Hello.

Do you have a fixed or dynamic IP?
If it is fixed, did you change your IP recently? (If yes, it may be a redundant connection: a user who
used to connect to this IP when it belonged to somebody else and who still wants to connect to that
person.)

What is your IP?
If you cannot make it public, please send it to my email.
OR
What do you have on this page? (What does it show?)

Port 43434 is sometimes used for SSH tunneling. However, I cannot see the connection with your
server.
In addition, the 'hacker' uses many different, ascending ports with great gaps between them. This
may appear when the 'hacker' uses a hacking tool to scan the Internet for victims.

How many connections do you have from this stranger in one hour?

------

I do not really think you need protection. Exploits appear for famous web servers, when
somebody knows what the weak point is and how to penetrate through that point.
Just keep your server anonymous (do not display any info about the server type and version).
In the BEST CASE, a hacker can block/reset your server (flood). It is really really really
difficult to penetrate a server and take over your computer/server or to delete/replace the web
content.

However, if you still want, you can modify the demo to make a small... something, I do not know
what to call it.
It is like a firewall, but it will trigger only if the visitor tries to connect to the server more than
20 times in a minute.
If somebody tries to connect even faster, 10/sec, then the firewall will trigger more quickly.
No decent user will try to request so many pages in a minute. Therefore, you can filter the
'enemy' out.

-------

PS: the elementary school is the ideal place for a (small) hacker to hatch and grow.
Small hacker = script kid

PS2: the server you mentioned (124.0.90.2) currently runs an SSH server. They also have Telnet,
FTP and of course HTTP. They are also running some strange services that I was unable to identify
for sure, but I think that server is infected with NetPort Discovery Port Masters Paradise Trojan
Horse (3129 open). So it just scanned your computer purely at random.
Still, I do not understand why it scanned you more than once.

-------



Finally:

As an unwritten rule: the higher the port used, the greater the chance that the connection is an
attack (it is coming from 'bad' software with bad intentions).

--- Rich Cooper <[EMAIL PROTECTED]> wrote:

> Hi All,
> 
> I have my Indy 9 httpserver running, and I have it store a log of
> which IPs access the site.  There is one persistent visitor who
> shouldn't even be there.  It's from IP address http://124.0.90.2/
> When I point IE at that address, I get a web page with Asian
> characters on it that says something about Yeonseo elementary
> school.
> 
> Perhaps that site has been permeated by a virus that looks around
> the web for other sites to infect.  Here's the section of log that
> shows what they were after:
> 
> User logged in 124.0.90.2:43434
> User logged out
> User logged in 124.0.90.2:37702
> Command GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php received from 124.0.90.2:37702
> User logged out
> User logged in 124.0.90.2:37788
> Command GET /adxmlrpc.php received from 124.0.90.2:37788
> User logged out
> User logged in 124.0.90.2:37869
> Command GET /adserver/adxmlrpc.php received from 124.0.90.2:37869
> User logged out
> User logged in 124.0.90.2:37950
> Command GET /phpAdsNew/adxmlrpc.php received from 124.0.90.2:37950
> User logged out
> User logged in 124.0.90.2:38031
> Command GET /phpadsnew/adxmlrpc.php received from 124.0.90.2:38031
> User logged out
> User logged in 124.0.90.2:38113
> Command GET /phpads/adxmlrpc.php received from 124.0.90.2:38113
> User logged out
> User logged in 124.0.90.2:38190
> Command GET /Ads/adxmlrpc.php received from 124.0.90.2:38190
> User logged out
> User logged in 124.0.90.2:38270
> Command GET /ads/adxmlrpc.php received from 124.0.90.2:38270
> User logged out
> User logged in 124.0.90.2:38435
> Command GET /xmlrpc.php received from 124.0.90.2:38435
> User logged out
> User logged in 124.0.90.2:38517
> Command GET /xmlrpc/xmlrpc.php received from 124.0.90.2:38517
> User logged out
> User logged in 124.0.90.2:38600
> Command GET /xmlsrv/xmlrpc.php received from 124.0.90.2:38600
> User logged out
> User logged in 124.0.90.2:38681
> Command GET /blog/xmlrpc.php received from 124.0.90.2:38681
> User logged out
> User logged in 124.0.90.2:38763
> Command GET /drupal/xmlrpc.php received from 124.0.90.2:38763
> User logged out
> 
> Does anyone have any suggestions about components/techniques that
> could provide some security for the server?
> 
> Thanks,
> Rich 
> 
> __________________________________________________
> Delphi-Talk mailing list -> Delphi-Talk@elists.org
> http://www.elists.org/mailman/listinfo/delphi-talk
> 


If I choose Christianity then the Islamic will say I'm a pagan.
If I choose Islamic then the Buddhism will say I'm a pagan.
If I chose Buddhism then the Jewish will say I'm pagan.
If I choose no God then everybody will say I'm pagan.
Please, can I be free? Can you NOT tell me how I should live MY life?

__________________________________________________
Delphi-Talk mailing list -> Delphi-Talk@elists.org
http://www.elists.org/mailman/listinfo/delphi-talk
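
The connection-rate filter suggested in the reply above, sketched as an added example; it is not part of the original message or of any Indy demo. The class and function names are hypothetical, the 10-minute block time is an assumption (the message gives none), and "10/sec" is read here as 10 connections inside one second.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60.0   # from the message: "more than 20 times in a minute"
MAX_PER_WINDOW = 20
BURST_SECONDS = 1.0     # from the message: "even faster, 10/sec"
MAX_PER_BURST = 10
BLOCK_SECONDS = 600.0   # assumption: the message does not say how long to block


class ConnectionLimiter:
    """Per-IP sliding-window limiter with a faster burst trigger."""

    def __init__(self):
        self._seen = defaultdict(deque)   # ip -> timestamps of recent connections
        self._blocked_until = {}          # ip -> time at which the block expires

    def allow(self, ip, now):
        """Record a connection from ip at time now (seconds); False means drop it."""
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False
            del self._blocked_until[ip]   # block expired, start counting afresh

        seen = self._seen[ip]
        seen.append(now)
        # Forget connections that have left the one-minute window.
        while seen and now - seen[0] >= WINDOW_SECONDS:
            seen.popleft()

        burst = sum(1 for t in seen if now - t < BURST_SECONDS)
        if burst >= MAX_PER_BURST or len(seen) > MAX_PER_WINDOW:
            self._blocked_until[ip] = now + BLOCK_SECONDS
            del self._seen[ip]            # history is not needed while blocked
            return False
        return True


def first_blocked(limiter, ip, start, interval, count):
    """Feed evenly spaced connections; return the 1-based index of the first drop."""
    for i in range(count):
        if not limiter.allow(ip, start + i * interval):
            return i + 1
    return None
```

The same check can be called from the server's connection handler with the peer address and the current time; a dropped peer is disconnected before any request is parsed.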