New Virus in the wild

Nils Ketelsen nils.ketelsen at
Mon Jan 17 16:39:12 UTC 2005

We see a lot of requests of the following format in our proxy logs:

1105979310.010 240001 TCP_MISS/504
1458 GET - NONE/- text/html
1105979314.020 240009 TCP_MISS/504
1458 GET - NONE/- text/html
1105979316.077 240068 TCP_MISS/504
1460 GET - NONE/- text/html

The Port these clients are trying to connect to seem to be
in the range between 25000 and 26000 all the time. All requests have the
timestamp in the URL (/2005/1/17/11/23/43 for example). We are currently
investigating together with NAI what that is.

We have a bunch of internal hosts producing these requests and the numbers
are rising. The load is starting to render our proxies unusable.

Any hints are very welcome.


More information about the NANOG mailing list