Code Red variant only from 24.x.x.x?

["Michael Katz" <mike () responsible com>]

Hi all,

Beginning at 14:03 GMT and 18:57 continuing until Aug. 4, 2001, I have seen the following entry 65 times against my 
home server:

2001-08-04 18:47:11 24.147.178.221 GET /default.ida 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
 404 604 3818 HTTP/1.0 - -

Note that the character used is X instead of N as is typically seen in the Code Red worm.  The code inserted, however, 
appears to be the same.

All of the attacks have come from 24.x.x.x IP addresses, which usually indicate home cable modem users.  Most of these 
appear  be from Windows machines.  Has anyone else seen this traffic?

Michael Katz
mike () responsible com
Responsible Solutions, Ltd.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com