httpd-users mailing list archives

From "J. Greenlees" <ja...@shaw.ca>
Subject Re: [users@httpd] Disturbing: speed of Probing by IIS webservers (nimda?)
Date Tue, 03 Sep 2002 14:52:08 GMT
yup, they are nimda / code red attacks, but don't get too complacent 
with apache, there have been 7 virus attacks on *nix systems this year, 
seems that someone is now trying to hack past the *nix security, so these 
will be able to get past most software security, possibly including apache.
just a heads up, may want to start looking at av ware for *nix systems also.

John Elkins wrote:

>Even if you're not on a cable modem -- say a dialup that's permanently
>connected, the virus can find you.  Consider this:
>
>The virus spreads so there are thousands of infected machines out there
>looking to infect new machines.
>A given ISP probably has a block of addresses.  Once a machine is infected,
>it knows its own address and it can go searching for more vulnerable servers
>in the same block of addresses.
>It's very easy to write a program to scan IP addresses looking for a port
>80.
>
>This happened to me on a personal web server that shouldn't be known
>anywhere else, but my "public" web server is in the same block of addresses.
>
>j
>
>John Elkins
>Web and Database Technologies.  Storage Systems
>Vermont Database Corporation
>400 Upper Hollow Hill Road
>Stowe VT  05672-4510 USA
>802-249-0914; 775-822-2568 (FAX); 802-253-4146 (residence)
>john@vermontdatabase.com <mailto:john@vermontdatabase.com>
>www.vermontdatabase.com <http://www.vermontdatabase.com>
>
>
>
>
>>-----Original Message-----
>>From: Ven [mailto:venkman69@yahoo.com]
>>Sent: Tuesday, September 03, 2002 10:25 AM
>>To: users@httpd.apache.org
>>Subject: [users@httpd] Disturbing: speed of Probing by IIS webservers
>>(nimda?)
>>
>>
>>hi all,
>>
>>After last week's fight with my webserver and finally getting it
>>good to go due
>>to simple upgrade of my router firmware (bangs head against
>>wall), I am finding
>>some disturbing trends in the accesslog.
>>
>>Every time I start the server, I get those hits of the type of "GET ....
>>cmd.exe" - which, after a bit of searching the web, I understood to be
>>nimda/code red infected IIS webservers.
>>
>>That doesn't really bother me since everyone says apache is
>>unaffected. What
>>DOES bother me is how it found me: no one knows I have a
>>webserver. Thus far it
>>is a  personal webserver for no other use than to learn. So you
>>couldn't just
>>"happen" to come across the website since nothing really knows or
>>links to it.
>>So how is this IIS webserver or whatever it is getting to know
>>that my http
>>port is open? because within 2-15 minutes of starting the
>>webserver, I get hits
>>for a cmd.exe from one of these infected servers.
>>How in the world did it know I was online??
>>Is it because I already have something (virus?) that is breaching
>>the security
>>and letting this server know of my ip-address whereabouts?
>>I have zonealarm on the windows side and my router will not
>>respond to any WAN
>>requests (pings etc don't get a response).
>>Whatever it is that tries to get at the cmd.exe on my computer is pretty
>>impressive if the response time is that quick on a "blind" probing.
>>
>>Any ideas/thoughts?
>>
>>Ven
>>
>>
>>---------------------------------------------------------------------
>>The official User-To-User support forum of the Apache HTTP Server Project.
>>See <URL:http://httpd.apache.org/userslist.html> for more info.
>>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>>For additional commands, e-mail: users-help@httpd.apache.org
>>



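Added example, not part of the original thread: a short script that pulls the "GET ... cmd.exe" style probes discussed above out of an Apache access log and splits the sources into those inside the server's own ISP address block and those outside it. The Common Log Format layout, the `192.0.2.0/24` block and the sample lines are assumptions constructed for illustration; `root.exe` and `default.ida` are the other commonly logged Nimda / Code Red request paths and do not appear in the thread.

```python
import ipaddress
import re
from collections import Counter

# "cmd.exe" is the marker quoted in the thread; "root.exe" (Nimda) and
# "default.ida" (Code Red) are added here as other well-known probe paths.
PROBE = re.compile(r"(cmd\.exe|root\.exe|default\.ida)", re.IGNORECASE)
# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

def summarize_probes(lines, local_block):
    """Count worm-style probes per source and split the sources into those
    inside local_block (the block the server sits in) and those outside."""
    net = ipaddress.ip_network(local_block)
    per_source = Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        host, _when, request, _status = m.groups()
        if PROBE.search(request):
            per_source[host] += 1
    same, other = [], []
    for host in per_source:
        try:
            inside = ipaddress.ip_address(host) in net
        except ValueError:
            inside = False  # a hostname was logged instead of an address
        (same if inside else other).append(host)
    return per_source, sorted(same), sorted(other)

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE = [
    '192.0.2.17 - - [03/Sep/2002:10:02:11 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.0.2.17 - - [03/Sep/2002:10:02:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.8 - - [03/Sep/2002:10:09:40 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 279',
    '192.0.2.44 - - [03/Sep/2002:10:11:05 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.90 - - [03/Sep/2002:10:14:30 -0400] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 281',
]

if __name__ == "__main__":
    counts, same_block, elsewhere = summarize_probes(SAMPLE, "192.0.2.0/24")
    for host, n in counts.most_common():
        print(f"{host:15} {n} probe request(s)")
    print("sources in the server's own block:", same_block)
    print("sources outside it:", elsewhere)
```

A high share of sources from the server's own block matches the neighbour-scanning behaviour described in the quoted reply; the 404 status on each probe shows the requested file does not exist on the Apache host.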