Security Incidents
mailing list archives
CRv3? Or some other ida type
From: Mike Baptiste <mike () msbnetworks com>
Date: 31 Jul 2001 22:23:33 -0000
So I've had my servers scanning for .ida probes (they're Apache - I'm just curious). Well, after 5PM EDT, I started to see a few probes that looked different than the Code Red probe (default.ida?NNN).
Here's what I've seen so far:
136.176.193.XXX - - [31/Jul/2001:16:59:39 -0400] "GET /x.ida?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA=X HTTP/1.1" 404 280 "-" "-"
[somehost].bradley.edu - - [31/Jul/2001:17:11:24 -0400] "GET /x.ida?
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA=X HTTP/1.1" 404 211 "-" "-"
The interesting thing is I'm getting probed twice by each host, about 2 minutes apart. Also, it must be doing random IP generation - I have servers on numerous sequential IPs, and I have not seen the probes move from one IP to the next. The traffic has been light (less than 10 probes so far) but given it's not even 8PM yet :) Just thought I'd post - this may be totally unrelated, but it might be CRv3 - so I figured I'd post.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
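Added example, not part of the original post: one way to pull .ida requests out of an Apache access log, separate the default.ida?NNN pattern from the x.ida?AAA...=X pattern by file name and padding character, and measure the gap between repeat probes from one host. The function names, sample addresses and padding lengths are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined log prefix: host, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Any request for an .ida resource; capture the file name and the query string.
IDA_RE = re.compile(r'^/(?:[^?]*/)?(?P<name>[^/?]+\.ida)(?:\?(?P<query>.*))?$', re.I)


def classify(target):
    """Return (file name, padding char, padding length), or None if not an .ida request."""
    m = IDA_RE.match(target)
    if not m:
        return None
    query = m.group("query") or ""
    run = re.match(r"(.)\1*", query)  # leading run of one repeated character
    pad = run.group(0) if run else ""
    return m.group("name").lower(), pad[:1], len(pad)


def ida_probes(lines):
    """Group .ida requests by host, with seconds since that host's previous probe."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        kind = classify(m.group("target")) if m else None
        if kind is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        prev = hits[m.group("host")]
        gap = (ts - prev[-1][0]).total_seconds() if prev else None
        prev.append((ts, kind, gap))
    return dict(hits)


# Constructed sample lines: documentation addresses, arbitrary padding lengths.
SAMPLE = [
    '192.0.2.10 - - [31/Jul/2001:16:59:39 -0400] "GET /x.ida?' + "A" * 40 + '=X HTTP/1.1" 404 280 "-" "-"',
    '192.0.2.10 - - [31/Jul/2001:17:01:41 -0400] "GET /x.ida?' + "A" * 40 + '=X HTTP/1.1" 404 280 "-" "-"',
    '198.51.100.7 - - [31/Jul/2001:17:05:02 -0400] "GET /default.ida?' + "N" * 200 + ' HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.33 - - [31/Jul/2001:17:06:10 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]
if __name__ == "__main__":
    for host, probes in ida_probes(SAMPLE).items():
        print(host, [(kind, gap) for _, kind, gap in probes])
```

A host that shows two entries with the same file name and padding character and a gap of roughly two minutes matches the repeat-probe behaviour described in the post.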