Security Incidents mailing list archives
Re: http://www.worm.com/default.ida? requests
From: Robin Stevens <robin.stevens () computing-services oxford ac uk>
Date: Wed, 1 Aug 2001 19:07:21 +0100
On Wed, Aug 01, 2001 at 04:36:18PM +0100, Sean Kelly wrote:
> My webcache is having a massive amount of requests for http://www.worm.com/default.ida?. Is this an infected machine trying to scan, or is this a scanner trying to detect compromised hosts?
On the last round, the hosts trying to access it matched almost exactly those found to be vulnerable to Code Red. One host managed 46 million requests over a 30 hour period.

Once again we've got hosts hammering away at the cache with requests for that URL, and some admins not taking them offline when asked. *sigh*

--
Robin Stevens <robin.stevens () oucs ox ac uk>
Oxford University Computing Services
Web: http://www.cynic.org.uk/
(+44)(0)1865: 273212 (work) 273275 (fax) Mobile: 07776 235326
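An added example, not part of the original message: one way to list the internal clients sending these requests through a cache, with request counts and how long each has been active. It assumes Squid's native access.log layout (the thread does not name the cache software); the log lines are constructed sample data.

```python
# Assumed Squid native access.log fields:
#   time elapsed client code/status bytes method URL ident hierarchy type
MARKER = "http://www.worm.com/default.ida?"

# Constructed sample lines (documentation addresses, placeholder query string).
SAMPLE_LOG = """\
996681600.000 5 192.0.2.10 TCP_MISS/503 1200 GET http://www.worm.com/default.ida?PAD - NONE/- -
996681601.000 4 192.0.2.10 TCP_MISS/503 1200 GET http://www.worm.com/default.ida?PAD - NONE/- -
996681660.000 90 192.0.2.77 TCP_HIT/200 5120 GET http://www.example.org/index.html - NONE/- text/html
996685200.000 6 192.0.2.10 TCP_MISS/503 1200 GET http://WWW.WORM.COM/default.ida?PAD - NONE/- -
996685300.000 7 192.0.2.23 TCP_MISS/503 1200 GET http://www.worm.com/default.ida?PAD - NONE/- -
truncated line
"""

def summarise(lines, marker=MARKER):
    """Map client IP -> [hits, first_seen, last_seen] for requests to marker."""
    seen = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated log line
        try:
            ts = float(fields[0])
        except ValueError:
            continue  # first field is not a timestamp
        # Compare case-insensitively: clients may vary the host name's case.
        if not fields[6].lower().startswith(marker):
            continue
        rec = seen.setdefault(fields[2], [0, ts, ts])
        rec[0] += 1
        rec[1] = min(rec[1], ts)
        rec[2] = max(rec[2], ts)
    return seen

def report(lines, min_hits=1):
    """Return (client, hits, hours_active) rows, busiest client first."""
    rows = [(client, hits, round((last - first) / 3600, 2))
            for client, (hits, first, last) in summarise(lines).items()
            if hits >= min_hits]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for client, hits, hours in report(SAMPLE_LOG.splitlines()):
        print(f"{client}\t{hits} requests over {hours} h")
```

The resulting client list is the set of hosts to check for the Code Red vulnerability and take offline.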