CRv3?

From: Wayne Conrad (wconradat_private)
Date: Sat Aug 04 2001 - 07:59:39 PDT

    Is there something new in the neighborhood?  I'm getting CodeRed looking thingies but with X's instead of N's.  I've seen six of these in the last hour:
    
    64.81.87.33 - - [04/Aug/2001:06:17:55 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 404 275 "-" "-"
    
    I'm a Speakeasy customer, so it's curious that most of these are coming from Speakeasy or Covad DSL accounts.  It's also curious that I got hit twice from one IP -- not behavior I remember seeing from CodeRed so far.
    
    Name: dsl081-087-033.lax1.dsl.speakeasy.net
    Address: 64.81.87.33
    
    Name: dsl081-087-033.lax1.dsl.speakeasy.net
    Address: 64.81.87.33
    
    Name: www.sacramentochats.com
    Address: 64.81.62.38
    
    Name: dsl081-081-047.lax1.dsl.speakeasy.net
    Address: 64.81.81.47
    
    Name: h-64-105-162-178.lnoclli.covad.net
    Address: 64.105.162.178
    
    Name: dsl081-156-226.chi1.dsl.speakeasy.net
    Address: 64.81.156.226
    
    Any ideas?  Is this something new, or a retread I didn't know about?
    
        Wayne Conrad
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
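
A log triage sketch for the report above, added as an example and not part of the original message: it flags `/default.ida` requests in Apache access-log lines, records which filler character was used (N, or the X reported here), and lists sources that hit more than once. The sample lines, their documentation-range addresses and the 224-character filler length are constructed; function names are hypothetical.

```python
import re
from collections import Counter

# Apache log prefix: client address, identity, user, [timestamp], "METHOD URI ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)')
# /default.ida? then a run of one repeated letter (the filler), then the remainder.
IDA_RE = re.compile(
    r'^(?i:/default\.ida)\?(?P<pad>(?P<ch>[A-Za-z])(?P=ch){20,})(?P<rest>.*)$')

def classify(line):
    """Return (ip, filler_char, filler_len, has_u_escapes) for a probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, uri = m.groups()
    p = IDA_RE.match(uri)
    if not p:
        return None
    return ip, p.group('ch'), len(p.group('pad')), '%u' in p.group('rest')

def summarize(lines):
    """Count probes per filler character and list sources seen more than once."""
    fillers, sources = Counter(), Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            fillers[hit[1]] += 1
            sources[hit[0]] += 1
    return dict(fillers), sorted(ip for ip, n in sources.items() if n > 1)

def _probe(ip, ts, ch):
    # Constructed sample line: documentation address, 224 filler characters (assumed).
    return ('%s - - [04/Aug/2001:%s -0700] "GET /default.ida?%s%%u9090=a HTTP/1.0"'
            ' 404 275 "-" "-"' % (ip, ts, ch * 224))

SAMPLE = [
    _probe('192.0.2.10', '06:17:55', 'X'),
    _probe('198.51.100.7', '06:20:01', 'N'),
    _probe('192.0.2.10', '06:41:12', 'X'),
    '203.0.113.5 - - [04/Aug/2001:06:45:00 -0700] "GET /index.html HTTP/1.0" 200 512 "-" "-"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Grouping by filler character separates the N-padded requests from the X-padded ones, and the repeat list surfaces the "hit twice from one IP" pattern directly.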
    



    This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 19:44:25 PDT