[Dshield] Re: Rather noisy log signature
Preston G. Simpson
preston.simpson at sfrlaw.com
Tue Jun 11 14:09:52 GMT 2002
I've seen the same scans on my little web server. The only response I
ever got from anyone on it was that the originating address was infected
with both Code Red and Nimda.
I'm a little hazy on this, but would the combination of the two cause the
signature we're talking about? The GET /galaxy_ bit doesn't seem to appear
in either worm. Could the string of digits (e.g. 44724.45070) after that
portion be a hangover from the seed used to start the scanning function?
More information about the list