Re: "suspicious" apache log entries
Andreas Syksa wrote:
> I've seen tons of ../script/ and ../cmd.exe's as I've got several
> machines with fixed IPs.
I also received quite a lot of those requests, although our server is
not "official" by now, has no domain name (besides a "work-around"
solution using dyndns during the time we still work on the server
setup). I already talked about that one or two weeks ago here on the list.
> Has anyone seen some Anti-Nimda/Code Red beside
> http://www.eye-net.com.au/csmall/myscripts/nimda.html ?
I wrote a small PHP script for tarpitting Nimda and Co., but as I said
here this was not very successful. It seems meanwhile there are lots of
variants of Nimda out there that don't care about endless connections -
they quit a connection after a timeout of less than 15 seconds.
Phillip Hofmeister stated that one could use the Nimda backdoor on the
server that connects our server to set up a warning message on the
attacking computer's desktop. I think this is a great idea, but I have
not been able to track down what would be necessary to write code for
doing so. Anyone on this list interested in teaming up on writing such