Rash of seemingly "old" virii

[Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>]

I am seeing some of our student computers (to the tune of 10-12
machines) hitting various web servers, both inside and outside our
campus, requesting:

137.165.xxx.yyy - - [07/Mar/2005:09:24:06 -0500] "POST
/_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 - "-" "-"
137.165.xxx.yyy - - [07/Mar/2005:09:24:06 -0500] "POST
/_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 - "-" "-"
137.165.xxx.yyy - - [07/Mar/2005:09:24:06 -0500] "SEARCH
/
\x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0
4H\x04H\x04H\x04H\x04H\x04H\x04H\x04H .... [thousands of characters
removed for sanity sake]

In searching the web, I find that this SEEMS to be the FrontPage
extension attack from 2-3 years ago.  I "got a hold" of a couple of
student machines that were the xxx.yyy addresses.  So far, BOTH of
these machines have AV protection running AND have updated def files.
I have run various Spyware scans using all 17,000 of our favorite
Spyware tools - nothing has come up (well, gator, but that is kinda
expected) that clues me into what is going on.

I am wondering whether any of you have seen anything like this, or
potentially have an explanation.  I am just about at my wits end trying
to counter/explain it.

*** Please note that I am posting this to BOTH the ResNet list and the
Educause Security list ***

PeteC

Peter Charbonneau
Sr. Network and Systems Administrator
Williams College
(413) 597-3408 (desk)
(413) 822-2922 (cell)

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.