[Snip]
dig -x ip.address:
90.99.11.217.in-addr.arpa. 86383 IN PTR
dialup-90.iberbanda.es.
I've seen a lot of logs dealing with nimda and code red a year ago.
But I
never saw this coming from a dial up link.
I saw several attempts from dsl and dial up.
I have a 24/7 DSL-linked Linuxserver and I have this Code-Red requests all the time mostly from other DSL-Dial-In Computers in similar Ip-Ranges (like my Server).
Anyway it does not affect any linux-box! Any responsible admin will not tolerate those insecure iis and use apache (even with or without asp)!
Code Red does not differ between Static or dynamic Ips as long as it can infect them.. and there are plenty poorly adiminstrated Windoze Boxes out there.
Like said before in some mails it must not be code red or nimda, maybe an attempt to get system-access to iis or script kiddies. I got the same with apache, sometimes there were attempts to access linux-binaries without success because of my config. For that purpose use different folders e.g. /usr/local/httpd/apache instead of /usr/local/httpd or /var/www [...]. I would be more concerned about latest vulnerabilities of apache.
So: it's a code red - guess how long these systems must be unpatched.
It's only poor to see how badly the knowledge of those m$ users is! :-( Maybe not, code red seems for me to look different. Even if it is Code Red - you should be running apache and why then be concerned about this attempts, that do not effect your server (I think you are running apache, don't you?)? If you got iis make some acl's in your reverse proxy will help filter all nasty requests and don't effect your system(s)! Philippe