[Dshield] Re: Rather noisy log signature

Preston G. Simpson preston.simpson at sfrlaw.com
Tue Jun 11 14:09:52 GMT 2002


	I've seen the same scans on my little web server. The only response I
ever got from anyone on it was that the originating address was infected
with both Code Red and Nimda.
	I'm a little hazy on this, but would the combination of the two cause the
signature we're talking about? The GET /galaxy_ bit doesn't seem to appear
in either worm. Could the string of digits (e.g. 44724.45070) after that
portion be a hangover from the seed used to start the scanning function? 





More information about the list mailing list