Security Incidents mailing list archives
Code Red variant only from 24.x.x.x?
From: "Michael Katz" <mike () responsible com>
Date: Sat, 4 Aug 2001 12:44:14 -0700
Hi all, Beginning at 14:03 GMT and 18:57 continuing until Aug. 4, 2001, I have seen the following entry 65 times against my home server: 2001-08-04 18:47:11 24.147.178.221 GET /default.ida XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 404 604 3818 HTTP/1.0 - - Note that the character used is X instead of N as is typically seen in the Code Red worm. The code inserted, however, appears to be the same. All of the attacks have come from 24.x.x.x IP addresses, which usually indicate home cable modem users. Most of these appear be from Windows machines. Has anyone else seen this traffic? Michael Katz mike () responsible com Responsible Solutions, Ltd. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Code Red variant only from 24.x.x.x? Michael Katz (Aug 04)