Well I have only about 20 requests so far but they come from all over the place 
some from europe some from asia some from very well known us sites(bellsouth, 
ohio university, juno). By the way....very nice article.

Jason
>andy at theasis.com wrote:
>> 
>> > > Just a worm looking for copies of IIS and hoping to exploit a buffer
>> > > overflow.  The requests start off with "GET /default.ida?NNNN..." and
>> > > are too large to be anything but a buffer overflow attempt.
>> > >
>> > > The only article I've been able to find about the worm is at
>> > > http://www.newsbytes.com/news/01/168003.html?&_ref=923747745
>> >
>> > http://www.securityfocus.com/templates/headline.html?id=12004
>> 
>> http://www.msnbc.com/news/602036.asp?cp1=1
>
>And of course last but not least a real in depth technical explination
>of what codered is, what it does, and how it spreads instead of
>newsflash fluff. ;P
>
>http://www.eeye.com/html/Research/Advisories/AL20010717.html
>
>Cute. Whoever wrote it knew their win32. The stuff in the GET line is
>just a boostrap, the real worm code is in the rest of the HTTP request,
>and thus not logged. I've written me a CGI to grab the complete virus
>next time I get hit. Heh.
>
>I've gotten 21 attempts so far.
>_______________________________________________
>tclug-list mailing list
>tclug-list at mn-linux.org
>https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>