httpd-users mailing list archives

From "John Elkins" <j...@vermontdatabase.com>
Subject RE: [users@httpd] Disturbing: speed of Probing by IIS webservers (nimda?)
Date Tue, 03 Sep 2002 14:48:29 GMT
Even if you're not on a cable modem -- say a dialup that's permanently
connected, the virus can find you.  Consider this:

The virus spreads so there are thousands of infected machines out there
looking to infect new machines.
A given ISP probably has a block of addresses.  Once a machine is infected,
it knows its own address and it can go searching for more vulnerable servers
in the same block of addresses.
It's very easy to write a program to scan IP addresses looking for a port
80.

This happened to me on a personal web server that shouldn't be known
anywhere else, but my "public" web server is in the same block of addresses.

j

John Elkins
Web and Database Technologies.  Storage Systems
Vermont Database Corporation
400 Upper Hollow Hill Road
Stowe VT  05672-4510 USA
802-249-0914; 775-822-2568 (FAX); 802-253-4146 (residence)
john@vermontdatabase.com <mailto:john@vermontdatabase.com>
www.vermontdatabase.com <http://www.vermontdatabase.com>




> -----Original Message-----
> From: Ven [mailto:venkman69@yahoo.com]
> Sent: Tuesday, September 03, 2002 10:25 AM
> To: users@httpd.apache.org
> Subject: [users@httpd] Disturbing: speed of Probing by IIS webservers
> (nimda?)
>
>
> hi all,
>
> After last week's fight with my webserver and finally getting it good to go
> due to simple upgrade of my router firmware (bangs head against wall), I am
> finding some disturbing trends in the accesslog.
>
> Every time I start the server, I get those hits of the type of "GET ....
> cmd.exe" - which, after a bit of searching the web, I understood to be
> nimda/code red infected IIS webservers.
>
> That doesn't really bother me since everyone says apache is unaffected. What
> DOES bother me is how it found me: no one knows I have a webserver. Thus far
> it is a personal webserver for no other use than to learn. So you couldn't
> just "happen" to come across the website since nothing really knows or links
> to it.
> So how is this IIS webserver or whatever it is getting to know that my http
> port is open? because within 2-15 minutes of starting the webserver, I get
> hits for a cmd.exe from one of these infected servers.
> How in the world did it know I was online??
> Is it because I already have something (virus?) that is breaching the
> security and letting this server know of my ip-address whereabouts?
> I have zonealarm on the windows side and my router will not respond to any
> WAN requests (pings etc don't get a response).
> Whatever it is that tries to get at the cmd.exe on my computer is pretty
> impressive if the response time is that quick on a "blind" probing.
>
> Any ideas/thoughts?
>
> Ven
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
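
Added example, not part of either message and not Apache project code: a way to check the access log for the "GET ... cmd.exe" probes discussed above and to count how many probing sources sit in the same address block as the server. It assumes Common Log Format; the server address 10.20.30.40 and the log lines are constructed, and `root.exe` and `default.ida` are added alongside the thread's `cmd.exe` as other targets commonly requested by Nimda and Code Red hosts.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+')
# cmd.exe is the probe named in the thread; root.exe and default.ida are
# other targets commonly requested by Nimda / Code Red infected hosts.
PROBE = re.compile(r'(cmd\.exe|root\.exe|default\.ida)', re.IGNORECASE)

# Constructed sample lines (not from the thread); server assumed at 10.20.30.40.
SAMPLE_LOG = [
    '10.20.30.77 - - [03/Sep/2002:10:02:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '10.20.30.77 - - [03/Sep/2002:10:02:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 279',
    '10.20.99.5 - - [03/Sep/2002:10:09:40 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287',
    '10.200.1.1 - - [03/Sep/2002:10:15:03 -0400] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276',
    '192.0.2.14 - - [03/Sep/2002:10:21:57 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 277',
    '192.0.2.50 - - [03/Sep/2002:10:30:00 -0400] "GET /index.html HTTP/1.0" 200 1024',
]

def parse_probes(lines):
    """Return [(source_ip, matched_target)] for log lines that look like worm probes."""
    found = []
    for line in lines:
        m = CLF.match(line)
        hit = PROBE.search(m.group(2)) if m else None
        if not hit:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname logged instead of an address; skip it
        found.append((src, hit.group(1).lower()))
    return found

def summarize(lines, server_ip, prefixes=(8, 16, 24)):
    """Count probing sources and how many share each prefix length with server_ip."""
    probes = parse_probes(lines)
    sources = {ip for ip, _ in probes}
    same = {}
    for p in prefixes:
        net = ipaddress.ip_network(f"{server_ip}/{p}", strict=False)
        same[p] = sum(1 for ip in sources if ip in net)
    return {"probes": len(probes), "sources": len(sources),
            "targets": Counter(t for _, t in probes), "same_prefix": same}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "10.20.30.40"))
```

A high share of sources in the server's own /16 or /8 is consistent with the neighbouring-block scanning described in the reply, and the probe count over time gives the unsolicited request rate a newly started server should expect.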



