Unicode worm?

From: Turner, Keith (Contractor) (TurnerL@tea-emh1.army.mil)
Date: Wed Aug 21 2002 - 09:41:31 PDT

  • Next message: John Sage: "Re: Unicode worm?"

      I've noticed some activity on a couple of web servers which I'm trying to
    find an explanation for.  It's been happening for about 2 months.  Here's a
    log snippet :
    [08-21-2002 - 00:56:11] Client at x.x.x.x: URL normalization was not
    complete after one pass. Request will be rejected.  Site Instance='1', Raw
     It doesn't appear to be Nimda, as it is a single request.  The web server
    IPs are within 1 ip of each other.  When one server sees the hit, the other
    server sees it within 2 seconds.  Everything I've seen says that Nimda picks
    random IPs (based on network), while this seems to be more of a scan.
    Anyone have any ideas what this may be?
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com

    This archive was generated by hypermail 2b30 : Wed Aug 21 2002 - 10:02:43 PDT