On Mon, Jan 17, 2005 at 07:44:37PM +0200, Gadi Evron wrote:
> Nils Ketelsen wrote:
> > We see a lot of requests of the following format in our proxy logs:
> >
> > 1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
> > 1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
> > 1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html
>
> A very important question would be: do you see these URLs on ANY-HOST/permutation or SPECIFIC-HOSTS/permutation?
Good idea to look at this. According to my logs, exactly 1000 IP addresses are being accessed. After that I looked at one example host, which by then had accessed 466 addresses. Waited a few seconds, checked the one host again: 469 addresses. Nevertheless the total number of accessed addresses was still 1000 (over all hosts). So I think we might in fact have 1000 addresses that are contacted/attacked.

The complete list of contacted addresses can be found here: http://steering-group.net/~nils/ips.txt

Network owners might want to check if their IP addresses are on the list, and if so, look for increased traffic on these addresses, in case all infected PCs (and not only the ones I happen to be seeing) really connect to the same addresses.

I still have no clue what is causing this, but I am pretty clueless when it comes to Windows PCs anyway, and as you might have guessed: the PCs making these connections are Windows machines.

Nils
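The counting Nils describes (distinct destinations per client host versus the distinct destination set over all hosts) can be reproduced directly from proxy logs. The script below is an added example written for this thread, not code from either poster. It assumes the lines are in Squid's native access.log layout (timestamp, elapsed ms, client, code/status, bytes, method, URL, ident, hierarchy, content type), which is what the quoted lines look like, and it keys only on requests whose path has the /YYYY/M/D/H/M/S/ shape seen in the post. The three log lines from the post are included as sample input; the remaining sample lines and their destination addresses (192.0.2.x, 198.51.100.x) are constructed.

```python
"""Count distinct destinations per client and overall from Squid-style proxy logs."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed Squid native access.log layout:
# time elapsed client code/status bytes method URL ident hierarchy/peer content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# The path shape from the post: /2005/1/17/11/23/32/ (year/month/day/hour/min/sec/)
DATED_PATH_RE = re.compile(r"^/\d{4}/\d{1,2}/\d{1,2}/\d{1,2}/\d{1,2}/\d{1,2}/$")

# Sample input: the first three lines are the ones quoted in the thread; the rest
# are constructed to show a second client and a normal, unrelated request.
SAMPLE_LOG = """\
1105979310.010 240001 10.3.12.211 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/32/ - NONE/- text/html
1105979314.020 240009 10.3.12.211 TCP_MISS/504 1458 GET http://67.171.84.104:25238/2005/1/17/11/23/41/ - NONE/- text/html
1105979316.077 240068 10.3.12.211 TCP_MISS/504 1460 GET http://213.188.227.50:25401/2005/1/17/11/23/43/ - NONE/- text/html
1105979318.101 240012 10.3.12.211 TCP_MISS/504 1458 GET http://192.0.2.10:25301/2005/1/17/11/23/45/ - NONE/- text/html
1105979319.250 240003 10.3.12.55 TCP_MISS/504 1458 GET http://84.120.14.236:25204/2005/1/17/11/23/46/ - NONE/- text/html
1105979320.310 240007 10.3.12.55 TCP_MISS/504 1458 GET http://198.51.100.7:25333/2005/1/17/11/23/47/ - NONE/- text/html
1105979321.000 120 10.3.12.55 TCP_HIT/200 5120 GET http://www.example.com/index.html - NONE/- text/html
"""


def parse_line(line):
    """Parse one access.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["dest_host"] = parts.hostname
    rec["dest_port"] = parts.port
    rec["dated_path"] = bool(DATED_PATH_RE.match(parts.path or ""))
    return rec


def summarize(lines):
    """Return per-client distinct destination sets and the global destination set,
    considering only requests whose path matches the dated pattern."""
    per_client = defaultdict(set)
    all_dest = set()
    matched = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["dated_path"]:
            continue
        matched += 1
        key = (rec["dest_host"], rec["dest_port"])
        per_client[rec["client"]].add(key)
        all_dest.add(key)
    return {
        "matched": matched,
        "per_client": {c: len(d) for c, d in per_client.items()},
        "total_distinct": len(all_dest),
        "destinations": sorted(all_dest),
    }


def busy_clients(summary, threshold):
    """Clients that have contacted at least `threshold` distinct dated-path destinations."""
    return sorted(c for c, n in summary["per_client"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("matching requests:", s["matched"])
    for client, n in sorted(s["per_client"].items()):
        print(f"{client}: {n} distinct destinations")
    print("distinct destinations over all clients:", s["total_distinct"])
    print("clients with >= 3 destinations:", busy_clients(s, 3))
```

Run it against a real access.log with `summarize(open("access.log").readlines())`; if the per-client counts keep growing while `total_distinct` stays fixed, as Nils observed, every client is working through the same destination list, and that list is what network owners would compare against their own address space.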