Security Incidents mailing list archives

RE: http://www.worm.com/default.ida? requests


From: "Marc Maiffret" <marc () eeye com>
Date: Wed, 1 Aug 2001 13:37:54 -0700

Some web caching systems and sniffers take the Host: header from an HTTP
request and put that as the DNS name for the incoming IP address. And what's
in the Code Red Host header? worm.com. So some things display worm.com as the
incoming/outgoing (depending on what packet you're viewing) request.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

|-----Original Message-----
|From: Robin Stevens
|[mailto:robin.stevens () computing-services oxford ac uk]
|Sent: Wednesday, August 01, 2001 11:07 AM
|To: incidents () securityfocus com
|Subject: Re: http://www.worm.com/default.ida? requests
|
|
|On Wed, Aug 01, 2001 at 04:36:18PM +0100, Sean Kelly wrote:
|>      My webcache is having a massive amount of requests for
|> http://www.worm.com/default.ida?.  Is this an infected machine trying to
|> scan, or is this a scanner trying to detect compromised hosts?
|
|On the last round, the hosts trying to access it matched almost exactly
|those found to be vulnerable to Code Red.  One host managed 46 million
|requests over a 30 hour period.
|
|Once again we've got hosts hammering away at the cache with requests for
|that URL, and some admins not taking them offline when asked.  *sigh*
|
|--
|--------------- Robin Stevens  <robin.stevens () oucs ox ac uk> -----------------
|Oxford University Computing Services ----------- Web: http://www.cynic.org.uk/
|------- (+44)(0)1865: 273212 (work) 273275 (fax)  Mobile: 07776 235326 -------
|
|-------------------------------------------------------------------
|---------
|This list is provided by the SecurityFocus ARIS analyzer service.
|For more information on this free incident handling, management
|and tracking system please see: http://aris.securityfocus.com
|
|
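
Added example (not part of the original posts, and not eEye's or anyone's production code): a Python sketch of the labelling behaviour described in the reply above, where a cache or sniffer shows the Host: header as the peer name, next to a per-client count keyed on source IP and request path instead. The requests and 192.0.2.x addresses are constructed samples, the query string is a placeholder, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample: (client IP, raw request) as a transparent cache might see them.
# "XXXX" is a placeholder query string, not the worm's actual request data.
SAMPLE = [
    ("192.0.2.10", b"GET /default.ida?XXXX HTTP/1.0\r\nHost: www.worm.com\r\n\r\n"),
    ("192.0.2.10", b"GET /default.ida?XXXX HTTP/1.0\r\nhost: WWW.WORM.COM\r\n\r\n"),
    ("192.0.2.77", b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),
    ("192.0.2.31", b"GET /default.ida?XXXX HTTP/1.0\r\n\r\n"),  # no Host header at all
]

def parse(raw):
    """Return (host, target) from a raw request; host is None if no Host header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *headers = head.split("\r\n")
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    host = None
    for line in headers:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":  # header names are case-insensitive
            host = value.strip().lower()
            break
    return host, target

def displayed_name(raw, client_ip):
    """What a Host-trusting tool shows as the peer: sender-supplied text, not a DNS lookup."""
    host, _ = parse(raw)
    return host or client_ip

def default_ida_clients(events):
    """Count /default.ida requests per source IP, ignoring whatever Host: claims."""
    hits = Counter()
    for ip, raw in events:
        _, target = parse(raw)
        if target.split("?", 1)[0].lower() == "/default.ida":
            hits[ip] += 1
    return hits

if __name__ == "__main__":
    for ip, raw in SAMPLE:
        print(ip, "shown as", displayed_name(raw, ip))
    print(default_ida_clients(SAMPLE).most_common())
```

Counting by source IP and path is what yields the list of internal hosts to chase, which is the comparison made in the quoted message below the reply.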

