Fwd: Re: please read: very odd network traffic
-- Forwarded Message --

there's more though. but again i'm not sure.. for the first time i've seen a few odd requests being logged in boa, just a small snippet:

[07/Aug/2001:06:26:03 +] request from 195.38.105.70 GET /default.ida? X X XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a HTTP/1.0 (/var/www/default.ida): document open: No such file or directory
[07/Aug/2001:07:13:08 +] bogus HTTP version: HTTP/1.0
[07/Aug/2001:07:43:15 +] bogus HTTP version: HTTP/1.0
[07/Aug/2001:07:59:05 +] malformed request: %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a HTTP/1.1
[07/Aug/2001:08:17:28 +] request from 195.38.44.138 GET /default.ida? X X XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a HTTP/1.0 (/var/www/default.ida): document open: No such file or directory
[07/Aug/2001:08:31:51 +] bogus HTTP version: HTTP/1.0
[07/Aug/2001:08:57:30 +] bogus HTTP version: HTTP/1.0
[07/Aug/2001:09:08:55 +] bogus HTTP version: HTTP/1.0
[07/Aug/2001:09:13:38 +] bogus HTTP version: HTTP/1.0
[07/Aug/2001:09:20:26 +] bogus HTTP version: HTTP/1.0
[07/Aug/2001:09:29:23 +] bogus HTTP version: HTTP/1.0

this all seems rather coincidental.. and seems to confirm my idea of being infected with a virus/worm.. hope this helps (me, heh.. :)

On Tuesday 07 August 2001 18:40, William Leese wrote:
> I think my machine has been compromised though i'm not entirely sure. I
> suddenly saw a reasonable amount of traffic when I wasn't doing anything
> that could generate it, so I turned off all the net-connection-using
> applications and still there was traffic. Opened top to see if there was
> a process that wasn't terminated yet, nope.. that wasn't it. Turned off
> networking.
>
> Tried netstat -ap and found to my great dismay that inetd had started the
> ftp service, or at least that port was available. I accidentally
> installed wu-ftp a while ago but I thought I had removed it.. oh well.
> So, commented it out and restarted inetd. No luck.. the moment I started
> the networking script there was traffic. Turned off networking. But not
> before using Ethereal to capture a few packets. I've added an attachment
> with the log, could someone take a look at it and tell me what could be
> causing this.. it would seem like something (a worm or virus) is scanning
> the network looking for (vulnerable?) computers.
---
Re: Fwd: Re: please read: very odd network traffic
On Tue, Aug 07, 2001 at 06:53:38PM +0200, William Leese wrote:
> there's more though. but again i'm not sure.. for the first time i've
> seen a few odd requests being logged in boa, just a small snippet:
>
> [07/Aug/2001:06:26:03 +] request from 195.38.105.70 GET /default.ida? X X XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a HTTP/1.0 (/var/www/default.ida): document open: No such file or directory

Code Red Mk. II. See any of the recent Code Red threads or incidents.org
for more information.

-- 
With the arrest of Dimitry Sklyarov it has become apparent that it is not
safe for non US software engineers to visit the United States. - Alan Cox
To prevent unauthorized reading... - Adobe eBook reader license
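The identification above rests on the shape of the request: `GET /default.ida?` followed by a long run of padding characters and then a `%u`-encoded payload that begins `%u9090%u6858%ucbd3%u7801`. As an added example (not code from the thread or from boa), here is detection logic that pulls those probes out of boa's error log, attributes each to a source address where boa logged one, and classifies the variant from the padding. The sample log lines are constructed for this example in the format seen in the post (the long X runs the post abbreviates are restored, a timezone is added to the timestamp, and an N-padded probe plus a benign request are made up so the classifier has something to distinguish). The padding-to-variant mapping (N runs for the July Code Red, X runs for Code Red II) and the full encoded tail used to build the sample are assumptions from the public Code Red write-ups, not from the thread; the detector itself only keys on the payload prefix the post shows.

```python
import re
from collections import Counter

# Prefix of the %u-encoded payload in every probe quoted in the thread.
PAYLOAD_MARK = "%u9090%u6858%ucbd3%u7801"

# Full encoded tail, used only to construct the sample below (assumed from
# public analyses; the post abbreviates it and detection keys on PAYLOAD_MARK).
PAYLOAD_TAIL = (PAYLOAD_MARK * 3
                + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

BOA_LINE = re.compile(r"^\[(?P<time>[^\]]+)\]\s+(?P<rest>.*)$")
IDA_REQUEST = re.compile(
    r"request from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"GET /default\.ida\?(?P<pad>[A-Za-z]*)" + re.escape(PAYLOAD_MARK))

# Constructed sample in boa's error-log format, modelled on the thread's snippet.
SAMPLE_LOG = "\n".join([
    f"[07/Aug/2001:06:26:03 +0200] request from 195.38.105.70 GET /default.ida?{'X'*40}{PAYLOAD_TAIL} HTTP/1.0 (/var/www/default.ida): document open: No such file or directory",
    "[07/Aug/2001:07:13:08 +0200] bogus HTTP version: HTTP/1.0",
    f"[07/Aug/2001:07:59:05 +0200] malformed request: {PAYLOAD_TAIL} HTTP/1.1",
    f"[07/Aug/2001:08:17:28 +0200] request from 195.38.44.138 GET /default.ida?{'X'*40}{PAYLOAD_TAIL} HTTP/1.0 (/var/www/default.ida): document open: No such file or directory",
    f"[07/Aug/2001:09:00:00 +0200] request from 192.0.2.10 GET /default.ida?{'N'*40}{PAYLOAD_TAIL} HTTP/1.0 (/var/www/default.ida): document open: No such file or directory",
    "[07/Aug/2001:09:05:00 +0200] request from 192.0.2.11 GET /index.html HTTP/1.0 (/var/www/index.html): document open: No such file or directory",
])


def classify_padding(pad):
    """Map the pre-payload padding to a worm family.

    Assumed mapping from the public Code Red analyses: runs of 'N' for the
    July Code Red, runs of 'X' for Code Red II. Anything else is flagged as
    an .ida overflow attempt of unknown origin rather than ignored.
    """
    chars = set(pad)
    if chars == {"X"}:
        return "Code Red II"
    if chars == {"N"}:
        return "Code Red (v1/v2)"
    return "unknown .ida overflow attempt"


def scan_boa_log(text):
    """Return one record per Code Red-style probe found in boa error-log text."""
    hits = []
    for line in text.splitlines():
        m = BOA_LINE.match(line)
        if not m:
            continue  # not a boa error-log line
        when, rest = m.group("time"), m.group("rest")
        r = IDA_REQUEST.search(rest)
        if r:
            hits.append({"time": when, "src": r.group("src"),
                         "variant": classify_padding(r.group("pad"))})
        elif rest.startswith("malformed request:") and PAYLOAD_MARK in rest:
            # boa rejected the request before logging a peer address, so the
            # payload is all that survives; it still counts as a probe.
            hits.append({"time": when, "src": None,
                         "variant": "Code Red payload (source not logged)"})
    return hits


def probe_sources(hits):
    """Count probes per attributable source address."""
    return Counter(h["src"] for h in hits if h["src"] is not None)


if __name__ == "__main__":
    found = scan_boa_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']}  {h['src'] or '-':15}  {h['variant']}")
    print("probes per source:", dict(probe_sources(found)))
```

The `bogus HTTP version` lines in the post carry no payload and no peer address, so nothing in them can be attributed to the worm; only the `request from` and `malformed request` lines are scored. The overflow the payload targets lives in IIS's `.ida` ISAPI extension, so a Linux host running boa, as here, can only be on the receiving end of these probes; the 404 boa logs for `/var/www/default.ida` is the request failing, not succeeding.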
Re: Fwd: Re: please read: very odd network traffic
On Tuesday 07 August 2001 18:59, Dave Sherohman wrote:
> On Tue, Aug 07, 2001 at 06:53:38PM +0200, William Leese wrote:
> > there's more though. but again i'm not sure.. for the first time i've
> > seen a few odd requests being logged in boa, just a small snippet:
> >
> > [07/Aug/2001:06:26:03 +] request from 195.38.105.70 GET /default.ida? X X XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a HTTP/1.0 (/var/www/default.ida): document open: No such file or directory
>
> Code Red Mk. II. See any of the recent Code Red threads or incidents.org
> for more information.

Thanks to those who replied. This is a little startling. Although the meter rarely goes above 2.6K it's constant. Not something I'd fear bringing the internet to its knees, but it's nothing I've seen before on my home connection.
Re: Fwd: Re: please read: very odd network traffic
On Tue, 7 Aug 2001, William Leese wrote:
> On Tuesday 07 August 2001 18:59, Dave Sherohman wrote:
> > On Tue, Aug 07, 2001 at 06:53:38PM +0200, William Leese wrote:
> > > there's more though. but again i'm not sure.. for the first time i've
> > > seen a few odd requests being logged in boa, just a small snippet:
> > >
> > > [07/Aug/2001:06:26:03 +] request from 195.38.105.70 GET /default.ida? X X XX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u%u00=a HTTP/1.0 (/var/www/default.ida): document open: No such file or directory
> >
> > Code Red Mk. II. See any of the recent Code Red threads or incidents.org
> > for more information.
>
> Thanks to those who replied. This is a little startling. Although the
> meter rarely goes above 2.6K it's constant. Not something I'd fear
> bringing the internet to its knees, but it's nothing I've seen before on
> my home connection.

Multiply it out by 100 threads per CR worm and the thousands of CR carriers now. It WILL probably bring the Internet to its knees if some IIS admins don't start pulling their heads out.

-- 
There is no problem so great that it cannot be solved with suitable application of High Explosives.
Who is John Galt? [EMAIL PROTECTED], that's who!