I was checking my web logs using AWSTATS and noticed that the number of unique visitors jumped from a normal of 20-30 to 1000+ this month. Looking closer most of the activity started on the 18th of Aug. Checking the logs directly the bulk of activity is just requesting the / page without getting any of the icons on the page. An example of the hits is: clt56-123-110.carolina.rr.com - - [24/Aug/2003:07:47:16 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" cpe-65-28-6-244.kc.rr.com - - [24/Aug/2003:07:47:25 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" wbar8.sea1-4-4-076-158.sea1.dsl-verizon.net - - [24/Aug/2003:07:50:34 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 81.168.14.40 - - [24/Aug/2003:07:52:32 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 63.205.132.163 - - [24/Aug/2003:08:04:35 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" ts46-04-qdr1141.mdfrd.or.charter.com - - [24/Aug/2003:08:08:04 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" 24-196-104-41.jvl.wi.charter.com - - [24/Aug/2003:08:09:34 -0500] "GET / HTTP/1. 1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" adsl-64-168-191-223.dsl.lsan03.pacbell.net - - [24/Aug/2003:08:12:50 -0500] "GET / HTTP/1.1" 200 2629 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" So is this a worm scanning for systems to attack? Is it some script kiddies scanning for systems to attack? Joseph Key _______________________________________________ TCLUG Mailing List - Minneapolis/St. Paul, Minnesota http://www.mn-linux.org tclug-list at mn-linux.org https://mailman.real-time.com/mailman/listinfo/tclug-list