Re: [tlug] Strange httpd and TCP/135 logs...
- Date: Fri, 29 Aug 2003 12:02:21 +0900
- From: Michael Doughty <tlug@example.com>
- Subject: Re: [tlug] Strange httpd and TCP/135 logs...
- References: <20030828213357.154957f6.br@example.com>
- User-agent: Mutt/1.4i
On Thu, Aug 28, 2003 at 09:33:57PM +0900, Bruno Raoult wrote:
> Since Aug 18th, my apache logs show a huge number of requests, coming from different IPs,
> and always asking the home page (but not the images inside).

<SNIP!>

> Do you have an idea of what it could be?

I would assume that this is the Welchia worm trying to find out if it can exploit you or not. From what you said in your post, it seems that you think the same, but dismissed it because:

> At the same moment, my router filter logs show a huge number of
> requests on all my IP addresses on both ports 80 & 135. But I
> cannot find any link between the source addresses (some addresses
> scan port 80, and others port 135).

I haven't looked at the source, but IIRC the worm is set to choose an IP address range randomly. I wouldn't be surprised if the two scans (RPC&HTTP) are done on different ranges.

Not sure about the different sized returns from the home page. How large is the home page? Larger or smaller than the amount being transferred?

Michael