Security Incidents mailing list archives

Code Red Scan

From: Jonathan Rickman <jonathan () xcorps net>
Date: Wed, 1 Aug 2001 12:51:42 -0400 (EDT)


Please take the following information for action...

Log entry from www.xcorps.net:
==============================

64.173.141.242 - - [01/Aug/2001:12:43:49 -0400] "GET
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u780
1%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%
u0000%u00=a HTTP/1.0" 400 252

==============================

Offender:
=========

adsl-64-173-141-242.dsl.snfc21.pacbell.net

=========


Information on the Code Red Worm can be obtained by sending email to:

code-red () xcorps net


Thank you for your prompt attention to this matter...

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Code Red Scan Jonathan Rickman (Aug 01)
- <Possible follow-ups>
- RE: Code Red Scan Richard Bradford (Aug 01)