Educause Security Discussion mailing list archives
Rash of seemingly "old" virii
From: Peter Charbonneau <Peter.Charbonneau () WILLIAMS EDU>
Date: Mon, 7 Mar 2005 15:08:52 -0500
I am seeing some of our student computers (to the tune of 10-12 machines) hitting various web servers, both inside and outside our campus, requesting: 137.165.xxx.yyy - - [07/Mar/2005:09:24:06 -0500] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 - "-" "-" 137.165.xxx.yyy - - [07/Mar/2005:09:24:06 -0500] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 - "-" "-" 137.165.xxx.yyy - - [07/Mar/2005:09:24:06 -0500] "SEARCH / \x90\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x04H\x0 4H\x04H\x04H\x04H\x04H\x04H\x04H\x04H .... [thousands of characters removed for sanity sake] In searching the web, I find that this SEEMS to be the FrontPage extension attack from 2-3 years ago. I "got a hold" of a couple of student machines that were the xxx.yyy addresses. So far, BOTH of these machines have AV protection running AND have updated def files. I have run various Spyware scans using all 17,000 of our favorite Spyware tools - nothing has come up (well, gator, but that is kinda expected) that clues me into what is going on. I am wondering whether any of you have seen anything like this, or potentially have an explanation. I am just about at my wits end trying to counter/explain it. *** Please note that I am posting this to BOTH the ResNet list and the Educause Security list *** PeteC Peter Charbonneau Sr. Network and Systems Administrator Williams College (413) 597-3408 (desk) (413) 822-2922 (cell) ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- Rash of seemingly "old" virii Peter Charbonneau (Mar 07)
- <Possible follow-ups>
- Re: Rash of seemingly "old" virii Gary Flynn (Mar 07)
- Re: Rash of seemingly "old" virii Mark Wilson (Mar 08)