OK: so sometimes I look at my firewall logs while I'm at work (over lunch ;-) and sometimes I plug the source IP address into a web browser and see what comes up, so I'm sitting there at work and I plug this IP address into my company-issue web browser, IE 5.0, and up pops -- guess what!
A Nimda-infected Win NT 4.0 box running IIS!
heh.. I hope the people up in IT didn't notice... but hey, at least their anti-virus stuff works.
('course, this never happens at home where I'm running Opera under Linux :-)
Feb 19 22:50:45 - snort [1:0:0] Potential CodeRed/Nimda probe Source IP: 12.22.2.4 Source port: 4648 Source host: 12.22.2.4 Target IP: 12.82.132.202 Target port: 80 Proto: TCP Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 22:50:45 - snort [1:0:0] Potential CodeRed/Nimda probe Source IP: 12.22.2.4 Source port: 4648 Source host: 12.22.2.4 Target IP: 12.82.132.202 Target port: 80 Proto: TCP Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 22:50:48 - snort [1:0:0] Potential CodeRed/Nimda probe Source IP: 12.22.2.4 Source port: 4648 Source host: 12.22.2.4 Target IP: 12.82.132.202 Target port: 80 Proto: TCP Target host: 202.seattle-11-12rs.wa.dial-access.att.net
Feb 19 22:50:48 - snort [1:0:0] Potential CodeRed/Nimda probe Source IP: 12.22.2.4 Source port: 4648 Source host: 12.22.2.4 Target IP: 12.82.132.202 Target port: 80 Proto: TCP Target host: 202.seattle-11-12rs.wa.dial-access.att.net