Stephen Reppucci wrote:
>I've got a couple of dozen this month -- not sure what the source
>is, but they definitely seem to be coming from just a few hosts.
>Also, many of mine have no URI in the request, they just seem to
>connect and not make any request.
>
>Smells like some type of worm...
>
>On Thu, 20 Sep 2001, Nick Tonkin wrote:
>
>>Hi all, sorry to bother, but has anyone else noticed a bunch of 408
>>(client timed out) requests beginning last evening?
>>
>>Some but not all of these have also been trying the Nimda exploit. Perhaps
>>Nimda (or another Micro$oft product) is screwing up the clients?
>>
>>nick@world /usr/local/apachessl/bin>perl -e
>>'open(L,"/home/nick/logs/httpd_log"); while(<L>){
>>chomp;my $r=m/408/?"4":m/cmd|root|c\+di/?"w":"";
>>if($r){$_=~s/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}).*/$1/;$c{$r}{$_}++;}}
>>foreach(sort{ $c{4}{$a}<=>$c{4}{$b} } keys %{ $c{4} }){
>>print"$_\t\t[$c{4}{$_}]\t[$c{w}{$_}]\n";}'
>>
>>~~~~~~~~~~~
>>Nick Tonkin
>>
>

I've got around 30 too. This is on my ADSL box,
mostly on the 18th.
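
The per-host tally discussed in this thread, as an added example that is not part of any poster's message and is written in Python rather than the thread's Perl. It assumes Apache common log format with request-less timeouts logged as "-"; it matches the status field itself instead of "408" anywhere in the line, counts the empty-request 408s separately, and reuses the probe pattern from the one-liner. The sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed format (common log): host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) \S+')
# Same probe markers as the one-liner in the thread (cmd, root, c+di).
PROBE = re.compile(r'cmd|root|c\+di')

# Constructed sample lines using documentation addresses, not thread data.
SAMPLE = """\
192.0.2.10 - - [20/Sep/2001:03:14:07 -0700] "-" 408 -
192.0.2.10 - - [20/Sep/2001:03:14:09 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287
192.0.2.10 - - [20/Sep/2001:03:15:40 -0700] "-" 408 -
198.51.100.7 - - [20/Sep/2001:04:01:12 -0700] "GET /index.html HTTP/1.0" 200 4080
198.51.100.7 - - [20/Sep/2001:04:02:30 -0700] "GET /slow.html HTTP/1.0" 408 -
203.0.113.5 - - [20/Sep/2001:05:00:00 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
not a log line
"""

def tally(lines):
    """Return {host: {"408": n, "empty408": n, "probe": n}}."""
    hosts = defaultdict(lambda: {"408": 0, "empty408": 0, "probe": 0})
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        host, request, status = m.groups()
        if status == "408":  # status field only; a byte count of 4080 is ignored
            hosts[host]["408"] += 1
            if request in ("", "-"):  # connected but never sent a request
                hosts[host]["empty408"] += 1
        if PROBE.search(request):  # counted independently of the 408 check
            hosts[host]["probe"] += 1
    return dict(hosts)

def report(counts):
    """Rows of (host, 408s, empty 408s, probes), fewest 408s first."""
    rows = [(h, c["408"], c["empty408"], c["probe"]) for h, c in counts.items()]
    return sorted(rows, key=lambda r: (r[1], r[0]))

if __name__ == "__main__":
    for host, timeouts, empty, probes in report(tally(SAMPLE.splitlines())):
        print(f"{host}\t[{timeouts}]\t[{empty}]\t[{probes}]")
```

Unlike the one-liner, hosts that only sent probes and never timed out also appear in the report, with a 408 count of 0.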