New Virus in the wild

• Previous message (by thread): netblazer Was: baiting
• Next message (by thread): New Virus in the wild
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

We see a lot of requests of the following format in our proxy logs:

1105979310.010 240001 10.3.12.211 TCP_MISS/504
1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
1105979314.020 240009 10.3.12.211 TCP_MISS/504
1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
1105979316.077 240068 10.3.12.211 TCP_MISS/504
1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html


The Port these clients are trying to connect to seem to be
in the range between 25000 and 26000 all the time. All requests have the
timestamp in the URL (/2005/1/17/11/23/43 for example). We are currently
investigating together with NAI what that is.

We have a bunch of internal hosts producing these requests and the numbers
are rising. The load is starting to render our proxies unusable.

Any hints are very welcome.

Nils

• Previous message (by thread): netblazer Was: baiting
• Next message (by thread): New Virus in the wild
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]