Some web caching systems and sniffers take the Host: header from an HTTP
request and put that as the DNS name for the incoming IP address. And what's
in the Code Red Host header? worm.com. So some things display worm.com as the
incoming/outgoing (depending on what packet you're viewing) request.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

|-----Original Message-----
|From: Robin Stevens
|[mailto:robin.stevens@computing-services.oxford.ac.uk]
|Sent: Wednesday, August 01, 2001 11:07 AM
|To: incidentsat_private
|Subject: Re: http://www.worm.com/default.ida? requests
|
|
|On Wed, Aug 01, 2001 at 04:36:18PM +0100, Sean Kelly wrote:
|> My webcache is having a massive amount of requests for
|> http://www.worm.com/default.ida?. Is this an infected machine trying to
|> scan, or is this a scanner trying to detect compromised hosts?
|
|On the last round, the hosts trying to access it matched almost exactly
|those found to be vulnerable to Code Red. One host managed 46 million
|requests over a 30 hour period.
|
|Once again we've got hosts hammering away at the cache with requests for
|that URL, and some admins not taking them offline when asked. *sigh*
|
|--
|--------------- Robin Stevens <robin.stevensat_private> -----------------
|Oxford University Computing Services ----------- Web: http://www.cynic.org.uk/
|------- (+44)(0)1865: 273212 (work) 273275 (fax) Mobile: 07776 235326 -------
|
|----------------------------------------------------------------------------
|This list is provided by the SecurityFocus ARIS analyzer service.
|For more information on this free incident handling, management
|and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 14:28:22 PDT
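The behaviour described in the thread, as an added example that is not part of the original posts: a cache that trusts the Host: header rebuilds the URL from it, and counting the resulting worm.com URLs per client shows which internal hosts need to come offline. The function names, client addresses and sample requests (including the `XXXX` query filler) are constructed for illustration.

```python
from collections import Counter
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample traffic: (client IP, raw request as seen by the cache).
SAMPLE_REQUESTS = [
    ("192.0.2.10", b"GET /default.ida?XXXX HTTP/1.0\r\nHost: www.worm.com\r\n\r\n"),
    ("192.0.2.10", b"GET /default.ida?XXXX HTTP/1.0\r\nHost: www.worm.com\r\n\r\n"),
    ("192.0.2.11", b"GET /default.ida?XXXX HTTP/1.0\r\nAccept: */*\r\nHOST:worm.com\r\n\r\n"),
    ("192.0.2.12", b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    ("192.0.2.13", b"GET /default.ida?XXXX HTTP/1.0\r\n\r\n"),  # no Host header
]

WORM_HOSTS = {"worm.com", "www.worm.com"}


def effective_url(raw: bytes) -> Optional[str]:
    """Rebuild the URL the way a cache that trusts the Host: header does."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return None  # malformed request line
    target = parts[1]
    if target.lower().startswith("http://"):
        return target  # absolute-form request sent to an explicit proxy
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return "http://" + value.strip() + target
    return None  # no Host header: only the destination IP identifies the server


def is_worm_request(url: str) -> bool:
    """True for the http://www.worm.com/default.ida? pattern from the thread."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower() in WORM_HOSTS and parts.path.lower() == "/default.ida"


def count_worm_clients(requests: Iterable[Tuple[str, bytes]]) -> Counter:
    """Count matching requests per client IP, i.e. the likely infected hosts."""
    hits = Counter()
    for client_ip, raw in requests:
        url = effective_url(raw)
        if url is not None and is_worm_request(url):
            hits[client_ip] += 1
    return hits


if __name__ == "__main__":
    for ip, n in count_worm_clients(SAMPLE_REQUESTS).most_common():
        print(ip, n)
```

The request without a Host header is not counted, because a cache has nothing but the real destination address to log for it.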