
Re: Re: iptables filtering rules



> Andrew Tait wrote:
>
> > The entries you are seeing are caused by the army of infected MS IIS
> > servers (Codered, Nimda, etc) trying to hack into other IIS servers at
> > random. I see these on every web server I manage that aren't behind a
> > firewall (ie, blocking port 80).
> >
>
> Yes, Andrew...the web server was not behind one. What a world _wild
> web!
>
> Just complementing the information you gave, without provoking an
> IIS (off) topic: do you believe that the source IPs of the requests
> related to those log entries belong to exploiters or at least other
> infected machines (question mark - none on my keyboard).

A combination of all three most likely. Most of the time it will be an
infected IIS server. But I'm sure the script kiddies will try every now and
again.

> I've checked up one of those IPs; it's being used right now by a web
> server pretty much infected with I-Worm.Nimda.A! AVG identification.
> The standard page delivers a "readme.eml" file in a pop-up window;
> less than a minute to have an infected "readme.exe" being executed.
>
> I've heard about it, but had never seen it until then.

That's the nimda virus all right. I still manage a few NT servers and
Windows clients and have to keep up with related security matters.

> From a Linux box it is safe to access http 216.72.135.102 and verify
> that the host is infecting all the Window$ based visitors' machines,
> using the X/wav OE vulnerability, as far as I know (*Attention* Do not try
> from a Win box; it's vulnerable).
>
> By the way, what to do about it...

Make sure you're not running IIS :-) If you are, patch it!

Apart from that I just ignore it, and secretly wish that some script kiddie
will wipe the hard drive of the infected machine.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: andrewt@cnl.com.au
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix
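The thread describes worm-infected IIS hosts leaving probe entries in a web server's log, and the subject line is iptables filtering. The following script is an added example, not code from this thread or its posters: it classifies access-log lines by the well-known Code Red (/default.ida) and Nimda (root.exe, cmd.exe, encoded /scripts/ traversal) request paths, tallies hits per source IP, and emits iptables DROP rules for the sources. The log lines are constructed for the example; the path signatures are the publicly documented probe patterns of those worms, not anything taken from the poster's own logs.

```python
"""Flag Code Red / Nimda style IIS probes in an Apache-format access log
and turn the noisy sources into iptables rules.

Added example for the debian-security thread above; not the posters' code.
SAMPLE_LOG is constructed. The signature paths are the well-known probe
patterns of Code Red (/default.ida) and Nimda (root.exe, cmd.exe and the
encoded /scripts/ directory traversal).
"""
import re
from collections import Counter

# NCSA common log format: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# (pattern, label); first match wins. Code Red hits /default.ida with a long
# buffer; Nimda walks the IIS root.exe/cmd.exe and traversal paths.
SIGNATURES = [
    (re.compile(r'^/default\.ida'), 'codered'),
    (re.compile(r'/root\.exe', re.I), 'nimda'),
    (re.compile(r'/cmd\.exe', re.I), 'nimda'),
    (re.compile(r'/scripts/\.\.%', re.I), 'nimda'),   # encoded ../ via /scripts/
    (re.compile(r'%c0%af|%c1%1c', re.I), 'nimda'),    # unicode traversal variants
]

# Constructed sample: two legitimate hits, one Nimda scanner, one Code Red scanner.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2001:10:12:01 +1000] "GET /index.html HTTP/1.0" 200 2326
192.0.2.10 - - [19/Sep/2001:10:12:05 +1000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 294
192.0.2.10 - - [19/Sep/2001:10:12:05 +1000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 294
192.0.2.10 - - [19/Sep/2001:10:12:06 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
192.0.2.10 - - [19/Sep/2001:10:12:06 +1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
198.51.100.7 - - [19/Sep/2001:10:15:40 +1000] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 282
10.0.0.5 - - [19/Sep/2001:10:16:00 +1000] "GET /images/logo.png HTTP/1.0" 200 5120
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not NCSA format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the worm label for a request path, or None for ordinary traffic."""
    for pattern, label in SIGNATURES:
        if pattern.search(path):
            return label
    return None


def summarize(log_text):
    """Map each probing source IP to a Counter of worm labels seen from it."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec['path'])
        if label is None:
            continue
        hits.setdefault(rec['ip'], Counter())[label] += 1
    return hits


def iptables_rules(hits, min_hits=1):
    """Emit one INPUT DROP rule on tcp/80 per source with at least min_hits probes."""
    rules = []
    for ip in sorted(hits):
        if sum(hits[ip].values()) >= min_hits:
            rules.append(f"iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP")
    return rules


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip, counts in sorted(summary.items()):
        print(ip, dict(counts))
    for rule in iptables_rules(summary):
        print(rule)
```

On a non-IIS server every one of these requests is already a harmless 404, so the rules mainly buy quieter logs; and because the sources are infected machines rather than a fixed attacker, the list churns, which is why the reply's "just ignore it" is often the practical answer. If you do apply the rules, expire them after a few days rather than accumulating an ever-growing chain.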




-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
