On Fri, 11 Oct 2002 mailinglists@belfin.ch wrote:
> Who's sleeping here?
Not me.
> This is neither Nimda nor Code Red.
I'm pretty sure it is.
> This is a scan. It came from a dial-up account. Nimda and Code Red never came from dial-up accounts.
Wrong, there were and still are lots of systems, even of home users, being infected with these. Though it's hard to believe for Linux users, there are lots of people around running an IIS on a dial-up machine; often they even know that they are running it. Win2000 installs IIS by default. About systems infected by Nimda please read: http://vil.nai.com/vil/content/v_99209.htm
> They always came from static IP addresses.
Simply wrong. Randomly picked from my snort log:

--8<--
[**] [1:1243:2] WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
08/10-03:35:37.639599 64.123.252.223:3301 -> 212.60.6.115:80
--8<--

reverse DNS:

wolfgang@kiste:~> host 64.123.252.223
223.252.123.64.in-addr.arpa. domain name pointer adsl-64-123-252-223.dsl.kscymo.swbell.net.
-> DSL customer, dynamic IP, home user

wolfgang@kiste:~> host 212.60.47.97
97.47.60.212.in-addr.arpa. domain name pointer 097.catv47.bur01.lan.ch

How many such entries do you want me to post to this list? Do you want me to send you my snort logs? You can sort the home users sending Nimda/Code-Red requests to my webservers out if you like.

Wolfgang
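The triage Wolfgang does by hand here (pull the source address out of a snort alert, reverse-resolve it, judge from the PTR name whether it looks like a dynamic home connection) is easy to script over a whole log. The following is an added example written for this page, not code from the thread or from snort. It parses snort "fast"-format alert lines like the one quoted and groups the source addresses by what their reverse name suggests. The first two addresses and PTR names are the ones quoted in the mail; the other two addresses (203.0.113.9 and 198.51.100.7), the `PTR_TABLE` that stands in for DNS so the script runs offline, and the keyword list in `DYNAMIC_KEYWORDS` are constructed for the example. The classification is a heuristic only: ISPs name their pools however they like, and an absent or neutral PTR proves nothing either way.

```python
import re
import socket
from collections import defaultdict

# Constructed sample of snort fast-format alerts (one alert per line). The first
# two sources are the addresses quoted in the mail; 203.0.113.9 and 198.51.100.7
# are documentation-range addresses made up for this example.
SAMPLE_ALERTS = """\
[**] [1:1243:2] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] 08/10-03:35:37.639599 64.123.252.223:3301 -> 212.60.6.115:80
[**] [1:1243:2] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] 08/10-05:12:04.000102 212.60.47.97:2210 -> 212.60.6.115:80
[**] [1:1243:2] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] 08/10-06:40:51.330000 203.0.113.9:1080 -> 212.60.6.115:80
[**] [1:1243:2] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] 08/10-07:03:19.910000 198.51.100.7:4012 -> 212.60.6.115:80
"""

# Constructed stand-in for reverse DNS so the example runs offline.
# None means "no PTR record". A live run would use resolve_ptr() instead.
PTR_TABLE = {
    "64.123.252.223": "adsl-64-123-252-223.dsl.kscymo.swbell.net",
    "212.60.47.97": "097.catv47.bur01.lan.ch",
    "203.0.113.9": "www.example.net",
    "198.51.100.7": None,
}

# snort fast format: [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] ts src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?(?:\[Priority: (?P<prio>\d+)\] )?"
    r"(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Constructed list of tokens that ISPs commonly put in the reverse names of
# dial-up, DSL, cable and other dynamically assigned pools. Heuristic only.
DYNAMIC_KEYWORDS = re.compile(r"(adsl|dsl|dial|ppp|pool|dyn|catv|cable|dhcp|cust)", re.I)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("gid", "sid", "rev", "sport", "dport"):
            d[key] = int(d[key])
        alerts.append(d)
    return alerts


def octets_embedded(ip, host):
    """True when the address's own octets are spelled out in the hostname,
    e.g. adsl-64-123-252-223..., another common sign of a generic pool name."""
    parts = ip.split(".")
    for sep in ("-", "."):
        if sep.join(parts) in host or sep.join(reversed(parts)) in host:
            return True
    return False


def classify_source(ip, ptr):
    """Return 'dynamic', 'static' or 'unresolved' for one source address."""
    if ptr is None:
        return "unresolved"
    host = ptr.lower().rstrip(".")
    if DYNAMIC_KEYWORDS.search(host) or octets_embedded(ip, host):
        return "dynamic"
    return "static"


def resolve_ptr(ip):
    """Live reverse lookup (not called by the offline demo below)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def summarize(text, ptr_lookup):
    """Group the distinct source IPs of the alerts by PTR class, first-seen order."""
    groups = defaultdict(list)
    seen = set()
    for alert in parse_alerts(text):
        ip = alert["src"]
        if ip in seen:
            continue
        seen.add(ip)
        groups[classify_source(ip, ptr_lookup.get(ip))].append(ip)
    return dict(groups)


if __name__ == "__main__":
    for cls, ips in summarize(SAMPLE_ALERTS, PTR_TABLE).items():
        print(f"{cls:10s} {', '.join(ips)}")
```

Feeding a real `alert` file through `summarize(open(path).read(), {ip: resolve_ptr(ip) for ip in ...})` gives the same breakdown Wolfgang offers to produce by hand; the point of grouping by PTR class rather than by address is that it shows at a glance what share of the `.ida` requests hitting a server comes from home-user pools.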