> From what i read about the 'Code Red'-worm, it was supposed
> to be scanning
> for IIS-servers. It obviously is'nt, i believe it tries to infect
> everything they find on port 80, or something as simple as that.
I suspect you're right. I've noticed exploit attempts on all web servers
here, but only one of them is running IIS. The IDS has been monitoring a
rapid increase in IIS related attacks, which are presumably related to this
worm. It started about 2-3 days ago, but the last 24 hours have been
particularly intense. It's certainly not picky about what servers it will
try and attack (though I can't see the exploits succeeding on the UNIX
Apache servers ;) ).
> About three to four days ago, i started to get those
> default.ida-GET's in
> my Apache-logs. I shut down the server as fast as i could,
> and checked for
> outgoing connections from my computer, and then did some research.
> I was told that it was an IIS-worm, and that it could'nt affect
> Apache-servers, so i was safe. I turned the server back on,
> and from that
> day i have received forty-one attempts.
I've had a lot more than 41. Every attempt is logged and archived here.
