virus patterns

David P. Schwartz plug-discuss@lists.PLUG.phoenix.az.us
Wed, 19 Sep 2001 02:30:11 -0700


My server's error log is stuffed full of error requests from IPs in the
block 63.229.*.*.  They started arriving about 15:40 MST yesterday, Tues
9/18.  A grep on this pattern ('63.229.') shows that I've got over 5400 of
them now, and they're still coming.

Would it be worthwhile to just block this IP?

Maybe we should stuff something silly in there so that when Apache is
queried for cmd.exe, we give 'em something -- does anybody have a good
photo of a very HAIRY ass we could send back as a lo-res GIF?  In a pinch,
a photo of Bill Gates shaking hands with bin Laden would do...

-David
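
An added example, not part of the original post: before deciding whether to block a whole address block, it helps to see how many distinct hosts inside it are sending the cmd.exe requests and what share of all such requests they account for. The sketch below assumes the Apache 1.3 error_log line layout; the sample lines, host addresses and document root are constructed.

```python
import re
from collections import defaultdict

# Assumed Apache 1.3-style error_log entry: [date] [error] [client a.b.c.d] message
ENTRY = re.compile(
    r"^\[[^\]]+\] \[error\] \[client (\d{1,3}(?:\.\d{1,3}){3})\] (.*)$"
)

def summarize_probes(lines, needle="cmd.exe"):
    """Tally error entries whose message mentions `needle`, grouped by /16."""
    hits = defaultdict(int)    # prefix -> number of matching log entries
    hosts = defaultdict(set)   # prefix -> distinct client addresses seen
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m or needle not in m.group(2).lower():
            continue           # not an error entry, or an unrelated 404
        ip = m.group(1)
        prefix = ".".join(ip.split(".")[:2]) + ".*.*"
        hits[prefix] += 1
        hosts[prefix].add(ip)
    total = sum(hits.values())
    return [
        {"prefix": p, "hits": n, "hosts": len(hosts[p]),
         "share": round(n / total, 2)}
        for p, n in sorted(hits.items(), key=lambda kv: -kv[1])
    ]

# Constructed sample input (hypothetical hosts and paths), not real log data.
MISSING = "File does not exist: /var/www/html/c/winnt/system32/"
SAMPLE = [
    "[Tue Sep 18 15:40:00 2001] [notice] Apache configured -- resuming normal operations",
    "[Tue Sep 18 15:41:02 2001] [error] [client 63.229.10.4] " + MISSING + "cmd.exe",
    "[Tue Sep 18 15:41:03 2001] [error] [client 63.229.10.4] " + MISSING + "CMD.EXE",
    "[Tue Sep 18 15:44:19 2001] [error] [client 63.229.77.9] " + MISSING + "cmd.exe",
    "[Tue Sep 18 15:52:40 2001] [error] [client 63.229.200.31] " + MISSING + "cmd.exe",
    "[Tue Sep 18 16:03:11 2001] [error] [client 198.51.100.7] " + MISSING + "cmd.exe",
    "[Tue Sep 18 16:05:00 2001] [error] [client 63.229.10.4] "
    "File does not exist: /var/www/html/favicon.ico",
]

if __name__ == "__main__":
    for row in summarize_probes(SAMPLE):
        print("{prefix:<14} hits={hits:<5} hosts={hosts:<4} share={share}".format(**row))
```

Many distinct hosts spread across the block point to scattered sources rather than one machine, which is what makes a prefix-wide rule, rather than a single-address rule, the thing to weigh.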