httpd-users mailing list archives

From Ven <venkma...@yahoo.com>
Subject Re: [users@httpd] Disturbing: speed of Probing by IIS webservers (nimda?)
Date Tue, 03 Sep 2002 16:50:42 GMT
Thanks guys, that does put the issue in a new light. I can see how these things
can be so fast (buggers!). I am on a DSL line. Maybe I am going to create a
file called cmd.exe - which is just a 10GB file with utter crap in it.. naah..


--- "J. Greenlees" <jaqui@shaw.ca> wrote:
> yup, they are nimda / code red attacks, but don't get too complacent
> with apache, there have been 7 virus attacks on *nix systems this year,
> seems that someone is now trying to hack past the *nix security, so these
> will be able to get past most software security, possibly including apache.
> just a heads up, may want to start looking at av ware for *nix systems also.
> 
> John Elkins wrote:
> 
> >Even if you're not on a cable modem -- say a dialup that's permanently
> >connected, the virus can find you.  Consider this:
> >
> >The virus spreads so there are thousands of infected machines out there
> >looking to infect new machines.
> >A given ISP probably has a block of addresses.  Once a machine is infected,
> >it knows its own address and it can go searching for more vulnerable servers
> >in the same block of addresses.
> >It's very easy to write a program to scan IP addresses looking for a port
> >80.
> >
> >This happened to me on a personal web server that shouldn't be known
> >anywhere else, but my "public" web server is in the same block of addresses.
> >
> >j
> >
> >John Elkins
> >Web and Database Technologies.  Storage Systems
> >Vermont Database Corporation
> >400 Upper Hollow Hill Road
> >Stowe VT  05672-4510 USA
> >802-249-0914; 775-822-2568 (FAX); 802-253-4146 (residence)
> >john@vermontdatabase.com <mailto:john@vermontdatabase.com>
> >www.vermontdatabase.com <http://www.vermontdatabase.com>
> >
> >
> >
> >
> >>-----Original Message-----
> >>From: Ven [mailto:venkman69@yahoo.com]
> >>Sent: Tuesday, September 03, 2002 10:25 AM
> >>To: users@httpd.apache.org
> >>Subject: [users@httpd] Disturbing: speed of Probing by IIS webservers
> >>(nimda?)
> >>
> >>
> >>hi all,
> >>
> >>After last week's fight with my webserver and finally getting it good to go
> >>due to simple upgrade of my router firmware (bangs head against wall), I am
> >>finding some disturbing trends in the accesslog.
> >>
> >>Every time I start the server, I get those hits of the type of "GET ....
> >>cmd.exe" - which, after a bit of searching the web, I understood to be
> >>nimda/code red infected IIS webservers.
> >>
> >>That doesn't really bother me since everyone says apache is unaffected. What
> >>DOES bother me is how it found me: no one knows I have a webserver. Thus far
> >>it is a personal webserver for no other use than to learn. So you couldn't
> >>just "happen" to come across the website since nothing really knows or links
> >>to it.
> >>So how is this IIS webserver or whatever it is getting to know that my http
> >>port is open? because within 2-15 minutes of starting the webserver, I get
> >>hits for a cmd.exe from one of these infected servers.
> >>How in the world did it know I was online??
> >>Is it because I already have something (virus?) that is breaching the
> >>security and letting this server know of my ip-address whereabouts?
> >>I have zonealarm on the windows side and my router will not respond to any
> >>WAN requests (pings etc don't get a response).
> >>Whatever it is that tries to get at the cmd.exe on my computer is pretty
> >>impressive if the response time is that quick on a "blind" probing.
> >>
> >>Any ideas/thoughts?
> >>
> >>Ven
> >>
> >>__________________________________________________
> >>Do You Yahoo!?
> >>Yahoo! Finance - Get real-time stock quotes
> >>http://finance.yahoo.com
> >>
> >>---------------------------------------------------------------------
> >>The official User-To-User support forum of the Apache HTTP Server Project.
> >>See <URL:http://httpd.apache.org/userslist.html> for more info.
> >>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> >>For additional commands, e-mail: users-help@httpd.apache.org
> >>




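The probes discussed in this thread can be tallied straight from the access log. The following is an added example, not part of any message in the thread: it counts worm-style requests per source and marks sources that sit in the server's own address block, the pattern John Elkins describes. The function name, log lines and addresses are constructed, and `root.exe` / `default.ida` are request targets not mentioned in the thread.

```python
import ipaddress
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')

# "cmd.exe" is the request named in the thread; root.exe and default.ida are
# other widely documented Nimda / Code Red targets (assumption, not from the thread).
PROBE = re.compile(r'(cmd\.exe|root\.exe|default\.ida)', re.IGNORECASE)

def summarize_probes(lines, my_ip, prefix_len=24):
    """Return (source, probe_count, in_my_block) tuples, busiest source first."""
    my_block = ipaddress.ip_network(f"{my_ip}/{prefix_len}", strict=False)
    hits = Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        host, request, _status = m.groups()
        if PROBE.search(request):
            hits[host] += 1
    report = []
    for host, count in hits.most_common():
        try:
            same_block = ipaddress.ip_address(host) in my_block
        except ValueError:
            same_block = False  # a hostname was logged instead of an address
        report.append((host, count, same_block))
    return report

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '192.0.2.77 - - [03/Sep/2002:10:02:11 -0400] "GET /scripts/root.exe HTTP/1.0" 404 286',
    '192.0.2.77 - - [03/Sep/2002:10:02:12 -0400] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 294',
    '198.51.100.9 - - [03/Sep/2002:10:03:40 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.5 - - [03/Sep/2002:10:05:02 -0400] "GET /default.ida HTTP/1.0" 404 279',
    '192.0.2.140 - - [03/Sep/2002:10:09:55 -0400] "GET /d/winnt/system32/cmd.exe HTTP/1.0" 404 294',
]

if __name__ == "__main__":
    for host, count, same_block in summarize_probes(SAMPLE, "192.0.2.10"):
        where = "same block" if same_block else "elsewhere"
        print(f"{host:15} {count:3} probe(s)  {where}")
```

A high share of "same block" sources is what neighbour-first scanning looks like from the receiving end; widen `prefix_len` to match the size of the ISP's allocation.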