I run 4 totally separate web servers
accessible from the outside world
using Apache/Linux (and 3 more that
are firewalled)
One of them has 409 of these since it
started getting them on the 20th July
(and I haven't bothered to check the
others :-)
There are 408 different IP addresses,
though I also guess that they are not
the originating IP addresses
(hmmm - 1 duplicate)
I would guess that the encoded hex after
the "NNNNNNNNNNNNN" is what matters on
an IIS server (but it may be IIS version
specific?)
Damn shame :-)
Annoying though - sigh
I run tcpdump on all incoming and outgoing
packets on my network (with a snarflen of 200)
Anyone got any suggestions on what I could
find out from the incoming packets?
I've never taken any interest in packets
with fake addresses since mostly they end
up going out to the wrong address and
thus get ignored anyway
-Cheers
-Andrew
--
MS ... if only he hadn't been hang gliding!
> On Sat, 04 Aug 2001 00:17, you wrote:
>> I take it this is that red worm virus trying to hit me?
>>
>> 61.24.45.197 - - [03/Aug/2001:05:55:43 -0500] "GET
>> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>> NNNNNNNNNNNNNNNNNNNNN
> [snip]
>
> I'm not sure what it is but I average 15+ per day at the moment on my
> server. I've tried hitting one of my IIS servers with the string and
> get the following response displayed in the web browser.
>
> [ERROR]
> the parameter is incorrect.
>
> However this is from a "default.ida" that doesn't even exist on the
> server anywhere... Thankfully the IIS server I have does not run live
> and is only used for development for customers. Who knows what could
> happen.
>
>
> --
> Best Regards
> Craig Jansen
> PH: +64 21 144 1851 FAX: +64 6 323 2060 L-ICQ: 9919767
_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
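
Added example, not part of the original thread: one way to get the counts discussed above (total `/default.ida?NNN...` requests, distinct source addresses, repeat sources, first day seen) from an Apache access log. The function name, the 32-character filler threshold and the sample lines (documentation-range addresses, encoded tail of the request omitted) are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Apache common log format: client, identd, user, [timestamp], "request", ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')
# Request shape quoted in the thread: GET /default.ida? followed by a long run
# of one repeated filler letter. The minimum run length (32) is an assumption.
PROBE_RE = re.compile(r'^GET /default\.ida\?([A-Za-z])\1{31,}', re.IGNORECASE)

def summarize(lines):
    """Count default.ida probes, distinct sources, repeat sources, first sighting."""
    per_ip, first_seen = Counter(), None
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROBE_RE.match(m.group(3)):
            continue  # malformed line or ordinary request
        per_ip[m.group(1)] += 1
        try:
            seen = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # the hit is still counted; only the timestamp is skipped
        if first_seen is None or seen < first_seen:
            first_seen = seen
    return {
        "hits": sum(per_ip.values()),
        "distinct_sources": len(per_ip),
        "repeat_sources": {ip: n for ip, n in per_ip.items() if n > 1},
        "first_seen": first_seen,
    }

# Constructed sample log lines; the bytes that follow the filler in a real
# request are deliberately left out.
FILLER = "N" * 64
SAMPLE = [
    f'192.0.2.10 - - [20/Jul/2001:03:12:09 -0500] "GET /default.ida?{FILLER} HTTP/1.0" 404 205',
    f'198.51.100.7 - - [01/Aug/2001:11:40:02 -0500] "GET /default.ida?{FILLER} HTTP/1.0" 404 205',
    '203.0.113.5 - - [02/Aug/2001:08:00:00 -0500] "GET /index.html HTTP/1.0" 200 1043',
    f'198.51.100.7 - - [03/Aug/2001:05:55:43 -0500] "GET /default.ida?{FILLER} HTTP/1.0" 404 205',
    'truncated line without a request field',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The source address in the log is the peer of a completed TCP connection, so a repeat source here means the same host connected more than once.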