Did you try a browser erquest to that IP address? The only IP address
you gave. I think you messed up the "range" thing, because they're both
the same IP.
Anyway, I browsed to that site, and an .ASX (Windows Media Player) file
popped up automatically. Something is wrong there.
I would say it was Nimda, or Code Red, but the server Isn't IIS. It's a
Cougar (never heard of it) Web Server.
The host name is h216-106-166-141.ibeam.com.
Ibeam is a place where companies, and whatever can broadcast Netmeeting
Conferences, etc...
That would be my first place of contact.
Technical Contact:
iBeam Hostmaster (IH598-ORG) [EMAIL PROTECTED]
iBeam Broadcasting
645 Almanor Ave.
Suite 100
Sunnyvale , CA 94086
US
(408) 523-1700
Fax- (408) 730-0262
Hope this helps.
-Fab
--
Fab Siciliano CCSA
Networks and Security
Optium Corporation
Tel.215.712.6200 Ext.312
http://www.optiumcorp.com
--
-----Original Message-----
From: Seth Keller [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 21, 2001 3:39 PM
To: <@securityfocus.com
Subject: Has Anyone seen this?
I don't think my first post made it through, so here goes again. Our
web server has been completely bombarded for about four hours now by a
specific range of IP addresses. Our T1 line has been at 100% capacity
during this ordeal. We are receiving around 250 packets per second from
a range of IPs that I cannot completely trace.
The range is 216.106.166.141 through 216.106.166.141. All packets
appear to be legit http requests for port 80. The requests cycle
through from one IP after the next and then the cycle starts over. I
have tried using http://www.network-tools.com to trace the numbers to no
avail. I can only get within the last five nodes before the trace times
out.
Does anyone have any ideas what this may be? I'm thinking maybe a new
worm or a DOS but I'm not sure yet. Thanks in advance.
Seth Keller
Culver Community Schools
A+/N+/CIW
Intel Certified Integration Specialist 2000/2001
