| 5:27 pm on Aug 27, 2001 (gmt 0)|
welcome to WmW NickR,
I am not 100% on this, but a few weeks ago we were seeing the same amount of hits in our logs from Code Red.
| 5:41 pm on Aug 27, 2001 (gmt 0)|
Thanks for your reply and welcome,
Yes, we got the Code Red trash as well. Still am, in fact, but it doesn't affect us. I deployed a zero-length default.ida because I got tired of seeing it in 404 reports.
However, I realized I should give more info about my architecture. I'm running Solaris 8 and Iplanet 4.1sp7 on these servers, and have been doing so for some time.
Also interesting, I'm seeing roughly the same traffic on ww1.sportsline.com and www.sportsline.com. ww1 is a server farm of five servers and www is a farm of dozens. But they're seeing the same total amount of traffic on these URLs (about one every 1.6 seconds).
The duid= often has what looks like a generated password or identifier - always the same for the same IP.
| 4:14 pm on Aug 28, 2001 (gmt 0)|
Interesting. I'd follow troubleshooting methods.
a) no referrer? That's very suspect.
It either means it is coming from a POSTed doc or there is something wrong in the logging system. Some browsers would have to leak a referral from time to time.
b) possibly coming from https server? There should be some referral leaking even from there.
c) sure the server is ok? That's where I'd start.
Hundred thousand hits? Someone is IP spoofing you in some sort of DoS attack.
| 9:45 am on Sep 9, 2001 (gmt 0)|
Similar problem in my server logs.
This server is rarely up. Experimental, Apache on Win98. Started out coming from domains from around the world, then started consistently coming from what appeared to be other customers of my ISP. Usually hits me within an hour or so of starting Apache. No unauthorized servers detected. Always HTTP/1.0. Never a referer. Continued after an Fdisk, though the Apache binary stayed the same. The x's seem to be an attempt at a buffer overflow. Curious. Anyone with any info, thanks.
Found it, don't bother answering. Strange behavior!
(edited by: Marcia at 10:31 am (gmt) on Sep. 9, 2001)
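The traits the posts above describe (requests for default.ida carrying a long run of filler characters, always HTTP/1.0, never a referer, the same source repeating) can be pulled out of an access log mechanically. This is an added example, not code from any poster; it assumes Apache combined log format and the log lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Code Red style probe: GET /default.ida followed by a long run of one filler
# character (the "x's" the thread mentions; the earlier variant used N's).
PROBE_RE = re.compile(r'^/default\.ida\?(?:X{20,}|N{20,})', re.IGNORECASE)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_code_red_probe(rec):
    """Flag the three traits reported in the thread: default.ida filler, HTTP/1.0, no referer."""
    return (PROBE_RE.match(rec["path"]) is not None
            and rec["proto"] == "HTTP/1.0"
            and rec["referer"] in ("", "-"))

def summarize(log_text):
    """Return (probes per source IP, response status counts) for the worm traffic only."""
    per_ip, statuses = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_code_red_probe(rec):
            per_ip[rec["ip"]] += 1
            statuses[rec["status"]] += 1
    return per_ip, statuses

# Constructed sample log; addresses and timestamps are made up for this example.
FILL = "X" * 40
SAMPLE_LOG = f"""\
192.0.2.10 - - [09/Sep/2001:09:40:01 +0000] "GET /default.ida?{FILL} HTTP/1.0" 404 209 "-" "-"
192.0.2.10 - - [09/Sep/2001:09:40:02 +0000] "GET /default.ida?{FILL} HTTP/1.0" 404 209 "-" "-"
198.51.100.5 - - [09/Sep/2001:09:41:17 +0000] "GET /default.ida?{FILL} HTTP/1.0" 200 0 "-" "-"
203.0.113.9 - - [09/Sep/2001:09:41:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/4.0"
203.0.113.9 - - [09/Sep/2001:09:42:00 +0000] "GET /default.ida?{FILL} HTTP/1.1" 404 209 "http://example.com/" "Mozilla/4.0"
"""

if __name__ == "__main__":
    ips, codes = summarize(SAMPLE_LOG)
    for ip, n in ips.most_common():
        print(f"{ip:16} {n} probe(s)")
    print("responses:", dict(codes))
```

The status breakdown shows whether the server is answering the probes with a 404 or, as in the zero-length default.ida workaround described earlier, with a 200.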
| 10:32 am on Sep 9, 2001 (gmt 0)|
my_wan, that's the Code Red worm. Here's one thread about it; you'll find much more using the site search at page top on the left.
| 12:33 am on Sep 10, 2001 (gmt 0)|
Yes, I jumped the gun on that post before looking much. I didn't pay much attention to the Code Red worm running Apache. It's funny it didn't start hitting my logs until its second cycle.