I'm getting quite a few requests like this:
00:38:13 202.109.105.67 GET /default.ida 401
02:20:36 24.130.170.100 GET /default.ida 401
02:50:41 194.7.47.130 GET /default.ida 401
04:00:45 65.2.171.167 GET /default.ida 401
04:55:53 211.172.176.231 GET /default.ida 401
05:49:07 12.98.100.6 GET /default.ida 401
06:33:12 63.17.76.22 GET /default.ida 401
06:35:31 216.85.123.121 GET /default.ida 401
07:00:16 200.176.48.234 GET /default.ida 401
07:52:00 163.180.18.14 GET /default.ida 401
08:21:23 210.181.179.242 GET /default.ida 401
08:47:19 210.255.176.132 GET /default.ida 401
08:57:43 216.104.158.213 GET /default.ida 401
09:00:22 210.122.124.118 GET /default.ida 401
10:32:16 139.130.84.98 GET /default.ida 401
11:31:56 24.128.34.95 GET /default.ida 401
12:10:29 209.239.84.85 GET /default.ida 401
12:14:58 61.145.108.35 GET /default.ida 401
12:27:16 203.248.108.241 GET /default.ida 401
13:37:05 211.99.96.131 GET /default.ida 500
13:46:58 202.107.224.234 GET /default.ida 401
14:01:32 63.222.244.124 GET /default.ida 401
14:12:54 155.229.77.166 GET /default.ida 401
15:22:40 210.106.239.202 GET /default.ida 401
Interestingly though, my server is password protected. Does IIS log the
request even if the page doesn't exist, and even if it did, couldn't be
accessed due to the password protection anyway?
I've applied the Code Red patch already. I guess I'm safe!
---mark
=========================================
Mark Warrick - Fusioneers.com
Personal Email: [EMAIL PROTECTED]
Business Email: [EMAIL PROTECTED]
Phone: 714-547-5386
Efax: 801-730-7289
Personal URL: http://www.warrick.net
Business URL: http://www.fusioneers.com
ICQ: 125160 / AIM: markwarric
=========================================
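Added example, not part of the original message: a small Python tally over log lines in the five-column layout shown above (time, client IP, method, URI, status). It counts /default.ida requests by status and source and lists any that were not answered with 401. The sample lines are constructed with documentation addresses, and the function names are this example's own.

```python
import ipaddress
from collections import Counter

PROBE_PATH = "/default.ida"  # URI requested in the log excerpt above
# Constructed sample in the excerpt's five-column layout (time, client IP,
# method, URI, status). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
00:38:13 192.0.2.10 GET /default.ida 401
02:20:36 198.51.100.7 GET /default.ida 401
02:50:41 192.0.2.10 GET /Default.IDA 401
09:12:03 203.0.113.5 GET /index.cfm 200
13:37:05 203.0.113.44 GET /default.ida 500
#Fields: time c-ip cs-method cs-uri-stem sc-status
14:01:32 not-an-ip GET /default.ida 401
"""

def parse_line(line):
    """Return (time, ip, method, uri, status), or None if the line does not fit."""
    parts = line.split()
    if line.startswith("#") or len(parts) != 5:
        return None
    time, ip, method, uri, status = parts
    try:
        ipaddress.ip_address(ip)   # reject garbage in the address column
        status = int(status)
    except ValueError:
        return None
    return time, ip, method, uri, status

def summarize_probes(log_text, probe_path=PROBE_PATH):
    """Count probe_path requests by status and source; list non-401 answers."""
    by_status, by_source, not_challenged, skipped = Counter(), Counter(), [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        time, ip, _method, uri, status = rec
        if uri.lower() != probe_path.lower():   # compare the path case-insensitively
            continue
        by_status[status] += 1
        by_source[ip] += 1
        if status != 401:               # not answered with an auth challenge
            not_challenged.append((time, ip, status))
    repeats = {ip: n for ip, n in by_source.items() if n > 1}
    return {"by_status": dict(by_status), "sources": len(by_source),
            "repeat_sources": repeats, "not_challenged": not_challenged,
            "skipped": skipped}

print(summarize_probes(SAMPLE_LOG))
```
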
> -----Original Message-----
> From: Jeff Beer [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 02, 2001 9:44 AM
> To: CF-Talk
> Subject: RE: default.ida?
>
>
> You had better never give out your FQDN either.. you can find the IP
> from that pretty easily.. lol
>
> Jeff Beer
> Senior Programmer Architect
> Hydrogen Media, Inc
> (727) 530-5500 x303
> [EMAIL PROTECTED]
>
>
> > -----Original Message-----
> > From: Tangorre, Mike [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, August 02, 2001 11:18 AM
> > To: CF-Talk
> > Subject: RE: default.ida?
> >
> >
> > sorry for asking!!! I didn't think you'd take me seriously!!!!!
> > Wow, I'd change the IPs also; that is good advice.
> >
> >
> >
> > Michael T. Tangorre
> > --------------------------------------------
> > Web Applications Developer
> > Office Phone: 703-558-4746
> > Cellular Phone: 607-426-9277
> > AIM: CrazyFlash4
> > Personal Email: [EMAIL PROTECTED]
> > Work Email: [EMAIL PROTECTED]
> > School Email: [EMAIL PROTECTED]
> > --------------------------------------------
> > This Email contains MillenniuM Information
> > Systems, LLC Privileged Information which
> > is Customer or Business Sensitive.
> > --------------------------------------------
> >
> >
> > -----Original Message-----
> > From: Stephen Moretti [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, August 02, 2001 11:05 AM
> > To: CF-Talk
> > Subject: RE: default.ida?
> >
> >
> > Might be an idea to go away and change the IP addresses on
> > your servers now
> > and abandon these two for all eternity....
> >
> > Never put this kind of information out on the list. You are opening
> > yourself up to abuse by the few unscrupulous people on this list...
> >
> > Stephen
> >
> > > -----Original Message-----
> > > From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> > > Sent: 02 August 2001 15:50
> > > To: CF-Talk
> > > Subject: RE: default.ida?
> > >
> > >
> > > 193.122.20.5 - Production
> > > 193.122.20.8 - Development
> > >
> > > Why?
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Tangorre, Mike [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, August 02, 2001 3:34 PM
> > > > To: CF-Talk
> > > > Subject: RE: default.ida?
> > > >
> > > >
> > > > whats yur ip? :-)
> > > >
> > > >
> > > > Michael T. Tangorre
> > > > --------------------------------------------
> > > > Web Applications Developer
> > > > Office Phone: 703-558-4746
> > > > Cellular Phone: 607-426-9277
> > > > AIM: CrazyFlash4
> > > > Personal Email: [EMAIL PROTECTED]
> > > > Work Email: [EMAIL PROTECTED]
> > > > School Email: [EMAIL PROTECTED]
> > > > --------------------------------------------
> > > > This Email contains MillenniuM Information
> > > > Systems, LLC Privileged Information which
> > > > is Customer or Business Sensitive.
> > > > --------------------------------------------
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Edward Chanter [mailto:[EMAIL PROTECTED]]
> > > > Sent: Thursday, August 02, 2001 10:32 AM
> > > > To: CF-Talk
> > > > Subject: RE: default.ida?
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > > I don't actually think it's hysteria mate, do you want to see
> > > > > > a copy of my
> > > > > > IDS logs????
> > > > >
> > > > > Not really, no. They tend to be boring and full of kidz
> > > > > getting 404's.
> > > >
> > > > :-) I did say IDS logs though, they filter out all the crap and
> > > > only show me
> > > > the ISAPI Extension Overflow errors.....
> > > >
> > > > > > There are a large number of attacks going on as
> > > > > > I write this
> > > > >
> > > > > Woo-wee - where have you been ? An ongoing scan of your
> > > > > system is a *FACT OF LIFE* for a system on the internet.
> > > > > My dial-up gateway at home gets scanned !
> > > >
> > > > Tell me about it, then again, my server very rarely blocks
> > > > anyone, so far today it's implemented over 300 24 bans on
> > > > various IP addresses in the last 12 hours..... That is
> > > > unusual.....
> > > >
> > > > > > and anyone running an unpatched/unprotected IIS server needs
> > > > > > to do something
> > > > > > about it asap.
> > > > >
> > > > > No, anyone running an unpatched/unprotected IIS server on a
> > > > > public network needs to be fired, as they're not doing their
> > > > > job. The patch was all over BugTraq et al. well before Code
> > > > > Red was released.
> > > >
> > > > Agreed!
> > > >
> > > > > But, if you look at the domains from which these scans
> > > > > originate, most have no reverse look-up, or are from ISPs
> > > > > like @home <shrug> and those are just the people who won't
> > > > > care, because Code Red version 2 is non destructive to the
> > > > > local machine.
> > > >
> > > > Lots of Chinese, Japanese, Koreans, Mexicans and a few US and
> > > > EU academic ones as well...... There are even some coming in
> > > > as 0.0.0.0
> > > >
> > > > I have had a few responses from some of the ones I thought
> > > > would take action, some very sheepish IISadmins out there :-)
> > > >
> > > > We're averaging a new attempt every minute or so....
> > > >
> > > > -= Ed
> > > >
> > >
> >
>