Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: .ida Intrusion Attempt

From: "Ulrich Keil" <ulrichk () der-keiler de>
Date: Thu, 19 Jul 2001 23:34:03 -0000
I think the reason for this is that the Worm just does an connect to
randomIP:80.

If your "Default-Web" (Don't know how it's called on NT) on every IP-Adress is
www.domain.com, the you just get hit on your www. Web, and not on the other
Webs, which are (possibly) on the same IP.

Ulrich Keil

Linux/UNIX SysAdmin

-----Original Message----- 
From: Colby Rice [mailto:crice_at_180096hotel.com] 
Sent: Thursday, July 19, 2001 1:29 PM 
Cc: incidents_at_securityfocus.com; focus-ids_at_securityfocus.com 
Subject: RE: .ida Intrusion Attempt 

Has anyone else noticed that it is only hitting www. servers? or am I 
just lucky? I am getting many many attempts but ONLY on my 
www.<whatever> servers I DO have servers with port 80 open to the 
outside world that ARE NOT getting hit. from everything I have read on 
this worm it is picking its IP's at random and if that is the case then 
I should have been hit on something OTHER then these (few) www. 
servers.. 

(or am I missing something?) 

                CR 





----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: