httpd-users mailing list archives

From "Jacob Coby" <jc...@listingbook.com>
Subject Re: [users@httpd] Disturbing: speed of Probing by IIS webservers (nimda?)
Date Tue, 03 Sep 2002 17:03:13 GMT
ln -s /dev/random cmd.exe

also known as "how to totally fill your upload bandwidth"

Maybe, if you're lucky, it will cause a buffer overrun and crash the
offending server. ;)

----- Original Message -----
From: "Ven" <venkman69@yahoo.com>
To: <users@httpd.apache.org>
Sent: Tuesday, September 03, 2002 12:50 PM
Subject: Re: [users@httpd] Disturbing: speed of Probing by IIS webservers (nimda?)


> Thanks guys, that does put the issue in new light. I can see how these things
> can be so fast (buggers!). I am on a DSL line. Maybe I am going to create a
> file called cmd.exe - which is just a 10GB file with utter crap in it..naah..
>
>
> --- "J. Greenlees" <jaqui@shaw.ca> wrote:
> > yup, they are nimda / code red attacks, but don't get too complacent
> > with apache, there have been 7 virus attacks on *nix systems this year,
> > seems that someone is now trying to hack past the *nix security, so these
> > will be able to get past most software security, possibly including apache.
> > Just a heads up, may want to start looking at av ware for *nix systems also.
> >
> > John Elkins wrote:
> >
> > >Even if you're not on a cable modem -- say a dialup that's permanently
> > >connected, the virus can find you.  Consider this:
> > >
> > >The virus spreads so there are thousands of infected machines out there
> > >looking to infect new machines.
> > >A given ISP probably has a block of addresses.  Once a machine is infected,
> > >it knows its own address and it can go searching for more vulnerable servers
> > >in the same block of addresses.
> > >It's very easy to write a program to scan IP addresses looking for a port
> > >80.
> > >
> > >This happened to me on a personal web server that shouldn't be known
> > >anywhere else, but my "public" web server is in the same block of addresses.
> > >
> > >j
> > >
> > >John Elkins
> > >Web and Database Technologies.  Storage Systems
> > >Vermont Database Corporation
> > >400 Upper Hollow Hill Road
> > >Stowe VT  05672-4510 USA
> > >802-249-0914; 775-822-2568 (FAX); 802-253-4146 (residence)
> > >john@vermontdatabase.com <mailto:john@vermontdatabase.com>
> > >www.vermontdatabase.com <http://www.vermontdatabase.com>
> > >
> > >
> > >
> > >
> > >>-----Original Message-----
> > >>From: Ven [mailto:venkman69@yahoo.com]
> > >>Sent: Tuesday, September 03, 2002 10:25 AM
> > >>To: users@httpd.apache.org
> > >>Subject: [users@httpd] Disturbing: speed of Probing by IIS webservers
> > >>(nimda?)
> > >>
> > >>
> > >>hi all,
> > >>
> > >>After last week's fight with my webserver and finally getting it good to go due
> > >>to simple upgrade of my router firmware (bangs head against wall), I am finding
> > >>some disturbing trends in the accesslog.
> > >>
> > >>Every time I start the server, I get those hits of the type of "GET ....
> > >>cmd.exe" - which, after a bit of searching the web, I understood to be
> > >>nimda/code red infected IIS webservers.
> > >>
> > >>That doesn't really bother me since everyone says apache is unaffected. What
> > >>DOES bother me is how it found me: no one knows I have a webserver. Thus far it
> > >>is a personal webserver for no other use than to learn. So you couldn't just
> > >>"happen" to come across the website since nothing really knows or links to it.
> > >>So how is this IIS webserver or whatever it is getting to know that my http
> > >>port is open? Because within 2-15 minutes of starting the webserver, I get hits
> > >>for a cmd.exe from one of these infected servers.
> > >>How in the world did it know I was online??
> > >>Is it because I already have something (virus?) that is breaching the security
> > >>and letting this server know of my ip-address whereabouts?
> > >>I have zonealarm on the windows side and my router will not respond to any WAN
> > >>requests (pings etc don't get a response).
> > >>Whatever it is that tries to get at the cmd.exe on my computer is pretty
> > >>impressive if the response time is that quick on a "blind" probing.
> > >>
> > >>Any ideas/thoughts?
> > >>
> > >>Ven
> > >>
> > >>__________________________________________________
> > >>Do You Yahoo!?
> > >>Yahoo! Finance - Get real-time stock quotes
> > >>http://finance.yahoo.com
> > >>
> > >>---------------------------------------------------------------------
> > >>The official User-To-User support forum of the Apache HTTP Server Project.
> > >>See <URL:http://httpd.apache.org/userslist.html> for more info.
> > >>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > >>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> > >>For additional commands, e-mail: users-help@httpd.apache.org
> > >>




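The "GET .... cmd.exe" hits Ven reports and the same-block scanning John Elkins describes can be measured from an access log. The following is an added example, not part of the original thread: it assumes Apache Common Log Format, a /24 as the "block of addresses", and constructed sample lines using documentation address ranges; `root.exe` and `default.ida` are added as other well-known Nimda / Code Red request names alongside the `cmd.exe` named in the thread.

```python
import ipaddress
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+')

# cmd.exe is the request named in the thread; root.exe and default.ida are
# added here as other well-known Nimda / Code Red request names.
PROBE = re.compile(r"cmd\.exe|root\.exe|default\.ida", re.IGNORECASE)

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    '198.51.100.23 - - [03/Sep/2002:10:02:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '198.51.100.23 - - [03/Sep/2002:10:02:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.140 - - [03/Sep/2002:10:09:40 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '203.0.113.9 - - [03/Sep/2002:10:15:03 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 279',
    '192.0.2.50 - - [03/Sep/2002:10:20:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
    'truncated line without a request field',
]


def summarize_probes(lines, server_ip, block_prefix=24):
    """Return (hits per source, probes from the server's block, probes from elsewhere)."""
    block = ipaddress.ip_network(f"{server_ip}/{block_prefix}", strict=False)
    per_source = Counter()
    same_block = other = 0
    for line in lines:
        m = CLF.match(line)
        if not m or not PROBE.search(m.group(2)):
            continue  # unparsable line or an ordinary request
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # host field is a name (HostnameLookups On), skip it
        per_source[str(src)] += 1
        if src in block:
            same_block += 1
        else:
            other += 1
    return per_source, same_block, other


if __name__ == "__main__":
    # 198.51.100.17 stands in for the server's own public address (assumption).
    sources, near, far = summarize_probes(SAMPLE_LOG, "198.51.100.17")
    for ip, hits in sources.most_common():
        print(f"{ip:15} {hits} probe(s)")
    print(f"same /24 as server: {near}, elsewhere: {far}")
```

A large same-block share in the output matches the neighbour-scanning explanation given in the thread for how an unadvertised server gets probed within minutes.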