On Tue, Aug 26, 2003 at 09:48:28AM -0000, Pall Thayer wrote: > For the past week and a half or so, I've been noticing several strange > entries in my webserver access log. Although they appear harmless, the > volume of the requests worries me a bit. Here's what they look like: > > 218.103.121.39 - - [26/Aug/2003:08:28:12 +0000] "GET / HTTP/1.1" 200 686 "-" > "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" These are likely due to the Welchi worm - it uses as an additional attack vector an old WebDAV exploit to infect IIS 5.0 web servers. Most of the descriptions of the worm I read fail to mention this, but F-Secure's does: http://www.f-secure.com/v-descs/welchi.shtml I expect the worm will result in a lot of angry customers of web hosting businesses who impose surcharges for exceeding monthly bandwidth limits. George -- theallat_private
This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 20:41:26 PDT