Re(2): Security Issues...


Subject: Re(2): Security Issues...
From: Jonathan Mergy (mergy@natus.com)
Date: Mon Aug 13 2001 - 22:11:47 MDT


The 'default.ida?xxxx' are Code Red. They are looking to infect other MS
IIS-running webservers. Join the club on getting pounded by them.

http://www.cert.org/advisories/CA-2001-23.html

yellowdog-general@lists.yellowdoglinux.com writes:
>
>4.21.22.189 - - [12/Aug/2001:04:11:52 -0400] "GET
>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$
>24.182.1.195 - - [12/Aug/2001:04:27:09 -0400] "GET
>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$
>24.254.41.153 - - [12/Aug/2001:04:30:07 -0400] "GET
>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$
>24.12.7.35 - - [12/Aug/2001:04:35:02 -0400] "GET
>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$
>24.182.165.183 - - [12/Aug/2001:04:38:24 -0400] "GET
>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$
>24.182.60.67 - - [12/Aug/2001:05:00:24 -0400] "GET
>
>There are lots of entries like this from different IP addresses.
>
>One had this... 63.236.92.153 - - [12/Aug/2001:17:58:47 -0400] "GET
>/robots.txt HTTP/1.0" 404 275
>
>A regular hit to the page looks like this:
>130.126.28.63 - - [12/Aug/2001:18:55:11 -0400] "GET / HTTP/1.0" 200 868
>130.126.28.63 - - [12/Aug/2001:18:55:11 -0400] "GET
>/icons/apache_pb.gif HTTP/1.0" 200 2326
>130.126.28.63 - - [12/Aug/2001:18:55:11 -0400] "GET /poweredby.png
>HTTP/1.0" 200 1783
>130.126.28.63 - - [12/Aug/2001:18:55:45 -0400] "GET / HTTP/1.0" 200 191

-------------------
jonathan mergy
mergy@natus.com
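
Added example, not part of the original message: a small Python filter that counts `default.ida` padding probes per client address in an Apache access log, including entries that arrive `>`-quoted and wrapped by a mail client as in the post above. The sample lines and their addresses (documentation ranges) are constructed, and the 20-character padding threshold is an assumption.

```python
import re
from collections import Counter

# Start of an Apache common-log entry: host ident user [timestamp] "request...
ENTRY = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[([^\]]+)\] "(.*)$')
# default.ida request whose query string opens with a long run of one filler
# letter. The quoted lines use X; N-padded requests were also seen in 2001.
# The threshold of 20 is an assumption chosen to skip ordinary query strings.
PROBE = re.compile(r'^GET /default\.ida\?(?:X{20,}|N{20,})')

# Constructed sample: quoted, mail-wrapped, and truncated with '$' like the post.
SAMPLE = """\
>192.0.2.10 - - [12/Aug/2001:04:11:52 -0400] "GET
>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$
>198.51.100.7 - - [12/Aug/2001:04:27:09 -0400] "GET
>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$
>192.0.2.10 - - [12/Aug/2001:05:02:40 -0400] "GET
>/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN$
>203.0.113.5 - - [12/Aug/2001:18:55:11 -0400] "GET / HTTP/1.0" 200 868
>203.0.113.5 - - [12/Aug/2001:18:55:11 -0400] "GET
>/icons/apache_pb.gif HTTP/1.0" 200 2326
>203.0.113.9 - - [12/Aug/2001:17:58:47 -0400] "GET /default.ida?id=1 HTTP/1.0" 404 275
"""

def unwrap(text):
    """Strip '>' quoting and rejoin entries that a mail client wrapped."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip('> ').rstrip()
        if not line:
            continue
        if ENTRY.match(line):
            entries.append(line)          # a new log entry starts here
        elif entries:
            entries[-1] += ' ' + line     # continuation of the previous entry
    return entries

def probe_sources(text):
    """Count default.ida padding probes per client address."""
    hits = Counter()
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if m and PROBE.match(m.group(3)):
            hits[m.group(1)] += 1
    return hits

if __name__ == "__main__":
    for host, count in probe_sources(SAMPLE).most_common():
        print(f"{host}\t{count}")
```

On an Apache host these requests end in 404 and do no harm, so the per-source count is mainly useful for measuring the noise or feeding a block list.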


