CRv3? Or some other ida type

From: Mike Baptiste (mikeat_private)
Date: Tue Jul 31 2001 - 15:23:33 PDT


    So I've had my servers scanning for .ida probes (they're Apache; I'm just curious). Well, after 5PM EDT, I started to see a few probes that looked different than the Code Red probe (default.ida?NNN).
    
    Here's what I've seen so far:
    
    136.176.193.XXX - - [31/Jul/2001:16:59:39 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1" 404 280 "-" "-"
    
    [somehost].bradley.edu - - [31/Jul/2001:17:11:24 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1" 404 211 "-" "-"
    
    The interesting thing is I'm getting probed twice by each host, about 2 minutes apart. Also, it must be doing random IP generation - I have servers on numerous sequential IPs, and I have not seen the probes move from one IP to the next.
    
    The traffic has been light (less than 10 probes so far), but given it's not even 8PM yet :) Just thought I'd post - this may be totally unrelated, but it might be CRv3 - so I figured I'd post.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
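
    As an added example (not part of the original post or the list), a small Python script that does what the poster did by hand: it pulls .ida requests out of Apache combined-format logs, separates the default.ida?NNN... Code Red probe from the x.ida?AAA...=X variant, and computes the per-host repeat interval. The log lines, source addresses and label names below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: host, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Any *.ida request: the file name, the filler run, and an optional one-character "=X" suffix.
IDA_RE = re.compile(r"^/([^/?]+\.ida)\?([A-Za-z]+)(?:=(\w))?", re.IGNORECASE)

# Constructed sample lines modelled on the post; hosts are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [31/Jul/2001:16:59:39 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1" 404 280 "-" "-"
192.0.2.10 - - [31/Jul/2001:17:01:41 -0400] "GET /x.ida?AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=X HTTP/1.1" 404 280 "-" "-"
192.0.2.20 - - [31/Jul/2001:17:05:02 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 275 "-" "-"
192.0.2.30 - - [31/Jul/2001:17:11:24 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

def classify(path):
    """Label an .ida probe by its shape; None for anything that is not an .ida request."""
    m = IDA_RE.match(path)
    if not m:
        return None
    name, filler, suffix = m.group(1).lower(), m.group(2), m.group(3)
    if name == "default.ida" and filler.startswith("N"):
        return "code-red"          # the default.ida?NNN... probe the post contrasts against
    if name == "x.ida" and filler.startswith("A") and suffix == "X":
        return "x.ida-variant"     # the x.ida?AAA...=X probe reported in the post
    return "unknown-ida"           # still worth a look: nothing legitimate requests .ida here

def analyse(log_text):
    """Group .ida probes per source host and compute the seconds between repeat probes."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, ts, _method, path, status = m.groups()
        kind = classify(path)
        if kind is None:
            continue
        by_host[host].append((datetime.strptime(ts, TS_FMT), kind, int(status)))
    report = {}
    for host, hits in by_host.items():
        hits.sort()
        gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(hits, hits[1:])]
        report[host] = {"count": len(hits), "kinds": sorted({k for _, k, _ in hits}), "gaps_s": gaps}
    return report
```

    On the sample above the first host shows two x.ida probes 122 seconds apart, the pattern the post describes; a 404 on every hit confirms the server never served the handler.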
    



    This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 15:59:06 PDT