In-Reply-To: <Pine.LNX.4.21.0305292008410.9010-100000at_private>

>what is strange is that the cmd.exe / root.exe stuff is
> half way through with some other code before it

It doesn't look at all as if you received an HTTP request, but as if some code was sent to port 80.

>the ip it hit was not mapped to anything ( I believe it
> is unused) so this can not have been part of another
> tcp conversation

This doesn't make any sense...it has to be mapped to something, to a live machine. If it wasn't, how could the three-stage TCP handshake have been completed?

As someone else mentioned, it may be a follow-on packet to Code Red. Have you gone to this machine and checked the logs?

Harlan
This archive was generated by hypermail 2b30 : Sun Jun 01 2003 - 21:53:14 PDT