[unisog] ida worm

Paul L Schmehl pauls at utdallas.edu
Thu Jul 19 20:00:38 GMT 2001


We are as well.  Our IDS has generated over 5000 alerts since 9AM this 
morning, and they're from everywhere on the globe.  I don't expect it to 
stop until every IIS server is patched.  (Maybe never?)

--On Thursday, July 19, 2001 12:06 PM -0700 Russ Harvey 
<russ at cornucopia.ucr.edu> wrote:

>
> http://www.eeye.com/html/Research/Advisories/AD20010618.html
>
> We're getting hit with a ton of these, and the source IPs seem all over
> the map:
>
> Thu Jul 19 08:33:06    HTTP request from 207.46.239.116: GET
> /default.ida?NN... Thu Jul 19 08:53:17    HTTP request from
> 211.220.44.29: GET /default.ida?NN... Thu Jul 19 09:26:38    HTTP request
> from 63.237.136.164: GET /default.ida?NN... Thu Jul 19 09:33:14    HTTP
> request from 217.12.96.66: GET /default.ida?NN... Thu Jul 19 10:00:43
> HTTP request from 210.218.214.10: GET /default.ida?NN... Thu Jul 19
> 10:05:05    HTTP request from 63.165.102.41: GET /default.ida?NN... Thu
> Jul 19 10:40:26    HTTP request from 66.1.160.222: GET /default.ida?NN...
> Thu Jul 19 10:51:14    HTTP request from 61.155.18.78: GET
> /default.ida?NN... Thu Jul 19 10:51:53    HTTP request from
> 211.173.199.28: GET /default.ida?NN... Thu Jul 19 11:01:18    HTTP
> request from 216.114.79.35: GET /default.ida?NN... Thu Jul 19 11:01:57
> HTTP request from 209.113.64.211: GET /default.ida?NN...
>
> Anyone else getting barraged?
>
> Thanks,
> --russ
>
> -------------------------------------------------------------------------
> ------ Russ Harvey                             Internet:
> russ-harvey at ucr.edu Dept. of Computing and Communications       uucp:
> galaxy!russ
> Univ. of Calif., Riverside, CA 92521-0142  phone: (909) 787-5617



Paul L. Schmehl, pauls at utdallas.edu
http://www.utdallas.edu/~pauls/
Supervisor, Support Services
The University of Texas at Dallas
AVIEN Founding Member



More information about the unisog mailing list