Scanners using netcraft?

[symetrix () EARTHLINK NET (Michael Damm)]

-----BEGIN PGP SIGNED MESSAGE-----

Hello.

I helped a good friend do some basic security on this small business
webserver a while back.
Tonight I received a message from him stating that it something was
up and he didn't quite understand it.

His eth0 device was put into promisc, as I told him, an obvious sign
the box was owned somehow.

The only things I was able to dig out of the logs was:
httpd log:
195.188.192.12 - - [03/Jan/2000:00:05:46 -0800] "HEAD / HTTP/1.1" 200
0
(resolves to zanussi.netcraft.com)

then syslog:
Jan  4 15:58:54 [boxname] kernel: eth0: Setting promiscuous mode. 
Jan  4 15:58:54 [boxname] kernel: device eth0 entered promiscuous
mode 
Jan  4 15:58:55 [boxname] kernel: eth0: Setting promiscuous mode. 
Jan  4 15:58:55 [boxname] kernel: device eth0 left promiscuous mode 
(All clock times approx. 20 min off from Pacific time)

A quick run over to my favorite 0day site gave me only a local
exploit for his OS (Mandrake 6)

All daemons that were running were the latest version, and those were
minimal, taking my security advice. I cant get an exact list or any
further data right now, it appears he 'eth0 down'ed the box.

My questions for the list:
1. is netcraft.com being used it some mass scan for a httpd related
or other remote overflow?
2. Is Mandrake 6 obviously vulnerable to something I'm not aware of?

Thanks,
    Mike
    Security and stuff. Hire me.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2

iQCVAwUBOHL/IXdViB0XYAcrAQHczwP/WFqcmtLDccPI3R8LDVXsQk3IDYyFQLe9
Yfr0Yz5y5ks3493tabI2eAoUdLVRN1pqoH9wrrrs8zdRuOp3Xk3rdL2CD+dV5E+g
etheVtFnUsKSfuirUwMMpbDVrzDxsW2lrpNSUJ83Ft90hONaG89bIo00ofeHvq1m
u+pZdbX8RJw=
=N2kW
-----END PGP SIGNATURE-----