Security Incidents mailing list archives

possible early worm vector?


From: Greg Broiles <gbroiles () well com>
Date: Tue, 18 Sep 2001 14:25:56 -0700


I was looking through my logs and found some hits yesterday morning that are reminiscent of today's worm -

66.31.95.41 - - [17/Sep/2001:08:13:42 -0700] "GET /msadc/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
66.31.95.41 - - [17/Sep/2001:08:13:42 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278 "-" "-"

on my server at 64.81.65.40, and

66.31.95.41 - - [17/Sep/2001:08:13:43 -0700] "GET /msadc/root.exe?/c+dir HTTP/1.0" 404 284 "-" "-"
66.31.95.41 - - [17/Sep/2001:08:13:43 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 286 "-" "-"

on my server at 64.81.65.41; the machine located at 66.31.95.41 serves up a page with a rant about morality and religion purporting to be from Fluffi Bunni (or Philo Bunny), along with electronic copies of books about vi, sed, TCP/IP, and C. The <title> of the page is "sh0dan.org", and it appears to be a copy of the pages which are available at <http://sh0dan.org>. (that's a zero, not an "oh", in "sh0dan".)

I wonder if 66.31.95.41 was an early infection vector - has that machine shown up in others' logs?


--
Greg Broiles
gbroiles () well com
"We have found and closed the thing you watch us with." -- New Delhi street kids


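A small log check of the kind this post invites, added here as an example and not part of the original message: it parses Apache combined-format access-log lines (the constructed sample reuses the two entries quoted above plus one benign request) and groups root.exe probe requests by source address, keeping the status code so a reader can tell a failed probe (404, as here) from one the server actually served. The pattern, regexes and function names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the two probe entries quoted in the post, one per line,
# plus a benign request for contrast.
SAMPLE_LOG = """\
66.31.95.41 - - [17/Sep/2001:08:13:42 -0700] "GET /msadc/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
66.31.95.41 - - [17/Sep/2001:08:13:42 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
10.0.0.7 - - [17/Sep/2001:08:14:01 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
"""

# Apache "combined" log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The request shapes seen in the post: root.exe under /msadc or /scripts,
# invoked with a "/c+..." command argument.
PROBE_RE = re.compile(r'/(msadc|scripts)/root\.exe\?/c\+', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_probes(log_text):
    """Return {source_ip: [(path, status), ...]} for lines matching PROBE_RE.

    Lines that do not parse are skipped rather than raising, so a partly
    corrupted log still yields the entries that can be read.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and PROBE_RE.search(rec["path"]):
            hits[rec["ip"]].append((rec["path"], rec["status"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, probes in find_probes(SAMPLE_LOG).items():
        served = [p for p, s in probes if s.startswith("2")]
        print(f"{ip}: {len(probes)} probe(s), {len(served)} answered with 2xx")
        for path, status in probes:
            print(f"  {status} {path}")
```

A 2xx on one of these paths is the case worth escalating; a string of 404s from one address, as in the post, is a scanner worth correlating with other hosts' logs.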
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
