New Virus in the wild
Nils Ketelsen
nils.ketelsen at kuehne-nagel.com
Mon Jan 17 16:39:12 UTC 2005
We see a lot of requests of the following format in our proxy logs:
1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html
The ports these clients are trying to connect to seem to be
in the range between 25000 and 26000 all the time. All requests have the
timestamp in the URL (/2005/1/17/11/23/43 for example). We are currently
investigating together with NAI what that is.
We have a bunch of internal hosts producing these requests and the numbers
are rising. The load is starting to render our proxies unusable.
Any hints are very welcome.
Nils
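
A way to find the internal hosts producing the requests described in the post above, as an added example that is not part of the original message: it parses Squid-style access log lines and counts, per client, requests to a raw IP address on a port between 25000 and 26000 whose path is only a /Y/M/D/h/m/s/ timestamp. The function names are hypothetical, and the last two sample lines are constructed benign traffic.

```python
import re
from collections import Counter

# Squid native access.log: time elapsed client code/status bytes method URL ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>\w+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
# Raw IPv4 host, explicit port, path consisting only of /YYYY/M/D/h/m/s/
URL_RE = re.compile(
    r"^http://(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})"
    r"/(?P<y>\d{4})/(?P<mo>\d{1,2})/(?P<d>\d{1,2})/(?P<h>\d{1,2})/(?P<mi>\d{1,2})/(?P<s>\d{1,2})/$"
)
PORT_MIN, PORT_MAX = 25000, 26000  # port range reported in the post

# First three lines are from the post; the last two are constructed benign lines.
SAMPLE_LOG = """\
1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html
1105979320.500 120 10.3.12.40 TCP_MISS/200 5120 GET http://www.example.com/2005/1/17/news.html - DIRECT/192.0.2.10 text/html
1105979321.000 95 10.3.12.41 TCP_MISS/200 900 GET http://192.0.2.20:8080/2005/1/17/11/23/50/ - DIRECT/192.0.2.20 text/html
"""

def is_suspicious(url):
    """True if the URL has the IP:port/timestamp shape seen in the post."""
    m = URL_RE.match(url)
    if not m:
        return False
    _, mo, d, h, mi, s = (int(x) for x in m.group("y", "mo", "d", "h", "mi", "s"))
    in_range = PORT_MIN <= int(m["port"]) <= PORT_MAX
    # Require plausible date and time fields so arbitrary numeric paths do not match.
    plausible = 1 <= mo <= 12 and 1 <= d <= 31 and h <= 23 and mi <= 59 and s <= 59
    return in_range and plausible

def suspicious_clients(lines):
    """Count matching requests per client IP; unparseable lines are skipped."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_suspicious(m["url"]):
            hits[m["client"]] += 1
    return hits

if __name__ == "__main__":
    for client, count in suspicious_clients(SAMPLE_LOG.splitlines()).most_common():
        print(f"{client}\t{count}")
```

Sorting the result by count gives a list of hosts to isolate first; the same URL pattern can also be used in a proxy ACL to deny the requests before they tie up connections.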