New Virus in the wild

Nils Ketelsen nils.ketelsen at
Mon Jan 17 19:20:12 UTC 2005

On Mon, Jan 17, 2005 at 07:44:37PM +0200, Gadi Evron wrote:
> Nils Ketelsen wrote:
> > We see a lot of requests of the following format in our proxy logs:
> > 
> > 1105979310.010 240001 TCP_MISS/504
> > 1458 GET - NONE/- text/html
> > 1105979314.020 240009 TCP_MISS/504
> > 1458 GET - NONE/- text/html
> > 1105979316.077 240068 TCP_MISS/504
> > 1460 GET - NONE/- text/html
> A very important question would be: do you see these URLs on 
> ANY-HOST/permutation or SPECIFIC-HOSTS/permutation?

Good idea to look at this. According to my logs exactly 1000
IP-Addresses are tried to be accessed. After that I looked
at one example host who by then had accessed 466 addresses. Waited a few
seconds, checked the one host again: 469 addresses.

Nevertheless the total number of accessed addresses was still
1000 (over all hosts). So I think we might have in fact 1000 Addresses
that are contacted/attacked. The complete list of contacted addresses can
be found here:

Network owners might want to check if their IP-Addresses are
on the list. And if so look for increased traffic on these Addresses, in
case all infected PCs (and not only the ones I happen to be seeing) really
connect to the same addresses.

I still have no clue what is causing this, but I am pretty clueless when
it comes to Windows PCs anyway, and as you might have guessed: The PCs
making these connections are Windows machines.
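
The per-host and overall counts described in the message above can be reproduced from a proxy log as follows. This is an added example, not part of the original post: it assumes Squid's native access.log field layout, and the sample lines and all addresses in it are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Squid's native access.log layout (an assumption):
# time elapsed client code/status bytes method URL ident peer/host type
# Addresses are documentation ranges, not values from the post.
SAMPLE_LOG = """\
1105979310.010 240001 192.0.2.10 TCP_MISS/504 1458 GET http://198.51.100.1/ - NONE/- text/html
1105979314.020 240009 192.0.2.10 TCP_MISS/504 1458 GET http://198.51.100.2/ - NONE/- text/html
1105979316.077 240068 192.0.2.11 TCP_MISS/504 1460 GET http://198.51.100.2/ - NONE/- text/html
1105979317.500 240010 192.0.2.11 TCP_MISS/504 1458 GET http://198.51.100.3/ - NONE/- text/html
1105979318.000 120 192.0.2.12 TCP_MISS/200 5120 GET http://www.example.org/ - DIRECT/203.0.113.5 text/html
1105979319.000 240002 192.0.2.10 TCP_MISS/504 1458 GET http://198.51.100.3/ - NONE/- text/html
truncated line
"""

def failed_destinations(lines, result="TCP_MISS/504"):
    """Map each client to the set of destination hosts it failed to reach."""
    per_client = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) < 10 or fields[3] != result:
            continue  # skip malformed lines and unrelated traffic
        host = urlsplit(fields[6]).hostname
        if host:
            per_client[fields[2]].add(host)
    return dict(per_client)

def summarize(per_client):
    """Return (distinct destinations over all clients, {client: count})."""
    pool = set().union(*per_client.values())
    return len(pool), {c: len(d) for c, d in per_client.items()}

if __name__ == "__main__":
    clients = failed_destinations(SAMPLE_LOG.splitlines())
    total, counts = summarize(clients)
    print(f"distinct destinations over all clients: {total}")
    for client, n in sorted(counts.items()):
        print(f"{client}: {n} of {total}")
```

A total that stays fixed while the per-client counts keep climbing toward it is the pattern described above: every client is working through the same address list.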

