Re: Re: iptables filtering rules
> Andrew Tait wrote:
>
> > The entries you are seeing are caused by the army of infected MS IIS
server
> > (Codered, Nimda, etc) try to hack into other IIS servers at random. I
see
> > these on every web server I manage that aren't behind a firewall (ie,
> > blocking port 80).
> >
>
> Yes, Andrew...the web server was not behind one. What a world _wild
> web!
>
> Just complementing the information you gave, without provoking an
> IIS (off) topic: do you believe that the source IPs of the requests
> relateds to that log entries belongs to exploiters or at least other
> infected machines (question mark - none in my keyboard).
A combination of all three most likely. Most of the time it will be an
infected IIS server. But I'm sure the script kiddies will try every now and
again.
> I've checked up one of that IPs; it's being used right now by a web
> server pretty much infected with I-Worm.Nimda.A! AVG identification.
> The standard page delivers a "readme.eml" file in a pop-up window;
> less then a minute to have an infected "readme.exe" being executed.
>
> I've heard about it, but never had seen until then.
That's the nimda virus all right. I still manage a few NT servers and
Windows clients and have to keep up with related security matters.
> From a Linux box is safe to acess http 216.72.135.102 and verify
> that the host is infecting all the Window$ based visitors machines,
> using X/wav OE vulnerability, so far I know (*Atention* Do not try
> from a Win box; it's vulnerable).
>
> By the way, what to do about it...
Make sure your not running IIS :-) If you are, patch it!
Apart from that I just ignore it, and secretly wish that some script kiddie
will wipe the hard drive of the infected machine.
Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: andrewt@cnl.com.au
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874
"It's the smell! If there is such a thing." Agent Smith - The Matrix
--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Reply to: