Re: strange web traffic
From: George Theall (theall_at_tifaware.com)
Date: 08/26/03
- Previous message: Andrew McKnight: "RE: Can anyone identify this possible backdoor?"
- In reply to: Pall Thayer: "strange web traffic"
- Next in thread: Etaoin Shrdlu: "Re: strange web traffic"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 26 Aug 2003 12:09:03 -0400
To: Pall Thayer <pall@fa.is>
On Tue, Aug 26, 2003 at 09:48:28AM -0000, Pall Thayer wrote:
> For the past week and a half or so, I've been noticing several strange
> entries in my webserver access log. Although they appear harmless, the
> volume of the requests worries me a bit. Here's what they look like:
>
> 218.103.121.39 - - [26/Aug/2003:08:28:12 +0000] "GET / HTTP/1.1" 200 686 "-"
> "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
These are likely due to the Welchi worm - it uses as an additional
attack vector an old WebDAV exploit to infect IIS 5.0 web servers. Most
of the descriptions of the worm I read fail to mention this, but
F-Secure's does:
http://www.f-secure.com/v-descs/welchi.shtml
I expect the worm will result in a lot of angry customers of web hosting
businesses who impose surcharges for exceeding monthly bandwidth limits.
George
-- theall@tifaware.com
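
A triage sketch for the log pattern quoted in the message above, added here and not part of the original post: it counts, per source address, the requests shaped like the quoted sample (bare `GET /`, no referer, that User-Agent) and totals the bytes served to them. Treating those three fields as the match criteria is an assumption drawn from the single sample line, so an ordinary MSIE 5.5 visitor typing the URL would match too; the function name and every log entry after the first are constructed.

```python
import re
from collections import defaultdict

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# User-Agent copied from the sample log line quoted in the post.
PROBE_AGENT = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"


def summarize_probes(lines):
    """Return ({host: hits}, bytes_served) for requests shaped like the quoted sample."""
    hits = defaultdict(int)
    bytes_served = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not combined-format, or truncated
        if (m["method"], m["path"], m["referer"], m["agent"]) != ("GET", "/", "-", PROBE_AGENT):
            continue
        hits[m["host"]] += 1
        if m["bytes"] != "-":  # "-" means no body was sent (e.g. a 304 reply)
            bytes_served += int(m["bytes"])
    return dict(hits), bytes_served


# Constructed sample: the first entry is the line from the post; the rest use
# documentation address ranges and are made up for this example.
_PROBE = '{} - - [26/Aug/2003:08:{}:00 +0000] "GET / HTTP/1.1" {} "-" "' + PROBE_AGENT + '"'
SAMPLE_LOG = [
    '218.103.121.39 - - [26/Aug/2003:08:28:12 +0000] "GET / HTTP/1.1" 200 686 "-" "' + PROBE_AGENT + '"',
    _PROBE.format("192.0.2.10", 29, "200 686"),
    _PROBE.format("192.0.2.10", 31, "200 686"),
    _PROBE.format("198.51.100.7", 33, "304 -"),
    '198.51.100.7 - - [26/Aug/2003:08:34:00 +0000] "GET /art/index.html HTTP/1.1" 200 5120 '
    '"http://example.org/" "Mozilla/5.0 (X11; Linux i686)"',
    "truncated line with no request field",
]

if __name__ == "__main__":
    per_host, total = summarize_probes(SAMPLE_LOG)
    for host, count in sorted(per_host.items(), key=lambda kv: -kv[1]):
        print(f"{host:15s} {count}")
    print("bytes served to matching requests:", total)
```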