On 2001.08.06 00:10 Alejandro González Hernández - Imoq wrote:
> Hi!
>
> I seem to be getting a kind of web exploit in my server. I have noticed
> this in error_log since two days ago (I'll paste just a little bit of the
> file, of course):
>
> [Mon Aug 6 02:24:36 2001] [error] [client 80.62.247.43] File does not
> exist: /home/pages/mgdhost/default.ida
....
> Also, I noticed something like:
>
> [Sun Aug 5 16:50:05 2001] [error] [client 61.168.52.212] Invalid URI in
> request
>
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>
> HTTP/1.0
>
> From one of the attackers' IPs, as well.
>
> I believe that it is an IIS-oriented attack, thus, nothing will happen
> to my server, because I am running Apache, but I would like to
> know your opinions about this, and what I could do.
>
> Of course, I can't block port 80 (I have webpages), and I think that
> going to my firewall and deny every single IP that is attacking me could
> be a bad idea, since there are a lot of different IPs (hacked systems, I
> guess).
>
> What do you recommend me to do? Just ignore it, and go on with my life?
> :).
>
> Thanks for your comments.

Alex, how have you escaped hearing of the CodeRed Worm? This was an issue
last month. It is an issue this month. (I am up to an attack a minute on
my DSL node.)

It is an attack that compromises IIS servers. So you are safe from it. If
you have any friends with MS OSs attached to the net get them to visit
microsoft.com and update their <censored> systems.

The specific version of the CodeRed worm you quoted above installs a back
door into a user's system. (I have explored it, slightly, on a couple
different systems. I wish I could use it to throw up a window on their
machines that they have been hacked and need to clean it out AND install
a firewall that blocks port 80 AND install the MS update that fixes IIS.)

It is hard to believe someone could be alive today and not have run across
mention of it on the news media or net....

{^_^}
_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
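
An added example, not part of the original thread: a small Python filter that picks the two kinds of error_log entries quoted above (the `default.ida` miss and the "Invalid URI in request" line carrying the filler and `%u9090` sequence) out of an Apache error log and summarizes them per client address. The sample lines are constructed, use documentation-range addresses and a shortened payload, and the thresholds and function names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache error_log layout as quoted in the post:
# [Mon Aug 6 02:24:36 2001] [error] [client 80.62.247.43] <message>
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$")
# Request for the IIS indexing extension, which does not exist on Apache.
IDA_MISS = re.compile(r"^File does not exist: \S*/default\.ida\b", re.I)
# Long single-character filler (assumed threshold: 100) or the %u9090 sequence.
PAYLOAD = re.compile(r"(.)\1{99,}|%u9090", re.I)


def is_probe(msg):
    """True if the log message matches one of the two patterns from the post."""
    if IDA_MISS.search(msg):
        return True
    return msg.startswith("Invalid URI in request") and bool(PAYLOAD.search(msg))


def summarize(lines):
    """Return {client_ip: {"count", "first", "last"}} for matching lines."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not is_probe(m.group("msg")):
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        h = hits[m.group("ip")]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)


# Constructed sample lines (documentation-range addresses, shortened payload).
SAMPLE = [
    "[Mon Aug 6 02:24:36 2001] [error] [client 192.0.2.10] File does not exist: /home/pages/mgdhost/default.ida",
    "[Mon Aug 6 02:31:02 2001] [error] [client 192.0.2.10] File does not exist: /home/pages/mgdhost/default.ida",
    "[Sun Aug 5 16:50:05 2001] [error] [client 198.51.100.7] Invalid URI in request "
    + "X" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0",
    "[Mon Aug 6 03:00:00 2001] [error] [client 203.0.113.5] File does not exist: /home/pages/mgdhost/favicon.ico",
    "[Mon Aug 6 03:05:00 2001] [error] [client 203.0.113.5] Invalid URI in request GET index.html",
]

if __name__ == "__main__":
    for ip, h in sorted(summarize(SAMPLE).items()):
        print(ip, h["count"], h["first"], h["last"])
```

Ordinary 404s and malformed requests without the filler or `%u9090` sequence are left out of the summary, so the per-address counts reflect only the pattern discussed in the thread.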