Looks very much like the URL eEye's 'Code Red Scanner' uses to test for vulnerable machines.

http://www.eeye.com/html/Research/Tools/codered.html

Nick

-----Original Message-----
From: Dean Cunningham [mailto:Dean.Cunninghamat_private]
Sent: Wednesday, 25 July 2001 7:32 AM
To: 'incidentsat_private'
Subject: New version of Code Red?

A FYI, I have yet to see anything in my logs.

cheers
Dean

-----Original Message-----
From: MVickat_private [mailto:MVickat_private]
Sent: Wednesday, 25 July 2001 8:44 AM
To: NT System Admin Issues
Subject: New version of Code Red?

Computer at 172.158.225.228 does the 80 GET /x.ida, followed by AAA... instead of NNN...
Then comes back 25 minutes later with 80 GET /iisstart.asp and 80 GET /pagerror.gif

2001-07-23 11:05:32 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /x.ida
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X
200 -
2001-07-23 11:30:06 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /iisstart.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)
2001-07-23 11:30:08 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /pagerror.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)

And nslookup reports....

C:\>nslookup 172.158.255.228
Server: xxxx.xxxxx.xxx
Address: xxx.xxx.xxx.xxx

Name: AC9EFFE4.ipt.aol.com
Address: 172.158.255.228

Michael Vick

***************************************************
This e-mail is not an official statement of the Waikato Regional Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
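
One way to pull the pattern discussed in this thread out of IIS logs, as an added example that is not part of the original messages: it flags `.ida` requests whose query starts with a long run of a single padding character, records which character was used (the A-versus-N distinction above), and lists the same client's later requests. The field order follows the log quoted in the thread; the sample lines and addresses are constructed, and the 64-character threshold and one-hour window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the field order of the log quoted in the thread:
# date time c-ip user s-ip port method uri-stem uri-query status user-agent
SAMPLE_LOG = "\n".join([
    "2001-07-23 11:05:32 192.0.2.10 - 198.51.100.5 80 GET /x.ida " + "A" * 224 + "=X 200 -",
    "2001-07-23 11:30:06 192.0.2.10 - 198.51.100.5 80 GET /iisstart.asp - 200 Mozilla/4.0+(compatible;+MSIE+5.5)",
    "2001-07-23 11:30:08 192.0.2.10 - 198.51.100.5 80 GET /pagerror.gif - 200 Mozilla/4.0+(compatible;+MSIE+5.5)",
    "2001-07-23 12:01:00 192.0.2.77 - 198.51.100.5 80 GET /default.ida " + "N" * 224 + "=a 200 -",
    "2001-07-23 12:02:00 192.0.2.99 - 198.51.100.5 80 GET /index.html - 200 Mozilla/4.0",
])

# Query begins with one character repeated at least 64 times (assumed threshold).
PADDING = re.compile(r"^(.)\1{63,}")

def parse(line):
    """Split one log line into the fields this check needs."""
    f = line.split(None, 10)
    if len(f) < 10:
        return None
    return {"ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "client": f[2], "stem": f[7], "query": f[8], "status": f[9]}

def find_ida_probes(log_text, window=timedelta(hours=1)):
    """Return one finding per padded .ida request, together with that
    client's follow-up requests inside the window."""
    recs = [r for r in map(parse, log_text.splitlines()) if r]
    by_client = defaultdict(list)
    for r in recs:
        by_client[r["client"]].append(r)
    findings = []
    for r in recs:
        m = PADDING.match(r["query"])
        if not (r["stem"].lower().endswith(".ida") and m):
            continue
        pad = m.group(1)
        pad_len = len(r["query"]) - len(r["query"].lstrip(pad))
        later = [x["stem"] for x in by_client[r["client"]]
                 if r["ts"] < x["ts"] <= r["ts"] + window]
        findings.append({"client": r["client"], "stem": r["stem"],
                         "pad_char": pad, "pad_len": pad_len,
                         "status": r["status"], "followups": later})
    return findings

if __name__ == "__main__":
    for finding in find_ida_probes(SAMPLE_LOG):
        print(finding)
```

Grouping findings by `pad_char` separates sources that send the A padding from those that send the N padding, and a non-empty `followups` list shows a client that came back for ordinary pages afterwards.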
This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 20:16:16 PDT