
Re: Re: iptables filtering rules



Andrew Tait wrote:

> The entries you are seeing are caused by the army of infected MS IIS servers
> (Code Red, Nimda, etc.) trying to hack into other IIS servers at random. I see
> these on every web server I manage that isn't behind a firewall (i.e.,
> blocking port 80).


Yes, Andrew... the web server was not behind one. What a world _wild
web!

Just complementing the information you gave, without provoking an
IIS (off) topic: do you believe that the source IPs of the requests
related to those log entries belong to exploiters or at least other
infected machines (question mark - none on my keyboard).

I've checked one of those IPs; it's being used right now by a web
server pretty much infected with I-Worm.Nimda.A (AVG identification).
The standard page delivers a "readme.eml" file in a pop-up window;
less than a minute to have an infected "readme.exe" being executed.

I've heard about it, but had never seen it until then.

From a Linux box it is safe to access http 216.72.135.102 and verify
that the host is infecting all the Window$-based visitors' machines,
using the X/wav OE vulnerability, as far as I know (*Attention* Do not try
from a Win box; it's vulnerable).

By the way, what to do about it...


--- Luiz

ps: my previous post has a wrong month in its sent date (Abril); remove it
from the top of your message list and forgive me - I was in fact
convinced that it was April while finishing the configuration of a new
Debian box... the sole problem I faced, obviously mine.


--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org



Reply to: