Security Incidents mailing list archives

CRv3?


From: Wayne Conrad <wconrad () yagni com>
Date: 4 Aug 2001 07:59:39 -0700

Is there something new in the neighborhood?  I'm getting CodeRed-looking thingies but with X's instead of N's.  I've seen six of these in the last hour:

64.81.87.33 - - [04/Aug/2001:06:17:55 -0700] "GET 
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
  HTTP/1.0" 404 275 "-" "-"

I'm a Speakeasy customer, so it's curious that most of these are coming from Speakeasy or Covad DSL accounts.  It's also curious that I got hit twice from one IP -- not behavior I remember seeing from CodeRed so far.

Name: dsl081-087-033.lax1.dsl.speakeasy.net
Address: 64.81.87.33

Name: dsl081-087-033.lax1.dsl.speakeasy.net
Address: 64.81.87.33

Name: www.sacramentochats.com
Address: 64.81.62.38

Name: dsl081-081-047.lax1.dsl.speakeasy.net
Address: 64.81.81.47

Name: h-64-105-162-178.lnoclli.covad.net
Address: 64.105.162.178

Name: dsl081-156-226.chi1.dsl.speakeasy.net
Address: 64.81.156.226

Any ideas?  Is this something new, or a retread I didn't know about?

    Wayne Conrad

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
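
Added example, not part of the original post: one way to triage a web server access log for the pattern described above, grouping `/default.ida?` probes by their filler character (N versus X) and listing sources that hit more than once. The sample lines, the 192.0.2.x addresses, the 224-character filler length, the 32-character threshold and the function names are all constructed assumptions; the code expects one unwrapped log entry per line.

```python
import re
from collections import Counter

# Apache common/combined log format: client, identity, user, [time], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
# /default.ida? followed by one letter repeated at least 32 times (assumed threshold).
IDA_RE = re.compile(r'/default\.ida\?(?P<fill>([A-Za-z])\2{31,})', re.I)

def classify(line):
    """Return (ip, filler_char, filler_len, status) for a default.ida probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = IDA_RE.search(m.group("req"))
    if not hit:
        return None
    fill = hit.group("fill")
    return m.group("ip"), fill[0], len(fill), int(m.group("status"))

def summarize(lines):
    """Count probes per filler character and list source IPs seen more than once."""
    by_filler, by_ip = Counter(), Counter()
    for line in lines:
        rec = classify(line)
        if rec:
            by_filler[rec[1]] += 1
            by_ip[rec[0]] += 1
    repeats = sorted(ip for ip, n in by_ip.items() if n > 1)
    return dict(by_filler), repeats

def _line(ip, ch, n=224):
    # Constructed log entry; the payload tail is replaced by a short stand-in.
    return (f'{ip} - - [04/Aug/2001:06:17:55 -0700] '
            f'"GET /default.ida?{ch * n}=a HTTP/1.0" 404 275 "-" "-"')

SAMPLE = [  # constructed input, not taken from the post
    _line("192.0.2.10", "N"),
    _line("192.0.2.20", "X"),
    _line("192.0.2.20", "X"),
    '192.0.2.30 - - [04/Aug/2001:06:20:01 -0700] "GET /index.html HTTP/1.0" 200 512 "-" "-"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A 404 status on these entries, as in the post, means the server had no `/default.ida` resource to hand the request to.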

