New Virus in the wild
Nils Ketelsen
nils.ketelsen at kuehne-nagel.com
Mon Jan 17 19:20:12 UTC 2005
On Mon, Jan 17, 2005 at 07:44:37PM +0200, Gadi Evron wrote:
> Nils Ketelsen wrote:
> > We see a lot of requests of the following format in our proxy logs:
> >
> > 1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
> > 1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
> > 1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html
>
> A very important question would be: do you see these URLs on
> ANY-HOST/permutation or SPECIFIC-HOSTS/permutation?
Good idea to look at this. According to my logs, exactly 1000
IP addresses are being accessed. After that I looked
at one example host, which by then had accessed 466 addresses. Waited a few
seconds, checked the one host again: 469 addresses.
Nevertheless the total number of accessed addresses was still
1000 (over all hosts). So I think we might in fact have 1000 addresses
that are contacted/attacked. The complete list of contacted addresses can
be found here:
http://steering-group.net/~nils/ips.txt
Network owners might want to check if their IP addresses are
on the list and, if so, look for increased traffic on these addresses, in
case all infected PCs (and not only the ones I happen to be seeing) really
connect to the same addresses.
I still have no clue what is causing this, but I am pretty clueless when
it comes to Windows PCs anyway, and as you might have guessed, the PCs
making these connections are Windows machines.
Nils
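As an added example, not part of this thread or of any tool Nils used: a Python script that parses squid-style proxy log lines in the format quoted above, picks out requests that match the raw-IP/high-port/date-path URL shape, and counts distinct destination addresses overall and per client, which is the check described in the reply. The first three sample lines are the ones quoted in the thread; the second client 10.3.12.212 and the ordinary request are constructed.

```python
import re
from collections import defaultdict

# Squid native access.log fields: timestamp elapsed client code/status bytes
# method URL ident hierarchy/peer content-type.
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)
# URL shape quoted in the thread: raw IPv4 destination, non-standard port, and
# a path of six numeric components that look like year/month/day/hour/min/sec.
BEACON_URL_RE = re.compile(
    r"^http://(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/\d{4}(?:/\d{1,2}){5}/$"
)

def parse_line(line):
    """Return the field dict for one squid log line, or None if it does not parse."""
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else None

def beacon_destination(entry):
    """Return the destination IP if the request matches the pattern, else None."""
    if entry["method"] != "GET":
        return None
    m = BEACON_URL_RE.match(entry["url"])
    return m.group("dst") if m else None

def summarize(lines):
    """Distinct destination IPs overall and per client for matching requests."""
    per_client = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        dst = beacon_destination(entry) if entry else None
        if dst:
            per_client[entry["client"]].add(dst)
    total = set().union(*per_client.values()) if per_client else set()
    return {"total_destinations": len(total),
            "per_client": {c: len(d) for c, d in per_client.items()}}

# Constructed sample: three lines from the thread, a second (assumed) client
# hitting an already-seen destination, and an ordinary request to ignore.
SAMPLE_LOG = [
    "1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html",
    "1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html",
    "1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html",
    "1105979320.100 240010 10.3.12.212 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/24/5/ - NONE/- text/html",
    "1105979321.000 15 10.3.12.211 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html",
]
if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; a client whose per-client count keeps climbing toward the overall total is the behaviour the reply describes.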