On Thu, Jul 19, 2001 at 04:28:22PM -0500, Dave Sherohman wrote: > On Thu, Jul 19, 2001 at 09:16:42PM +0000, kblack at isd.net wrote: > > Is anybody else running a firewall > > (and blocking port 80) > > noticing an unusual number of attacks today? > > I've got a little more information by virtue of seeing this in my > apache logs instead of firewall logs... > > > I usually log a couple of wayward souls, but today I would > > say that number is in excess of 20 separate ip's from around > > the world. > > Sounds about right. I've logged 18 at home and 33 on the office web > server. > > > Not that this is doing anything but sucking up that > > could be put to a good use, just wanted to see if anybody > > knows if anything unusual is happening. > > Just a worm looking for copies of IIS and hoping to exploit a buffer > overflow. The requests start off with "GET /default.ida?NNNN..." and > are too large to be anything but a buffer overflow attempt. > > The only article I've been able to find about the worm is at > http://www.newsbytes.com/news/01/168003.html?&_ref=923747745 http://www.securityfocus.com/templates/headline.html?id=12004 -- Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/> mod_pointer <http://stderr.net/mod_pointer>