On Thu 10 Jul 2003, mi wrote:
>
> First I thought of some weird interference between running processes.
> Then I read 'cmd.exe' in the apache log, and I get worried someone is trying to
> access my (assumed windows) box. Now I think I really have no clue.
> I wonder if wwwoffle could cache some strange javascripts?

No, it's "just" some IIS worm running on a cracked windows system that's
scanning for other IIS (Microsoft's web server) to infect. I get large
amounts of these on my always connected system.

It is, however, an indication that you need to implement some firewalling
on your system. Even though you're only connected intermittently for short
times, that's enough to be vulnerable.

A pretty simple setup should be enough; block everything coming in from
your ppp0 interface that's not in state "established,related".
Something like this (untested):

    iptables -I INPUT -i ppp0 -j DROP
    iptables -I INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

For FTP to work either use passive mode or use the ip_masq_ftp module
(which understands that ftp-data connections are "related").

Paul Slootman
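
Added example, not part of the original message: a small Python model of first-match rule evaluation, showing why the two `iptables -I` commands above end up in a working order (each `-I` inserts at the top of the chain, so the ACCEPT rule lands above the DROP) and what the same two commands would do if entered with `-A` instead. The `Rule` and `Chain` classes and the sample packets are constructed for illustration, and a default INPUT policy of ACCEPT is assumed.

```python
# Minimal model of an iptables chain: rules are checked top to bottom and the
# first match decides. Added illustration only; not real netfilter code.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    in_iface: str
    states: Optional[frozenset]  # None = any connection-tracking state
    target: str

    def matches(self, iface, state):
        return iface == self.in_iface and (self.states is None or state in self.states)

class Chain:
    def __init__(self, policy="ACCEPT"):  # assumed default policy
        self.rules, self.policy = [], policy

    def insert(self, rule):   # iptables -I: new rule goes to the top
        self.rules.insert(0, rule)

    def append(self, rule):   # iptables -A: new rule goes to the bottom
        self.rules.append(rule)

    def verdict(self, iface, state):
        for rule in self.rules:
            if rule.matches(iface, state):
                return rule.target
        return self.policy

DROP_ALL = Rule("ppp0", None, "DROP")
ALLOW_REPLIES = Rule("ppp0", frozenset({"ESTABLISHED", "RELATED"}), "ACCEPT")

def build(method):
    """Apply the two rules in the order the message gives them, via -I or -A."""
    chain = Chain()
    for rule in (DROP_ALL, ALLOW_REPLIES):
        getattr(chain, method)(rule)
    return chain

# Constructed sample packets: (incoming interface, connection-tracking state)
PACKETS = [("ppp0", "NEW"), ("ppp0", "ESTABLISHED"), ("ppp0", "RELATED"), ("eth0", "NEW")]

def verdicts(method):
    chain = build(method)
    return [chain.verdict(iface, state) for iface, state in PACKETS]

if __name__ == "__main__":
    for method in ("insert", "append"):
        print(method, list(zip(PACKETS, verdicts(method))))
```

With `-A` the DROP rule would sit first and shadow the ACCEPT rule, so replies to outgoing connections on ppp0 would be dropped as well; on a real system `iptables -L INPUT -n -v --line-numbers` shows the resulting order.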
