On Thu, Jul 19, 2001 at 05:11:35PM -0500, Bob Tanner wrote:
> To top it all off, the source addresses are probably spoofed.

I don't think that's so likely. HTTP requests go over TCP, so spoofing the address would have to involve TCP sequence prediction. Given that this worm exclusively targets IIS, why would the writer bother to include sufficient complexity to do sequence prediction on Linux when something Windows-specific would be significantly easier?

Also, if the theory that the deterministic set of "random" addresses was chosen such that one of them is the author's IP so that he'll know which machines are infected is correct, spoofing would defeat the purpose.

(OTOH, maybe that's why I've only seen 30 of these requests instead of several thousand. I suppose there could have been thousands of attempts to infect my Apache, but it only followed a Redmondian sequence progression 30 times...)

-- 
It's as if we outlawed cars on the principle that they could be used to help crooks escape from bank robberies.
 - Dan Gillmore on the DMCA