0a0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0b0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0c0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0d0 : 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 0e0 : 41 41 41 41 41 41 41 3D 58 20 48 54 54 50 2F 31 AAAAAAA=X HTTP/1 0f0 : 2E 31 0A 48 6F 73 74 3A 20 77 77 77 2E 77 6F 72 .1.Host: www.wor 100 : 6D 2E 63 6F 6D 0D 0A 0D 0A m.com.... ----- Original Message ----- From: "Dean Cunningham" <Dean.Cunninghamat_private> To: <incidentsat_private> Sent: Tuesday, July 24, 2001 4:02 PM Subject: New version of Code Red? > A FYI, I have yet to see anything in my logs. > > cheers > Dean > > > -----Original Message----- > From: MVickat_private [mailto:MVickat_private] > Sent: Wednesday, 25 July 2001 8:44 AM > To: NT System Admin Issues > Subject: New version of Code Red? > > > Computer at 172.158.225.228 does the 80 GET /x.ida, followed by AAA... > instead of NNN... > Then comes back 25 minutes later with 80 GET /iisstart.asp and 80 GET > /pagerror.gif > > > 2001-07-23 11:05:32 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /x.ida > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X > > 200 - > > 2001-07-23 11:30:06 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /iisstart.asp > - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90) > > 2001-07-23 11:30:08 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /pagerror.gif > - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90) > > > And nslookup reports.... > > > C:\>nslookup 172.158.255.228 > Server: xxxx.xxxxx.xxx > Address: xxx.xxx.xxx.xxx > > Name: AC9EFFE4.ipt.aol.com > Address: 172.158.255.228 > > > > Michael Vick > > *************************************************** > This e-mail is not an official statement of the > Waikato Regional Council unless otherwise stated. > Visit our website http://www.ew.govt.nz > *************************************************** > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 20:06:17 PDT