Re: "suspicious" apache log entries

Hi Andreas.

Andreas Syksa wrote:
> I've seen tons of ../script/ and ../cmd.exe's as I've got several
> machines with fixed IPs.

I also received quite a lot of those requests, although our server is
not "official" by now and has no domain name (besides a "work-around"
solution using dyndns during the time we still work on the server
setup). I already wrote about that one or two weeks ago here on the list.

> Has anyone seen some Anti-Nimda/Code Red  beside
> http://www.eye-net.com.au/csmall/myscripts/nimda.html  ?

I wrote a small php-script for tarpitting Nimda and Co., but as I mentioned here this was not very successful. It seems meanwhile there are lots of variants of Nimda out there that don't care about endless connections - they quit a connection after a timeout of less than 15 seconds.

Phillip Hofmeister stated that one could use the Nimda backdoor on the server that connects to our server to set up a warning message on the attacking computer's desktop. I think this is a great idea, but I have not been able to track down what would be necessary to write code for doing so. Anyone on this list interested in teaming up on writing such a script?

Bye, Mike
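Added example, not part of the thread above: a small Python scanner that picks the Nimda/Code Red probe requests Andreas and Mike describe (root.exe, cmd.exe, ../ traversal, default.ida) out of Apache combined-format log lines and tallies them per source address. The log lines and the signature set are constructed here from public descriptions of those worms; the signature names are my own.

```python
import re

# Constructed sample Apache combined-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2001:10:12:01 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
10.0.0.5 - - [20/Sep/2001:10:12:02 +0200] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
10.0.0.7 - - [20/Sep/2001:10:13:44 +0200] "GET /default.ida?XXXXXXXX%u9090%u6858 HTTP/1.0" 404 287 "-" "-"
192.168.1.9 - - [20/Sep/2001:10:14:10 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
"""

# Apache combined log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request-path signatures of IIS worm probes as they appear on an Apache host.
# Assumed set, drawn from public Nimda / Code Red write-ups (hypothetical names).
SIGNATURES = {
    "nimda-root.exe": re.compile(r"/root\.exe", re.I),
    "nimda-cmd.exe": re.compile(r"cmd\.exe", re.I),
    "nimda-traversal": re.compile(r"(\.\./|\.\.%5c|%c0%af|%c1%1c)", re.I),
    "codered-default.ida": re.compile(r"/default\.ida", re.I),
}

def parse_line(line):
    """Return the captured fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(path):
    """Names of all signatures matching the request path (in SIGNATURES order)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]

def scan(log_text):
    """Return one record per log line whose request path matches a signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than guess
        tags = classify(rec["path"])
        if tags:
            hits.append({"ip": rec["ip"], "path": rec["path"],
                         "status": rec["status"], "tags": tags})
    return hits

def sources(hits):
    """Count matching requests per source address, to spot the noisiest probers."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ip"], h["status"], ",".join(h["tags"]), h["path"])
    print(sources(scan(SAMPLE_LOG)))
```

On an Apache server these probes always miss (the 404s above), so the per-IP counts are mainly useful for deciding which hosts to firewall or report rather than for judging whether the server is at risk.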

