Is there something new in the neighborhood? I'm getting CodeRed looking thingies but with X's instead of N's. I've seen six of these in the last hour:

64.81.87.33 - - [04/Aug/2001:06:17:55 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 275 "-" "-"

I'm a Speakeasy customer, so it's curious that most of these are coming from Speakeasy or Covad DSL accounts. It's also curious that I got hit twice from one IP -- not behavior I remember seeing from CodeRed so far.

Name:    dsl081-087-033.lax1.dsl.speakeasy.net
Address: 64.81.87.33

Name:    dsl081-087-033.lax1.dsl.speakeasy.net
Address: 64.81.87.33

Name:    www.sacramentochats.com
Address: 64.81.62.38

Name:    dsl081-081-047.lax1.dsl.speakeasy.net
Address: 64.81.81.47

Name:    h-64-105-162-178.lnoclli.covad.net
Address: 64.105.162.178

Name:    dsl081-156-226.chi1.dsl.speakeasy.net
Address: 64.81.156.226

Any ideas? Is this something new, or a retread I didn't know about?

Wayne Conrad
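
An added example, not part of the original post: a small log triage script that separates /default.ida probes by their padding character (the N's versus X's distinction raised above) and lists sources that hit more than once. The sample lines are constructed, with documentation-range addresses and shortened padding runs; the names PROBE and summarize are this example's own.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format. Addresses are
# documentation-range placeholders and the padding runs are shortened.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Aug/2001:06:17:55 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 275 "-" "-"
198.51.100.7 - - [04/Aug/2001:06:20:01 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 275 "-" "-"
192.0.2.10 - - [04/Aug/2001:06:41:12 -0700] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 275 "-" "-"
203.0.113.5 - - [04/Aug/2001:06:45:30 -0700] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
"""

# Client IP, then a GET for /default.ida whose query string starts with a run
# of one repeated letter (the padding) followed by at least one %uXXXX escape.
PROBE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /default\.ida\?(?P<c>[A-Za-z])(?P=c){7,}(?:%u[0-9a-fA-F]{4})+'
)

def summarize(lines):
    """Return ({padding char: request count}, [IPs seen more than once])."""
    by_pad = Counter()
    per_ip = Counter()
    for line in lines:
        m = PROBE.match(line)
        if not m:
            continue  # ordinary traffic or an unrelated request
        by_pad[m.group("c")] += 1
        per_ip[m.group("ip")] += 1
    repeats = sorted(ip for ip, n in per_ip.items() if n > 1)
    return dict(by_pad), repeats

if __name__ == "__main__":
    by_pad, repeats = summarize(SAMPLE_LOG.splitlines())
    print("probes by padding character:", by_pad)
    print("sources seen more than once:", repeats)
```
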
This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 19:44:25 PDT