I was checking my web logs using AWStats and noticed that the number of
unique visitors jumped from a normal of 20-30 to 1000+ this month.
Looking closer, most of the activity started on the 18th of Aug. Checking
the logs directly, the bulk of the activity is just requesting the / page
without getting any of the icons on the page. An example of the hits is:

clt56-123-110.carolina.rr.com - - [24/Aug/2003:07:47:16 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
cpe-65-28-6-244.kc.rr.com - - [24/Aug/2003:07:47:25 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
wbar8.sea1-4-4-076-158.sea1.dsl-verizon.net - - [24/Aug/2003:07:50:34 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
81.168.14.40 - - [24/Aug/2003:07:52:32 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
63.205.132.163 - - [24/Aug/2003:08:04:35 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
ts46-04-qdr1141.mdfrd.or.charter.com - - [24/Aug/2003:08:08:04 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
24-196-104-41.jvl.wi.charter.com - - [24/Aug/2003:08:09:34 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
adsl-64-168-191-223.dsl.lsan03.pacbell.net - - [24/Aug/2003:08:12:50 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"

So is this a worm scanning for systems to attack? Is it some script
kiddies scanning for systems to attack?

Joseph Key


_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
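
Added example (not part of the original post): a small Python triage script for the pattern described above, which groups clients that requested only "/" with an empty referrer and never fetched any other resource, keyed by User-Agent. The function name `root_only_clients` and the sample log lines are constructed for illustration; the sample hosts use documentation address ranges.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the format of the lines quoted in the post.
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def root_only_clients(lines):
    """Return {user_agent: sorted hosts} for clients whose every request was
    for "/" with no referrer, i.e. they never loaded icons or other pages."""
    paths = defaultdict(set)      # (host, agent) -> set of requested paths
    referers = defaultdict(set)   # (host, agent) -> set of referrer values
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or line-wrapped entries
        client = (m["host"], m["agent"])
        paths[client].add(m["path"])
        referers[client].add(m["referer"])
    by_agent = defaultdict(list)
    for (host, agent), seen in paths.items():
        if seen == {"/"} and referers[(host, agent)] == {"-"}:
            by_agent[agent].append(host)
    return {agent: sorted(hosts) for agent, hosts in by_agent.items()}

# Constructed sample: three root-only clients sharing the User-Agent from
# the post, plus one ordinary browser visit that also loads an icon.
UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
BROWSER = "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624"
SAMPLE = [
    f'192.0.2.10 - - [24/Aug/2003:07:47:16 -0500] "GET / HTTP/1.1" 200 2629 "-" "{UA}"',
    f'192.0.2.11 - - [24/Aug/2003:07:47:25 -0500] "GET / HTTP/1.1" 200 2629 "-" "{UA}"',
    f'198.51.100.7 - - [24/Aug/2003:07:48:01 -0500] "GET / HTTP/1.1" 200 2629 "-" "{BROWSER}"',
    f'198.51.100.7 - - [24/Aug/2003:07:48:02 -0500] "GET /icons/logo.png HTTP/1.1" 200 512 "http://www.example.org/" "{BROWSER}"',
    f'192.0.2.12 - - [24/Aug/2003:07:50:34 -0500] "GET / HTTP/1.1" 200 2629 "-" "{UA}"',
]

if __name__ == "__main__":
    for agent, hosts in root_only_clients(SAMPLE).items():
        print(f"{len(hosts)} root-only hosts with User-Agent: {agent}")
        for host in hosts:
            print("   ", host)
```

A large number of distinct hosts under a single User-Agent in this output points to automated clients rather than people browsing the site.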