** Reply to message from Daniel Ouellet <[EMAIL PROTECTED]> on Wed,
23 Aug 2006 22:05:53 -0400
>In my database right now I am up to 5241 IP's starting at 2PM today only.
>
>I sure can publish it as it's fair game.
>
>But what's interesting to me is the signature.
>
>If I follow this idea, then every single compromise computers in my list
>have to be Windows, all with the same service pack, browser, etc.
>Obviously if all the same then all have the same bug and can be
>compromise the same way. But still.
You seem to be assuming that whatever malware is involved is using the
software installed on the hijacked computer. More likely, it is
opening a connection to your web server itself and sending whatever
request and supplementary information it wants (which is the same in
all cases, since it's the same malware).
Dave
--
Dave Anderson
<[EMAIL PROTECTED]>
