Jay Dyson of Treachery.net monitored CodeRed II attempts to his server. Among them he found the following and shared it with Attrition staff: Apache log: 126.96.36.199 - - [14/Aug/2001:18:09:40 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 658 "-" "-" Early Bird log: Aug-15-2001 01:09:38 [UTC] : CR2 : 188.8.131.52 : Notify to 'nas-corp.com' Hokay, so the automatic email is fired off. Then I figure a look around the site is in order (mostly out of morbid curiosity). And lo, what is found? http://www.nas-corp.com/solutions/security.shtml From the page: "NAS has excelled at providing comprehensive network security solutions addressing both internal and external requirements. These solutions are both flexible enough and robust enough to be adapted to changing network topologies and security policies. "With NAS, your firewalls are monitored 24 hours a day, 7 days a week, 365 days a year. NAS security engineers perpetually assess alarms and review security logs, looking for patterns and variances such as network probes, increases in activity levels or increases in denied connections."