[Tue Aug 7 13:56:39 2001] [error] [client 203.199.60.10] Invalid URI in request XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

I've had just one today, in the last half hour. None prior to that. Did someone try to write a variant and screw up, or maybe one of the infectees got weird?

At 13:58 7/08/2001 +1200, you wrote:
[Tue Aug 7 13:57:14 2001] [error] [client 203.228.144.15] Invalid URI in request XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Just started getting these. No default.ida?.
Has the worm turned, again?
Tim J. Shackleton
Networks Admin/Programmer, Netlink LTD
Business: http://www.netlink.co.nz/
Personal: http://www.netnet.net.nz/
DDI +64 4 922 8476 -- Pager 64 +26 253 4356 -- Cellular +64 29 650 476
"Cold silence has a tendency to atrophy any sense of compassion"
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
One of the AMP machines (120 monitors in the US; see http://watt.nlanr.net/ and http://amp.nlanr.net/red.html, if you're interested) has seen two of these. None of the others have seen any. There's no GET. Looks a bit like a POST.
Sun Aug 5 06:20:04 PST 2001 --.156.231.202
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Host: --.156.233.5
Content-type: text/xml
Content-length: 3379
Cache-Control: max-stale=0

<C8><C8>^A <CD>^O<B6><C9><89><8D>T<FE><FF><FF><8B><81>~0<9A>^B s<C3>f<C7><85>p<FF><FF><FF>^B

On Tue, 7 Aug 2001, Mark Foster wrote:
[Tue Aug 7 13:56:39 2001] [error] [client 203.199.60.10] Invalid URI in request XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

I've had just one today, in the last half hour. None prior to that. Did someone try to write a variant and screw up, or maybe one of the infectees got weird?
Tony McGregor
Department of Computer Science, Waikato University
Private Bag 3105, Hamilton, New Zealand
Mail: T.McGregor(a)cs.waikato.ac.nz
Phone: +64 7 838 4651  Fax: +64 7 858 5095  Home: +64 7 825 5040  mobile: (021)313004
www: http://www.cs.waikato.ac.nz/~tonym
Mark Foster
I've had just one today, in the last half hour. None prior to that. Did someone try to write a variant and screw up, or maybe one of the infectees got weird?
Dunno, but I just looked and I've seen a couple, the first on Monday, and the other yesterday:

203.154.66.42 - - [05/Aug/2001:16:44:34 +1200] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 -
203.244.70.50 - - [06/Aug/2001:18:24:12 +1200] "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 -

Note that not only is there no default.ida?, there's no GET either. The stuff after the filler is identical to all three variants of Code Red, so I can't see how it could be propagating. I suspect a natural, sterile mutation.

I've been graphing the attacks as they arrive here: http://www.daedalus.co.nz/~don/codered.gif

Red is the old NNNN style Code Red, both the A variant and the more virulent B variant. The green is the C variant, with the X filler characters. Each bar is for a three hour period, starting Aug 1. Note the reduction in A/B attacks -- is the C variant killing off A/B somehow?

-- don
The "Worm" seems to attack from ranges around your own. For example, on a network I am looking at it's getting about 4 hits/sec! Mostly from 210.X.X.X addresses (and I'm on a 210.X.X.X network).

Thanks
Craig
On Tue, Aug 07, 2001 at 03:17:20PM +1200, Craig Whitmore wrote:

The "Worm" seems to attack from ranges around your own. For example, on a network I am looking at it's getting about 4 hits/sec! Mostly from 210.X.X.X addresses (and I'm on a 210.X.X.X network)

Yes.. the logic being, "where there is one evil machine, there might be more" --- reasonable and probably quite effective I should think.

--cw
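Added example, not from the thread or any of its posters: a Python script that does what the two observations above describe by hand. It parses both Apache log shapes quoted in the thread (error_log "Invalid URI in request" entries and common-log access entries), labels each probe by filler character the way Don's graph separates the NNNN (A/B) hits from the X-filler (C) hits, flags the shape Tim, Mark, Tony and Don all noticed (filler and payload but no GET and no default.ida?), counts hits per three-hour bar, and, for Craig's and Chris's point about sources clustering near your own range, counts how many sources share the local host's first octet. The sample log lines, the RFC 5737 addresses in them, the 224-character filler length and the LOCAL_IP value are constructed for the example; the %u payload is the one quoted in the thread.

```python
"""Classify Code Red style probes from Apache logs the way the thread does:
by filler character and request shape, per three-hour bucket, and by how many
sources share the local host's first octet (hypothetical helper code)."""
import re
from collections import Counter
from datetime import datetime

# The %u-encoded payload quoted in the thread; identical across the variants seen.
PAYLOAD = ('%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3'
           '%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a')

# Two Apache log shapes appear in the thread: error_log "Invalid URI" entries and
# common-log-format access entries that got a 400.
ERROR_LOG_RE = re.compile(
    r'^\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\] '
    r'\[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] '
    r'Invalid URI in request (?P<req>.*)$')
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Request line: optional method, optional /default.ida?, a long run of one
# filler character, then the %u payload. The odd hits in the thread have the
# filler and payload but neither a method nor default.ida?.
PROBE_RE = re.compile(
    r'^(?:(?P<method>GET|POST|HEAD)\s+)?'
    r'(?P<ida>/default\.ida\?)?'
    r'(?P<filler>N{32,}|X{32,})'
    r'(?P<payload>%u9090\S*?)'
    r'\s+HTTP/1\.[01]$')


def parse_line(line):
    """Return (timestamp, client_ip, request_line), or None for unrelated lines."""
    m = ERROR_LOG_RE.match(line)
    if m:
        ts = datetime.strptime(m['ts'], '%a %b %d %H:%M:%S %Y')
        return ts, m['ip'], m['req']
    m = ACCESS_LOG_RE.match(line)
    if m:
        # Keep the wall-clock time as logged; drop the offset so both formats compare.
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').replace(tzinfo=None)
        return ts, m['ip'], m['req']
    return None


def classify(request_line):
    """Label a probe 'NNNN' or 'XXXX' by filler (the thread's A/B vs C), with
    '-nomethod' appended when GET and /default.ida? are both missing.
    Returns None if the line is not a Code Red style request."""
    m = PROBE_RE.match(request_line)
    if not m:
        return None
    label = m['filler'][0] * 4
    if not (m['method'] and m['ida']):
        label += '-nomethod'
    return label


def three_hour_bucket(ts):
    """Floor a timestamp to the start of its three-hour bar, as Don's graph does."""
    start = ts.replace(hour=ts.hour - ts.hour % 3, minute=0, second=0, microsecond=0)
    return start.strftime('%d/%b/%Y %H:00')


def summarise(lines, local_ip):
    """Count probes per (bucket, label) and how many came from the local first octet.

    Returns (Counter, nearby_count, total_probes)."""
    per_bucket = Counter()
    nearby = total = 0
    local_octet = local_ip.split('.')[0]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, req = parsed
        label = classify(req)
        if label is None:
            continue
        total += 1
        per_bucket[(three_hour_bucket(ts), label)] += 1
        if ip.split('.')[0] == local_octet:
            nearby += 1
    return per_bucket, nearby, total


# Constructed sample lines modelled on those in the thread. Addresses are RFC 5737
# documentation ranges, and the 224-character filler length is an assumption.
LOCAL_IP = '203.0.113.1'
SAMPLE_LINES = [
    f'[Tue Aug  7 13:56:39 2001] [error] [client 203.0.113.5] Invalid URI in request '
    f'{"X" * 224}{PAYLOAD} HTTP/1.0',
    f'203.0.113.9 - - [05/Aug/2001:16:44:34 +1200] "{"X" * 224}{PAYLOAD} HTTP/1.0" 400 -',
    f'198.51.100.7 - - [06/Aug/2001:18:24:12 +1200] "GET /default.ida?{"N" * 224}{PAYLOAD} HTTP/1.0" 404 -',
    f'192.0.2.44 - - [06/Aug/2001:19:02:51 +1200] "GET /default.ida?{"X" * 224}{PAYLOAD} HTTP/1.0" 404 -',
    '192.0.2.10 - - [06/Aug/2001:19:05:00 +1200] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == '__main__':
    counts, nearby, total = summarise(SAMPLE_LINES, LOCAL_IP)
    for (bucket, label), n in sorted(counts.items()):
        print(f'{bucket}  {label:14} {n}')
    print(f'{nearby}/{total} probes came from {LOCAL_IP.split(".")[0]}.x.x.x sources')
```

Feeding a real error_log and access_log through `summarise` (one line per list element, with your own address as `local_ip`) gives the per-bar counts behind a graph like Don's and the share of nearby sources Craig noticed; the `-nomethod` label isolates the sterile-looking hits so they are not mixed in with the proper GET /default.ida? variants.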
participants (5)
- Chris Wedgwood
- Craig Whitmore
- Don Stokes
- Mark Foster
- Tony McGregor