New Virus in the wild

Nils Ketelsen nils.ketelsen at kuehne-nagel.com
Mon Jan 17 19:20:12 UTC 2005


On Mon, Jan 17, 2005 at 07:44:37PM +0200, Gadi Evron wrote:
> Nils Ketelsen wrote:
> > We see a lot of requests of the following format in our proxy logs:
> > 
> > 1105979310.010 240001 10.3.12.211 TCP_MISS/504
> > 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
> > 1105979314.020 240009 10.3.12.211 TCP_MISS/504
> > 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
> > 1105979316.077 240068 10.3.12.211 TCP_MISS/504
> > 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html
> 
> A very important question would be: do you see these URLs on
> ANY-HOST/permutation or SPECIFIC-HOSTS/permutation?

Good idea to look at this. According to my logs, exactly 1000
IP addresses are being tried. After that I looked
at one example host, which by then had accessed 466 addresses. Waited a few
seconds, checked the one host again: 469 addresses.

Nevertheless, the total number of accessed addresses was still
1000 (over all hosts). So I think we might in fact have 1000 addresses
that are contacted/attacked. The complete list of contacted addresses can
be found here:

http://steering-group.net/~nils/ips.txt

Network owners might want to check if their IP addresses are
on the list, and if so look for increased traffic on these addresses, in
case all infected PCs (and not only the ones I happen to be seeing) really
connect to the same addresses.

I still have no clue what is causing this, but I am pretty clueless when
it comes to Windows PCs anyway, and as you might have guessed: the PCs
making these connections are Windows machines.

Nils
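The counting Nils describes (distinct destinations per infected client, distinct destinations over all clients, and the combined destination list) can be done directly on Squid's native access.log. The script below is an added example, not code from the post or from the NANOG thread. It assumes the ten-field native Squid log format shown in the quoted lines and uses a constructed sample log modelled on them (plus a second client and an ordinary page fetch that must not match). Treating the /2005/1/17/11/23/32/ path as year/month/day/hour/minute/second is an assumption; the thread does not say what the path encodes.

```python
import re
from collections import defaultdict

# Constructed sample in Squid "native" access.log format, modelled on the three
# entries quoted in the thread plus two extra lines: a second client hitting one
# of the same destinations, and a normal page fetch that must not be matched.
SAMPLE_LOG = """\
1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html
1105979320.101 240012 10.3.12.215 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/50/ - NONE/- text/html
1105979321.500   1203 10.3.12.215 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/192.0.2.10 text/html
"""

# URL shape seen in the thread: a raw IP, a high port, then a /YYYY/M/D/h/m/s/ path.
# Reading the path as a timestamp is an assumption; the post does not say what it is.
BEACON_URL = re.compile(
    r"^http://(?P<ip>(?:\d{1,3}\.){3}\d{1,3}):(?P<port>\d{1,5})"
    r"/(?P<y>\d{4})/(?P<mo>\d{1,2})/(?P<d>\d{1,2})"
    r"/(?P<h>\d{1,2})/(?P<mi>\d{1,2})/(?P<s>\d{1,2})/$"
)


def parse_squid_line(line):
    """Split one native-format Squid line into its fields, or return None."""
    fields = line.split()          # elapsed time is space-padded, so split on any whitespace
    if len(fields) != 10:
        return None
    return {
        "time": float(fields[0]),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "result": fields[3],       # e.g. TCP_MISS/504: the proxy timed out reaching the target
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
    }


def extract_beacons(log_text):
    """Return (client, dest_ip, dest_port, path_timestamp) for every request that matches."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        m = BEACON_URL.match(rec["url"])
        if m is None:
            continue
        ts = tuple(int(m.group(k)) for k in ("y", "mo", "d", "h", "mi", "s"))
        hits.append((rec["client"], m.group("ip"), int(m.group("port")), ts))
    return hits


def destinations_per_client(hits):
    """Map each internal client to the set of destination IPs it has tried so far."""
    per_client = defaultdict(set)
    for client, ip, _port, _ts in hits:
        per_client[client].add(ip)
    return dict(per_client)


def all_destinations(hits):
    """Sorted, de-duplicated destination list (the equivalent of the ips.txt in the post)."""
    return sorted({ip for _c, ip, _p, _t in hits},
                  key=lambda s: tuple(int(octet) for octet in s.split(".")))


def shared_destinations(hits):
    """Destination IPs contacted by more than one client: evidence of a fixed target list."""
    clients_by_dest = defaultdict(set)
    for client, ip, _port, _ts in hits:
        clients_by_dest[ip].add(client)
    return sorted(ip for ip, clients in clients_by_dest.items() if len(clients) > 1)


if __name__ == "__main__":
    beacons = extract_beacons(SAMPLE_LOG)
    for client, dests in sorted(destinations_per_client(beacons).items()):
        print(f"{client}: {len(dests)} distinct destinations")
    print("total distinct destinations:", len(all_destinations(beacons)))
    print("shared by several clients:", shared_destinations(beacons))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; if the per-client sets keep growing while the overall set stays flat, as Nils observed, every infected host is walking the same fixed list, and shared_destinations() gives the addresses worth reporting to their network owners.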



More information about the NANOG mailing list