[Dshield] I've got it....

Paul Marsh pmarsh at nmefdn.org
Sun Aug 5 17:29:28 GMT 2001


209.61.190.91 is not one of mine, it's an external ip.

Thanx, Paul


-----Original Message-----
From: John Groseclose [mailto:iain at caradoc.org]
Sent: Sunday, August 05, 2001 12:48 PM
To: dshield at dshield.org
Subject: Re: [Dshield] I've got it....


At 10:04 AM -0400 8/5/01, Paul Marsh wrote:
>I was checking my logs this morning and found the
following....urg2001-08-04
>18:11:53 209.61.190.91 - GET /default.ida
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
X
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9
0
>90%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%
u
>9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200 165 3818 63
>80 - -
>
>This is a log froma patched machine, the machine has been patched for weeks
>now????  Does anyone want or need more info?  I'd like to send these things
>to someone for analysis to find out why the patch did not stop ver.2?

Is this a log from a webserver *on* the patched machine? If so, 
you're not infected - you're just logging the attempt to connect.

Is 209.61.190.91 your machine? Or someone else's?
-- 
John Groseclose
iain at caradoc.org

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www1.dshield.org/mailman/listinfo/dshield




More information about the list mailing list