[Dshield] New one?
Johannes B. Ullrich
jullrich at euclidian.com
Wed Oct 17 14:09:45 GMT 2001
It kind of looks like a vulnerability scanner, maybe nessus? I don't
remember a code red / nimda variant that uses that many vulnerabilities.
The interesting part is that it has a valid browser ID (MSIE 5.01). Not
sure if nessus does that or not.
The source IP is most likely real, as all this requires a full three-way
handshake. It is assigned to 'Solar Internet' in Brasilia, Brazil.
> These log entries I found today on an Apache virtual web server of my company.
> Sorry, the lines are very long, but all different...
> Is this a new "Code Red" or something?
> It does not look like the "normal" CR or Nimda to me.
> The "attacking IP" is located in Brazil (if it is the real one :-) ), we are in Germany.
> Best regards,
> Martin Mueller
> 126.96.36.199 - - [17/Oct/2001:08:10:28 +0200] "GET
> HTTP/1.1" 404 336 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
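The distinction discussed in this message (one source requesting many different failing URLs, versus the same request repeated) can be checked over Apache combined-format logs. The following is an added example, not part of the original message; the threshold, labels, IP addresses and log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

def summarize(lines):
    """Per client IP: count of 4xx requests, distinct failed paths, agents seen."""
    stats = defaultdict(lambda: {"failed": 0, "paths": set(), "agents": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m["status"].startswith("4"):
            continue  # skip unparsable lines and non-4xx responses
        s = stats[m["ip"]]
        s["failed"] += 1
        s["paths"].add(m["path"].split("?", 1)[0])  # ignore query string
        s["agents"].add(m["agent"])
    return stats

def classify(lines, min_failed=5):
    """Label sources: many distinct failing paths vs. one path repeated.

    min_failed is an assumed threshold; tune it for the site's normal 404 rate.
    """
    verdicts = {}
    for ip, s in summarize(lines).items():
        if len(s["paths"]) >= min_failed:
            verdicts[ip] = "scanner-like"   # broad probing, many different URLs
        elif s["failed"] >= min_failed:
            verdicts[ip] = "repetitive"     # same few URLs over and over
    return verdicts

def _line(ip, path, status, agent="Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"):
    # Builds one constructed log line; timestamp and size are fixed sample values.
    return (f'{ip} - - [17/Oct/2001:08:10:28 +0200] "GET {path} HTTP/1.1" '
            f'{status} 336 "-" "{agent}"')

# Constructed sample data (documentation IP ranges, made-up paths).
SAMPLE = (
    [_line("192.0.2.10", f"/cgi-bin/probe-{i}.cgi", 404) for i in range(6)]
    + [_line("198.51.100.7", "/repeat.htm?x=1", 404, "-") for _ in range(5)]
    + [_line("203.0.113.5", "/index.html", 200),
       _line("203.0.113.5", "/favicon.ico", 404)]
)

if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE).items():
        print(ip, verdict, sorted(summarize(SAMPLE)[ip]["agents"]))
```

A browser-like User-Agent on a "scanner-like" source, as in the quoted log entry, does not change the verdict; the agent string is client-supplied and is reported only for context.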