yep, that's it. web logs on our apache servers showed a single similar entry on each of those servers e.g.

+++xx.foo.arizona.edu+++dialup.foo.arizona.edu - - [21/Jul/2001:22:53:37 -0700 ] "GET/x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1" 404 1477

it was just me dialed in from home running the code red scanner on our subnet. :)

Nick Lehman wrote:

> Looks very much like the URL eEye's 'Code Red Scanner' uses to test for
> vulnerable machines.
>
> http://www.eeye.com/html/Research/Tools/codered.html
>
> Nick
>
> -----Original Message-----
> From: Dean Cunningham [mailto:Dean.Cunninghamat_private]
> Sent: Wednesday, 25 July 2001 7:32 AM
> To: 'incidentsat_private'
> Subject: New version of Code Red?
>
> A FYI, I have yet to see anything in my logs.
>
> cheers
> Dean
>
> -----Original Message-----
> From: MVickat_private [mailto:MVickat_private]
> Sent: Wednesday, 25 July 2001 8:44 AM
> To: NT System Admin Issues
> Subject: New version of Code Red?
>
> Computer at 172.158.225.228 does the 80 GET /x.ida, followed by AAA...
> instead of NNN...
> Then comes back 25 minutes later with 80 GET /iisstart.asp and 80 GET
> /pagerror.gif
>
> 2001-07-23 11:05:32 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET /x.ida
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X
>
> 200 -
>
> 2001-07-23 11:30:06 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET
> /iisstart.asp
> - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)
>
> 2001-07-23 11:30:08 172.158.255.228 - xxx.xxx.xxx.xxx 80 GET
> /pagerror.gif
> - 200 Mozilla/4.0+(compatible;+MSIE+5.5;+Windows+98;+Win+9x+4.90)
>
> And nslookup reports....
>
> C:\>nslookup 172.158.255.228
> Server: xxxx.xxxxx.xxx
> Address: xxx.xxx.xxx.xxx
>
> Name: AC9EFFE4.ipt.aol.com
> Address: 172.158.255.228
>
> Michael Vick
>
> ***************************************************
> This e-mail is not an official statement of the
> Waikato Regional Council unless otherwise stated.
> Visit our website http://www.ew.govt.nz
> ***************************************************
>
> ------------------------------------------------------------------------
> ----
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
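
The log entries compared in this thread, as an added example that is not part of the original messages: a Python filter that finds .ida requests carrying a long run of one padding character in both Apache and IIS W3C log lines, and groups them by client and padding character (A versus N, the distinction the posters draw). The function names, the 32-character threshold and the sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# GET of any *.ida resource followed by 32+ repeats of one padding character
# (the threshold is an assumption). The separator is "?" in Apache logs and a
# space in IIS W3C logs, where URI stem and query string are separate fields.
IDA_PROBE = re.compile(r'GET\s*(/\S*?\.ida)[?\s]+((\w)\3{31,})', re.I)
# IIS W3C lines as quoted in the thread start "date time client-ip ...".
IIS_PREFIX = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\S+)')

def classify(line):
    """Return a dict describing the .ida probe on this log line, or None."""
    m = IDA_PROBE.search(line)
    if not m:
        return None
    iis = IIS_PREFIX.match(line)
    # Apache common log format puts the client host in the first field.
    client = iis.group(1) if iis else line.split(None, 1)[0]
    return {"client": client, "path": m.group(1),
            "pad": m.group(3).upper(), "pad_len": len(m.group(2))}

def summarize(lines):
    """Group probes by client and padding character: {client: {pad: count}}."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in lines:
        hit = classify(line)
        if hit:
            seen[hit["client"]][hit["pad"]] += 1
    return {c: dict(p) for c, p in seen.items()}

# Constructed sample records (documentation addresses, made-up padding lengths).
SAMPLE = [
    'dialup.example.edu - - [21/Jul/2001:22:53:37 -0700] "GET /x.ida?'
    + "A" * 200 + '=X HTTP/1.1" 404 1477',
    "2001-07-23 11:05:32 192.0.2.10 - 198.51.100.5 80 GET /x.ida "
    + "A" * 200 + "=X 200 -",
    "2001-07-23 11:30:06 192.0.2.10 - 198.51.100.5 80 GET /iisstart.asp - 200 Mozilla/4.0",
    '203.0.113.7 - - [19/Jul/2001:10:00:00 -0700] "GET /sample.ida?'
    + "N" * 224 + ' HTTP/1.0" 404 205',
]

if __name__ == "__main__":
    for client, pads in summarize(SAMPLE).items():
        print(client, pads)
```

Each record must be on one line; log lines that mail wrapping has split, as in the quoted IIS entry, need to be rejoined before they are passed in.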
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 09:47:43 PDT