New Virus in the wild
nils.ketelsen at kuehne-nagel.com
Mon Jan 17 19:20:12 UTC 2005
On Mon, Jan 17, 2005 at 07:44:37PM +0200, Gadi Evron wrote:
> Nils Ketelsen wrote:
> > We see a lot of requests of the following format in our proxy logs:
> > 1105979310.010 240001 10.3.12.211 TCP_MISS/504
> > 1458 GET http://188.8.131.52:25204/2005/1/17/11/23/32/ - NONE/- text/html
> > 1105979314.020 240009 10.3.12.211 TCP_MISS/504
> > 1458 GET http://184.108.40.206:25238/2005/1/17/11/23/41/ - NONE/- text/html
> > 1105979316.077 240068 10.3.12.211 TCP_MISS/504
> > 1460 GET http://220.127.116.11:25401/2005/1/17/11/23/43/ - NONE/- text/html
> A very important question would be: do you see these URLs on
> ANY-HOST/permutation or SPECIFIC-HOSTS/permutation?
Good idea to look at this. According to my logs, exactly 1000
IP addresses are being accessed. After that I looked
at one example host, which by then had accessed 466 addresses. Waited a few
seconds, checked the one host again: 469 addresses.
Nevertheless the total number of accessed addresses was still
1000 (over all hosts). So I think we might in fact have 1000 addresses
that are contacted/attacked. The complete list of contacted addresses can
be found here:
Network owners might want to check if their IP addresses are
on the list, and if so, look for increased traffic on these addresses, in
case all infected PCs (and not only the ones I happen to be seeing) really
connect to the same addresses.
I still have no clue what is causing this, but I am pretty clueless when
it comes to Windows PCs anyway, and as you might have guessed: the PCs
making these connections are Windows machines.
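The check Nils describes (count distinct destinations per client, then across all clients, and see whether the overall set stops growing) can be scripted over the proxy log. The following is an added example, not code from the thread; it assumes the log is in Squid native access-log format as the quoted lines suggest, and the sample lines and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid native format, modelled on the entries
# quoted in the post (client and destination addresses are made up; the
# quoted entries were wrapped across two lines in the mail, here joined).
SAMPLE_LOG = """\
1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://192.0.2.10:25204/2005/1/17/11/23/32/ - NONE/- text/html
1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://192.0.2.11:25238/2005/1/17/11/23/41/ - NONE/- text/html
1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://192.0.2.12:25401/2005/1/17/11/23/43/ - NONE/- text/html
1105979320.100 240010 10.3.12.250 TCP_MISS/504 1458 GET http://192.0.2.10:25204/2005/1/17/11/23/50/ - NONE/- text/html
1105979321.500 120 10.3.12.250 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/203.0.113.5 text/html
"""

# Pattern of the suspicious requests seen in the post: a bare IPv4 literal as
# host, a non-standard port, and a path of slash-separated date/time fields.
BEACON_RE = re.compile(
    r"^http://(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/\d{4}(?:/\d{1,2}){5}/?$"
)

def parse_squid_line(line):
    """Pick client address, status and URL out of a Squid native log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "status": fields[3], "url": fields[6]}

def summarize_beacons(log_text):
    """Return ({client: distinct destination count}, set of all destinations).

    If per-client counts keep rising while the overall set stays flat, every
    infected client is working through the same fixed address list, which is
    the inference drawn in the post.
    """
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        m = BEACON_RE.match(rec["url"])
        if m:
            per_client[rec["client"]].add(m.group("ip"))
    all_dests = set().union(*per_client.values()) if per_client else set()
    return {c: len(s) for c, s in per_client.items()}, all_dests

if __name__ == "__main__":
    counts, dests = summarize_beacons(SAMPLE_LOG)
    print("per client:", counts)
    print("distinct destinations overall:", len(dests))
```

Run it against the real access.log at intervals; the ordinary request to www.example.com is ignored because it does not match the host/port/date-path pattern.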
More information about the NANOG