Security Incidents mailing list archives

Re: http://www.worm.com/default.ida? requests


From: Robin Stevens <robin.stevens () computing-services oxford ac uk>
Date: Wed, 1 Aug 2001 19:07:21 +0100

On Wed, Aug 01, 2001 at 04:36:18PM +0100, Sean Kelly wrote:
> My webcache is having a massive amount of requests for
> http://www.worm.com/default.ida?.  Is this an infected machine trying to
> scan, or is this a scanner trying to detect compromised hosts?

On the last round, the hosts trying to access it matched almost exactly
those found to be vulnerable to Code Red.  One host managed 46 million
requests over a 30 hour period.

Once again we've got hosts hammering away at the cache with requests for
that URL, and some admins not taking them offline when asked.  *sigh*  

-- 
--------------- Robin Stevens  <robin.stevens () oucs ox ac uk> -----------------
Oxford University Computing Services ----------- Web: http://www.cynic.org.uk/
------- (+44)(0)1865: 273212 (work) 273275 (fax)  Mobile: 07776 235326 -------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
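
An added example, not part of the original message: one way to list which cache clients are requesting the URL discussed above and at what rate, so the busiest hosts can be chased first. It assumes Squid's native access.log field layout (the thread does not name the cache software), and the sample log lines are constructed.

```python
# Assumed layout (Squid native): time elapsed client action/code bytes method URL ...
from urllib.parse import urlsplit

MARKER_HOST, MARKER_PATH = "www.worm.com", "/default.ida"  # URL from the thread
# Constructed sample lines using documentation addresses, not real log data.
SAMPLE_LOG = """\
996681600.100 15 192.0.2.10 TCP_MISS/503 1024 GET http://www.worm.com/default.ida? - DIRECT/- text/html
996681600.400 14 192.0.2.10 TCP_MISS/503 1024 GET http://www.worm.com/default.ida? - DIRECT/- text/html
996681601.000 90 192.0.2.44 TCP_HIT/200 5120 GET http://www.example.org/index.html - NONE/- text/html
996681602.100 15 192.0.2.10 TCP_MISS/503 1024 GET http://WWW.WORM.COM/default.ida?NNNN - DIRECT/- text/html
996681660.000 13 192.0.2.77 TCP_MISS/503 1024 GET http://www.worm.com/default.ida? - DIRECT/- text/html
truncated line
"""

def is_marker_request(url):
    """True when the URL targets default.ida on the marker host."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return (parts.hostname or "") == MARKER_HOST and parts.path.lower() == MARKER_PATH

def summarise(lines):
    """Return {client: [count, first_seen, last_seen]} for marker requests."""
    stats = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed entry
        try:
            ts = float(fields[0])
        except ValueError:
            continue
        client, url = fields[2], fields[6]
        if is_marker_request(url):
            entry = stats.setdefault(client, [0, ts, ts])
            entry[0] += 1
            entry[1], entry[2] = min(entry[1], ts), max(entry[2], ts)
    return stats

def report(stats, min_requests=2):
    """(client, count, requests/second) at or above min_requests, busiest first."""
    rows = [(c, n, round(n / max(last - first, 1.0), 2))
            for c, (n, first, last) in stats.items() if n >= min_requests]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for row in report(summarise(SAMPLE_LOG.splitlines())):
        print("%-15s requests=%d rate=%.2f/s" % row)
```

The `min_requests` threshold is a tuning knob: on a real log, set it high enough to separate hosts hammering the cache from a one-off request.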