So I've had my servers scanning for .ida probes (They're Apache - I'm just curious) Well, after 5PM EDT, I started to see a few probes that looked different than the Code Red probe (default.ida?NNN) Here's what I've seen so far: 136.176.193.XXX - - [31/Jul/2001:16:59:39 - 0400] "GET /x.ida? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA=X HTTP/1.1" 404 280 "-" "-" [somehost].bradley.edu - - [31/Jul/2001:17:11:24 - 0400] "GET /x.ida? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA=X HTTP/1.1" 404 211 "-" "-" The interesting thing is I'm getting probed twice by each host, about 2 minutes apart. Also, it must be doing random IP generation - I have servers on numerous sequential IPs, and I have not seen the probes mve from one IP to the next. The traffic has been light (less than 10 probes so far) but given its not even 8PM yet :) Just thought I'd post - this may be totally unrelated, but it might be CRv3 - so I figured I'd post. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 15:59:06 PDT