On Thursday 20 March 2003 5:02 am, Peer Stefan wrote:
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com]
abuse@rr.com has been contacted also, but they do not want it.
...
firewall: Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= ... SPT=1492 DPT=80
Hmm, apparently I got you wrong in the previous mails. It's pure HTTP, and you won't get traces with netstat ...
This looks pretty much like Nimda, as long as no IIS is running (apparently never on a linux box :-) it's just filling up logs. Have a look at
One thought: since "nimda" comes from an infected SERVER (not a client) try browsing it by the advertised IP address -- you may be able to find some contact info and let the guy know directly that they have a problem. [also, if the content being served is, ummm, "questionable", then perhaps the RR folks will take notice...]

-- 
Yet another Blog: http://osnut.homelinux.net
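
Added example, not part of the original thread: a Python check that tallies Nimda-style probes per source address in a web server access log and counts how many got a non-error response, which is how you confirm they are only filling the log on a host without IIS. The Apache common log format, the function name summarize_probes and the sample lines (documentation IP addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Nimda's IIS probes request cmd.exe (via directory traversal) and
# root.exe (a backdoor left behind by Code Red II).
NIMDA_MARKERS = re.compile(r"(cmd\.exe|root\.exe)", re.IGNORECASE)

# Apache common log format: host ident user [time] "request" status size
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Mar/2003:06:44:18 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [20/Mar/2003:06:44:19 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
192.0.2.10 - - [20/Mar/2003:06:44:20 +0100] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 284
198.51.100.7 - - [20/Mar/2003:06:50:02 +0100] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [20/Mar/2003:07:01:44 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 290
"""


def summarize_probes(log_text):
    """Return {source: {"probes": n, "answered": m}} for Nimda-style requests.

    "answered" counts probes that did not get a 4xx/5xx status. On a host
    without IIS it should stay 0, meaning the probes only filled the log.
    """
    summary = defaultdict(lambda: {"probes": 0, "answered": 0})
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not NIMDA_MARKERS.search(m.group("req")):
            continue  # unparseable line or ordinary request
        entry = summary[m.group("src")]
        entry["probes"] += 1
        if int(m.group("status")) < 400:
            entry["answered"] += 1
    return dict(summary)


if __name__ == "__main__":
    for src, counts in sorted(summarize_probes(SAMPLE_LOG).items()):
        flag = "CHECK" if counts["answered"] else "log noise"
        print(f"{src}: {counts['probes']} probes, {counts['answered']} answered ({flag})")
```

Any source with a non-zero "answered" count is worth a closer look, since the request was served rather than rejected.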