
Re: Cracked cracker?



Michael Olds wrote:

> This is a small sample from my access log. Can someone explain to me why
> this person

It's not a person.

> would repeatedly attempt access to my computer using the same IP
> and the same requests over and over? This isn't to the point of being a DOS
> attack; can't they see I don't have any of these things that they think will
> enable them to crack my machine? Or is there something else going on here?
> 
> 
> 63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
> 63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268 "-" "-"
> 63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"

[etc.]

I have to admit I'm amazed that anyone running a mailserver wouldn't know
what that was. Have you just set up one for the first time?

Anyway, this is the Windows Nimda virus trying to break into a
vulnerable installation of the Microsoft IIS server, not realizing that
you're not what it's looking for. Nimda has been doing this for at least
a year now, I think, and it got quite a lot of press when it first came
out.

Unsurprisingly, 63.205.213.16 appears to belong to a local cable company
that offers digital TV and cable modem services. So the machine in
question is probably just a Windows 2000 machine belonging to one of
their customers, who, typical of the average Windows user, has no idea
that he is running a web server on his computer, no idea that his
computer is infected with a virus, and no idea what the phrase "security
update" means.

Although, interestingly, telnetting to 63.205.213.16 on the www and smtp
ports gets "connection refused". So either the user has belatedly got a
clue, or they've simply gone offline and someone else now has their DHCP
address.

Craig
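The point Craig makes is that the three requests are worm probes for an IIS box and that the 404s show they hit nothing. The following is an added example, not code from either poster, that puts that reasoning into a small log checker: it parses Apache common/combined log lines, flags request paths that carry the IIS-worm indicators visible in the quoted log (root.exe, cmd.exe, the /MSADC/ path, and directory traversal after URL-decoding), and reports per-source counts and response statuses. The sample log is constructed: it is Michael's three lines re-joined onto single lines, plus one further probe line and two ordinary requests from a reserved documentation address, added here for contrast.

```python
import re
from urllib.parse import unquote

# Constructed sample log. Lines 1-3 are the probes quoted in the thread;
# line 4 is an added double-encoded traversal probe of the same family;
# lines 5-6 are ordinary requests from a documentation address (RFC 5737).
SAMPLE_LOG = """\
63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 268 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:07 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 278 "-" "-"
63.205.213.16 - - [11/Dec/2002:13:16:08 -0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280 "-" "-"
192.0.2.10 - - [11/Dec/2002:13:20:01 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Dec/2002:13:20:02 -0800] "GET /style.css HTTP/1.1" 200 512 "http://example.invalid/" "Mozilla/5.0"
"""

# Apache common log format prefix (the "combined" referer/agent fields that
# follow are ignored, so both formats parse).
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators taken from the quoted requests: the worm's dropped root.exe,
# a direct cmd.exe invocation, the MSADC sample-app path, and a traversal
# sequence (matched after decoding, so %255c-style double encoding is seen).
WORM_PATH_RE = re.compile(r'(root\.exe|cmd\.exe|/msadc/|\.\.[\\/])', re.IGNORECASE)


def parse_clf(line):
    """Return the log fields as a dict, or None for a malformed line."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_iis_worm_probe(path):
    """True if the request path carries an IIS worm-style indicator."""
    # Decode twice: the worms hid '\' and '/' behind %255c / %252f.
    decoded = unquote(unquote(path))
    return WORM_PATH_RE.search(decoded) is not None


def summarize_probes(log_text):
    """Per-source summary of probe requests: count, status histogram, paths."""
    per_ip = {}
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or not is_iis_worm_probe(rec["path"]):
            continue
        entry = per_ip.setdefault(rec["ip"], {"count": 0, "statuses": {}, "paths": []})
        entry["count"] += 1
        entry["statuses"][rec["status"]] = entry["statuses"].get(rec["status"], 0) + 1
        entry["paths"].append(rec["path"])
    return per_ip


def flagged_sources(log_text, threshold=3):
    """Sources that sent at least `threshold` probe requests, sorted."""
    return sorted(ip for ip, e in summarize_probes(log_text).items()
                  if e["count"] >= threshold)


def served_anything(log_text):
    """Sources whose probes ever got a 2xx: the case that actually matters."""
    return sorted(ip for ip, e in summarize_probes(log_text).items()
                  if any(s.startswith("2") for s in e["statuses"]))


if __name__ == "__main__":
    for ip, entry in summarize_probes(SAMPLE_LOG).items():
        print(f"{ip}: {entry['count']} probes, statuses {entry['statuses']}")
    print("flagged:", flagged_sources(SAMPLE_LOG))
    print("probes that succeeded:", served_anything(SAMPLE_LOG))
```

The status histogram is the check worth keeping: a scanning source that only ever draws 404s is noise to be rate-limited or ignored, whereas a single 200 against one of these paths on a host that is supposed to be running IIS means the box needs to be taken off the network, not just patched.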


