On Friday 11 October 2002 13:28, mailinglists@belfin.ch wrote:
Who's sleeping here? This is neither Nimda nor Code Red. This is a scan. It came from a dial-up account. Nimda and Code Red never came from dial-up accounts. They always came from static IP addresses.
Why _must_ Nimda or Code Red come from static IP addresses? Think of IIS installed on WinPCs which are up 24/7 and accessible via DynDNS names. Such systems are vulnerable too...
We have to differentiate between IP addresses assigned by DHCP to always-online internet links and old-fashioned dial-up accounts. The source of our scan looks very much like a dial-up account:

dig -x ip.address:
90.99.11.217.in-addr.arpa. 86383 IN PTR dialup-90.iberbanda.es.

I've seen a lot of logs dealing with Nimda and Code Red a year ago. But I never saw this coming from a dial-up link.

Philipp