could there be a new version of the virus that is starting to spread? this is the only hit I have under this format.
8/6/01 21:03:27 - NON AUTHORIZED IP 24.10.xx.xx(ccxxxxxx-a.taylor1.mi.home.com) GET /x.ida?aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=x Status Code 403 688 Bytes Outbound 265 Bytes Inbound [Refrence Number 1185]
I have xx's out portions of the IP for the "protection" of the owner of this machine.
Brian Network Administrator Round Grove Machine Corp.
Steve I know your IP address Consultant join:2001-03-10 Yorba Linda, CA kudos:5
said by ntwrkguy: GET /x.ida?aaaaa....aaa=x
This looks very much like the eEye Code Red Scanner tool (though I believe they use A instead of a). I'm quite sure this can't do any infection because the "overflow" code is too small to actually do anything.
Steve -- Stephen J. Friedl / Software Consultant / Tustin, California USA / »www.unixwiz.net