On Sun, Jun 23, 2002 at 12:45:16PM -0400, Kee Hinckley wrote: > Does anyone know what this is about? > > 80.14.144.19 - - [17/Jun/2002:17:40:42 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET" > 80.14.144.19 - - [17/Jun/2002:17:41:16 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET" > 67.218.5.187 - - [17/Jun/2002:18:04:11 -0400] "GET /infector.exe HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET" > 67.218.5.187 - - [17/Jun/2002:18:04:32 -0400] "GET /infector.exe HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET" > 80.14.144.19 - - [17/Jun/2002:18:23:38 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET" > 80.14.144.19 - - [17/Jun/2002:18:24:54 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET" > 195.131.106.186 - - [17/Jun/2002:18:25:12 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET" > 195.131.106.186 - - [17/Jun/2002:18:28:42 -0400] "GET /instructions.txt HTTP/1.1" 302 332 "-" "ZOMBIES_HTTP_GET" > As the above ip-addresses are all dialup or cable, it looks like yet another trojan. -- patrick oonk - pine internet - patrickat_private - www.pine.nl/~patrick T:+31-70-3111010 - F:+31-70-3111011 - Read news at http://security.nl PGPid A4E74BBF fp A7CF 7611 E8C4 7B79 CA36 0BFD 2CB4 7283 A4E7 4BBF Note: my NEW PGP key is available at http://www.pine.nl/~patrick/ Excuse of the day: root rot ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jun 25 2002 - 08:44:34 PDT