Mark Foster
Ive had just one today, in the last half hour. None prior to that Did someone try to write a variant and screw up or maybe one of the infectees got weird?
Dunno, but I just looked and I've seen a couple, the first on Monday, and the other yesterday:: 203.154.66.42 - - [05/Aug/2001:16:44:34 +1200] "XXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3% u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190 %u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 - 203.244.70.50 - - [06/Aug/2001:18:24:12 +1200] "XXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%u cbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090% u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 - Note that not only is there no default.ida?, there's no GET either. The stuff after the filler is identical to all three variants of Code Red, so I can't see how it's could be propagating. I suspect a natural, sterile mutation. I've been graphing the attacks as they arrive here: http://www.daedalus.co.nz/~don/codered.gif Red is the old NNNN style Code Red, both the A variant and the more virulent B variant. The green is the C variant, with the X filler characters. Each bar is for a three hour period, starting Aug 1. Note the reduction in A/B attacks -- is the C variant killing off A/B somehow? -- don --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog