its welchia/nachi. when it can't connect via 135/tcp, it will attempt an exploit against a webdav server (see MS03-007). i've seen an uptick in this in the past couple of days, too, visible on a few httpd servers i track. and i, too, was caught off guard until someone pointed out it was nachi to me. digging into the tech details showed that i (and many of us) had been overlooking a secondary attack. ___________________________ jose nazario, ph.d. jose@monkey.org http://monkey.org/~jose/
