nanog mailing list archives
New Virus in the wild
From: Nils Ketelsen <nils.ketelsen () kuehne-nagel com>
Date: Mon, 17 Jan 2005 11:39:12 -0500
We see a lot of requests of the following format in our proxy logs: 1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html 1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html 1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html The Port these clients are trying to connect to seem to be in the range between 25000 and 26000 all the time. All requests have the timestamp in the URL (/2005/1/17/11/23/43 for example). We are currently investigating together with NAI what that is. We have a bunch of internal hosts producing these requests and the numbers are rising. The load is starting to render our proxies unusable. Any hints are very welcome. Nils
Current thread:
- New Virus in the wild Nils Ketelsen (Jan 17)
- Re: New Virus in the wild Gadi Evron (Jan 17)
- Re: New Virus in the wild Nils Ketelsen (Jan 17)
- Re: New Virus in the wild Gadi Evron (Jan 17)
- Re: New Virus in the wild Gadi Evron (Jan 17)
- Re: New Virus in the wild Gadi Evron (Jan 19)
- Re: New Virus in the wild Gadi Evron (Jan 19)
- Re: New Virus in the wild Nils Ketelsen (Jan 19)
- Re: New Virus in the wild Jason Frisvold (Jan 19)
- Re: New Virus in the wild Nils Ketelsen (Jan 17)
- Re: New Virus in the wild Gadi Evron (Jan 17)