[Suns-at-Home] Odd httpd error entries - probe attempts?

Matt Crawford matt@severian.chi.il.us
Sat, 06 Oct 2001 13:30:39 -0500


> I have been seeing a strange trend in my log files that track my
> web site traffic and I want to see if anyone knows what is going on
> with it.  ...   Does anyone recognize this probe?

You are one HAPPY guy if you don't know about the CodeRed and nimdA
worms *and* don't need to know.  Nasty attacks on IIS servers they
are, and Nimda has several other ways of propagating, including being
viewed by Outlook Express or Internet Exploder.

> Any ideas why the addresses ALWAYS start with 216?

Because your address starts with 216, and nimdA preferentially (but
not exclusively) goes after addresses that match the current infected
platform to the first 16 or the first 8 bits.

To know more about what the poor Windoze sods are going through, look
at ciac.org, cert.org or some major anti-virus vendor.
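
The reply above attributes the all-216 sources to the worm favouring addresses that share the first 16 or first 8 bits with the infected host. As an added example (not part of the original message), this Python sketch tallies error-log clients by how much address prefix they share with the server; the server address, the log lines and the Apache-style `[client a.b.c.d]` format are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Assumed Apache-style error_log field: "[client a.b.c.d]"
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})\]")

SERVER_IP = "216.10.20.30"  # constructed server address
SAMPLE_LOG = [  # constructed log lines, not taken from the thread
    "[Sat Oct 06 13:01:02 2001] [error] [client 216.10.77.5] File does not exist: /var/www/htdocs/scripts/root.exe",
    "[Sat Oct 06 13:01:09 2001] [error] [client 216.10.3.200] File does not exist: /var/www/htdocs/scripts/root.exe",
    "[Sat Oct 06 13:02:41 2001] [error] [client 216.99.1.1] File does not exist: /var/www/htdocs/scripts/root.exe",
    "[Sat Oct 06 13:03:17 2001] [error] [client 216.140.8.9] File does not exist: /var/www/htdocs/scripts/root.exe",
    "[Sat Oct 06 13:05:50 2001] [error] [client 64.12.5.6] File does not exist: /var/www/htdocs/scripts/root.exe",
    "[Sat Oct 06 13:06:00 2001] [notice] caught SIGTERM, shutting down",
    "[Sat Oct 06 13:07:12 2001] [error] [client 999.1.1.1] malformed entry",
]

def shared_prefix_bits(a, b):
    """Count the leading bits two IPv4 addresses have in common (0-32)."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - diff.bit_length()

def bucket(server_ip, client_ip):
    """Classify a client by the prefix it shares with the server."""
    bits = shared_prefix_bits(server_ip, client_ip)
    if bits >= 16:
        return "same /16"
    if bits >= 8:
        return "same /8"
    return "elsewhere"

def tally(server_ip, log_lines):
    """Count log entries per bucket; lines with no client field are skipped."""
    counts = Counter()
    for line in log_lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue
        try:
            counts[bucket(server_ip, m.group(1))] += 1
        except ipaddress.AddressValueError:
            counts["unparsable"] += 1  # e.g. an octet above 255
    return counts

if __name__ == "__main__":
    for name, n in tally(SERVER_IP, SAMPLE_LOG).most_common():
        print(f"{name:12} {n}")
```

A tally dominated by the two "same" buckets fits the locality preference the reply describes rather than someone singling out the site.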