[Dshield] New signature?

John Groseclose iain at caradoc.org
Sat Aug 11 23:43:27 GMT 2001


At 4:55 PM -0500 8/11/01, Mark Martin wrote:
>I just noticed what looks like a network scan (my hosts were probed in a
>very straight-forward incrementing order) with the following signature.  Is
>this just someone cracking?
>
>08/11-12:56:55.402215 0:50:BF:1A:E5:C3 -> 0:A0:C9:AC:C8:DC type:0x800 len:0x137
>66.92.4.240:58000 -> 192.168.1.130:80 TCP TTL:113 TOS:0x0 ID:2821 IpLen:20 DgmLen:297 DF
>***AP*** Seq: 0x8C7EC652  Ack: 0x6020FDB6  Win: 0x4470  TcpLen: 20
>47 45 54 20 2F 78 2E 69 64 61 3F 41 41 41 41 41  GET /x.ida?AAAAA
>41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
>41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
>41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
>41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
>41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
>41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
>41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
>41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
>41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
>41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
>41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
>41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
>41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
>41 41 41 41 41 41 41 3D 58 20 48 54 54 50 2F 31  AAAAAAA=X HTTP/1
>2E 31 0A 48 6F 73 74 3A 20 65 65 79 65 0D 0A 0D  .1.Host: eeye...

That's the eEye vulnerability scanner. Some twit is scanning your 
machine/network to see if you're open to Code Red.

Looks like it's coming from dsl092-004-240.sfo1.dsl.speakeasy.net - 
there's been a LOT of this kind of thing from various Speakeasy hosts 
for the last week.

Repeated notes to abuse at speakeasy.net and support at speakeasy.net have 
gone unanswered.
-- 
John Groseclose
iain at caradoc.org
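
The check described in this message, as an added example that is not part of the original post: it rebuilds the HTTP payload from hex-dump rows in the layout quoted above and flags a `.ida` request whose query is a long filler run, plus the `Host: eeye` value the reply attributes to the eEye scanner. The function names, the `PAD_MIN` threshold and both sample requests are assumptions constructed for illustration.

```python
import re

PAD_MIN = 64  # assumed threshold for a suspiciously long filler run; tune locally

def parse_dump(text):
    """Rebuild payload bytes from rows laid out as: hex bytes, two spaces, ASCII."""
    payload = b""
    for line in text.splitlines():
        hex_part = line.lstrip("> \t").split("  ")[0]
        try:
            payload += bytes.fromhex(hex_part)
        except ValueError:
            continue  # packet header lines and other non-hex rows
    return payload

def classify(payload):
    """Describe a GET for a .ida resource; return None for any other request."""
    text = payload.decode("latin-1")
    req = re.match(r"GET (\S*\.ida)\?(\S*) HTTP/", text, re.I)
    if not req:
        return None
    runs = re.finditer(r"(.)\1*", req.group(2))  # runs of one repeated character
    pad_len = max((len(m.group(0)) for m in runs), default=0)
    host = re.search(r"^Host:[ \t]*(\S*)", text, re.I | re.M)
    return {
        "path": req.group(1),
        "pad_len": pad_len,
        "host": host.group(1) if host else None,
        "long_query": pad_len >= PAD_MIN,
        # Host value the reply above attributes to the eEye scanner
        "eeye_scanner": bool(host) and host.group(1).lower() == "eeye",
    }

def hexdump(data):
    """Render bytes in the same row layout; used here only to build sample input."""
    rows = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(">" + " ".join(f"{b:02X}" for b in chunk) + "  " + ascii_col)
    return "\n".join(rows)

# Constructed samples: one modelled on the quoted request, one ordinary request.
PROBE = b"GET /x.ida?" + b"A" * 220 + b"=X HTTP/1.1\nHost: eeye\r\n\r\n"
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("probe", PROBE), ("benign", BENIGN)):
        print(name, classify(parse_dump(hexdump(raw))))
```

The `long_query` flag does not depend on the `Host` header, so the same `.ida` request with a different `Host` value is still flagged.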