I have been seeing an increase in requests like this in our log files.

At 09:54 AM 9/18/2001 -0400, you wrote:
>Heads up.  Pay attention to your servers today.  I just started detecting a
>*ton* of these requests.  I think it's a follow-up worm programmed to take
>advantage of the backdoors Code Red dropped on infected computers.  Maybe a
>Code Red III?
>
>The following log items are from NukeNabber running on my local machine.
>Anyone else seen anything about this?  I just noticed it.
>
>-Cameron
>
>--------------------
>Cameron Childress
>elliptIQ Inc.
>p.770.460.1035.232
>f.770.460.0963
>--
>http://www.neighborware.com
>America's Leading Community Network Software
>
>
>
>[09/18/2001 09:25:55.136 GMT-0400] Connection: dhcp181.onewebsystems.com
>(130.205.102.181) on port 80 (tcp).
>[09/18/2001 09:25:55.166 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[09/18/2001 09:25:55.176 GMT-0400] Port 80 (tcp) is now disabled for 60
>seconds.
>[09/18/2001 09:26:55.182 GMT-0400] Port 80 (tcp) is re-enabled.
>[09/18/2001 09:34:39.600 GMT-0400] Connection: anhb.uwa.edu.au
>(130.95.96.22) on port 80 (tcp).
>[09/18/2001 09:34:39.630 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[09/18/2001 09:34:39.640 GMT-0400] Port 80 (tcp) is now disabled for 60
>seconds.
>[09/18/2001 09:35:38.865 GMT-0400] Port 80 (tcp) is re-enabled.
>[09/18/2001 09:36:24.681 GMT-0400] Connection: OWSAFCE (130.205.102.205) on
>port 80 (tcp).
>[09/18/2001 09:36:24.711 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[09/18/2001 09:36:24.721 GMT-0400] Port 80 (tcp) is now disabled for 60
>seconds.
>[09/18/2001 09:37:24.016 GMT-0400] Port 80 (tcp) is re-enabled.
>[09/18/2001 09:39:18.100 GMT-0400] Connection: OWSJPA (130.205.102.192) on
>port 80 (tcp).
>[09/18/2001 09:39:18.130 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[09/18/2001 09:39:18.140 GMT-0400] Port 80 (tcp) is now disabled for 60
>seconds.
>[09/18/2001 09:40:17.265 GMT-0400] Port 80 (tcp) is re-enabled.
>[09/18/2001 09:40:44.965 GMT-0400] Connection: dhcp181.onewebsystems.com
>(130.205.102.181) on port 80 (tcp).
>[09/18/2001 09:40:44.995 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0
>Host: www
>Connnection: close
>
>
>[09/18/2001 09:40:45.005 GMT-0400] Port 80 (tcp) is now disabled for 60
>seconds.
>[09/18/2001 09:41:44.391 GMT-0400] Port 80 (tcp) is re-enabled.
>
>
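An added example, not part of the original posts: a small parser that tallies `/scripts/root.exe` requests per source address from a log in the NukeNabber layout quoted above. The sample log, its hostnames and documentation-range IPs are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the quoted NukeNabber layout (hosts and IPs are made up).
SAMPLE = """\
>[09/18/2001 09:25:55.136 GMT-0400] Connection: host-a.example.net
>(192.0.2.10) on port 80 (tcp).
>[09/18/2001 09:25:55.166 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0
>Host: www
>[09/18/2001 09:30:01.000 GMT-0400] Connection: HOSTB (192.0.2.20) on
>port 80 (tcp).
>[09/18/2001 09:30:01.030 GMT-0400] GET /index.html HTTP/1.0
>[09/18/2001 09:40:44.965 GMT-0400] Connection: host-a.example.net
>(192.0.2.10) on port 80 (tcp).
>[09/18/2001 09:40:44.995 GMT-0400] GET /scripts/root.exe?/c+dir HTTP/1.0
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<body>.*)$")
CONN = re.compile(r"Connection: (?P<host>\S+) \((?P<ip>[\d.]+)\) on port (?P<port>\d+)")
REQ = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d")
# IIS paths are case-insensitive, so match the probe path without regard to case.
PROBE = re.compile(r"^/scripts/root\.exe\?", re.IGNORECASE)

def entries(text):
    """Strip '>' quoting and rejoin mail-wrapped lines into [timestamp, body] entries."""
    out = []
    for raw in text.splitlines():
        line = raw.lstrip(">").strip()
        m = ENTRY.match(line)
        if m:
            out.append([m["ts"], m["body"]])
        elif line and out:
            out[-1][1] += " " + line  # continuation of the previous entry
    return out

def root_exe_probes(text):
    """Return a Counter mapping source IP to the number of root.exe requests."""
    hits, last_ip = Counter(), None
    for _ts, body in entries(text):
        conn = CONN.search(body)
        if conn:
            last_ip = conn["ip"]  # the request that follows belongs to this peer
            continue
        req = REQ.match(body)
        if req and last_ip and PROBE.match(req["target"]):
            hits[last_ip] += 1
    return hits
```

Calling `root_exe_probes()` on a saved copy of the log gives a per-source count that shows which addresses are probing repeatedly.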
Archives: http://www.mail-archive.com/cf-community@houseoffusion.com/