[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: "suspicious" apache log entries

Hi Andreas.

Andreas Syksa wrote:
> I've seen tons of ../script/ and ../cmd.exe's  as I've got several
> machines with fixed ips.

I also received quite a lot of those requests, although our server is
not "official" by now, has no domain name (besides an "work-around"
solution using dyndns during the time we still work on the server
setup). I already told about that one or two weeks ago here on the list.

> Has anyone seen some Anti-Nimda/Code Red  beside
> http://www.eye-net.com.au/csmall/myscripts/nimda.html  ?

I wrote a small php-script for tarpitting Nimda and Co., but as I told here this was not very successful. It seems meanwhile there are lots of variants of Nimda out there who don't care about endless connections - they quit a connection after a timeout of less than 15 seconds.

Phillip Hofmeister stated that one could use the Nimda backdoor on the server that connects our server to setup a warning message on the attacking computer's desktop. I think this is a great idea, but I have not been able to track down what would be necessary to write code for doing so. Anyone on this list interested in teaming up on writing such an script?

Bye, Mike

Reply to: