Re: Frequent Strange Requests

To: Auke Rensen <auke@rensen.dyndns.org>
Cc: debian-isp@lists.debian.org
Subject: Re: Frequent Strange Requests
From: "Jeremy C. Reed" <reed@wcug.wwu.edu>
Date: Wed, 12 Sep 2001 12:21:11 -0700 (PDT)
Message-id: <[🔎] Pine.BSO.4.21.0109121216460.16051-100000@sloth.wcug.wwu.edu>
In-reply-to: <[🔎] NFBBKHFPBBBOOHHCMIECEEDICAAA.auke@rensen.dyndns.org>

On Wed, 12 Sep 2001, Auke Rensen wrote:

> While scanning my Apache Access logs I recently discovered that my webserver
> gets some strange requests. While just guessing I can say I get these
> requests about 10 to 25 times a day.

> 212.1.145.112 - - [12/Sep/2001:15:37:33 +0200] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

As others have mentioned, this is probably the Code Red worm or
derivative.

Is the remote client IP always (or frequently the same)?

Then you may want to consider firewalling that IP on that port (80). (But
probably not needed since you only receive a few a day.)

You can also consider reporting the problem to the admin of that remote
host so they can fix their machine.

Is that IP one of your own (Windows-based) systems? If so, then this clue
can lead you to it so you can fix it.

Do some searches for "code red"; you'll find a variety of ideas and
scripts to help with this problem.

Another reason to run open source operating systems and open source
software :)

  Jeremy C. Reed
  http://www.reedmedia.net/
  http://bsd.reedmedia.net/  -- BSD news and resources
  http://www.isp-faq.com/    -- find answers to your questions

Reply to:

References:
- Frequent Strange Requests
  - From: "Auke Rensen" <auke@rensen.dyndns.org>

Prev by Date: Re: Ethernet Card recommendation
Next by Date: Timeout of DNS
Previous by thread: RE: Frequent Strange Requests
Next by thread: Re: Frequent Strange Requests
Index(es):
- Date
- Thread