First off, it looks like a blanket scan to me, where they are scanning for possible exploits in Windows systems (IIS) and proxy servers. Most likely they have already identified your system as a Windows machine running particular servers.
Secondly, I would say that you should make sure you are running the most up-to-date versions of the software you have running on the system (looks like FTP, WWW, SSH). This would help curb the possibility of exploitation. Since it's Microsoft software, check Windows Update. All that being said, why not just block the attacker's IP on your IPCop firewall?

Quoting Jason Louie <[EMAIL PROTECTED]>:

> It looks like my system is being hacked for the past 6 days. But am I
> safe running a Linux box? Running Red Hat 8.0 Apache port forwarded. A
> Windows 2000 system not accessible externally. Running IP-Cop 1.3.0
> with full updates.
> Ports 21, 80, 22 forwarded to my Linux web server.
>
> Seems like these people are running something to test my system's
> durability. Can someone offer some suggestions?
>
> Jason
>
>
> Total number of intrusion rules activated for June 6: 73
>
> Date: 06/06 02:17:16 Name: WEB-IIS CodeRed v2 root.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1475 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1256
> Date: 06/06 02:17:17 Name: WEB-IIS CodeRed v2 root.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1494 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1256
> Date: 06/06 02:17:17 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1513 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 02:17:17 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1523 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 02:17:18 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1536 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1945
> Date: 06/06 02:17:18 Name: WEB-FRONTPAGE /_vti_bin/ access
> Priority: 2 Type: access to a potentially vulnerable web application
> IP info: 68.113.xxx.xxx:1554 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1288
> Date: 06/06 02:17:19 Name: WEB-IIS _mem_bin access
> Priority: 2 Type: access to a potentially vulnerable web application
> IP info: 68.113.xxx.xxx:1574 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1286
> Date: 06/06 02:17:19 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1586 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 982
> Date: 06/06 02:17:41 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:1598 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 982
> Date: 06/06 02:17:41 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2233 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 02:17:42 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2251 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 981
> Date: 06/06 02:17:43 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2272 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 983
> Date: 06/06 02:17:43 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2282 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 02:17:44 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2308 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 02:17:47 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2326 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 02:17:48 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.113.xxx.xxx:2406 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:24 Name: WEB-IIS CodeRed v2 root.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2350 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1256
> Date: 06/06 05:08:25 Name: WEB-IIS CodeRed v2 root.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2372 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1256
> Date: 06/06 05:08:25 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2378 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:26 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2386 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:26 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2393 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1945
> Date: 06/06 05:08:29 Name: WEB-FRONTPAGE /_vti_bin/ access
> Priority: 2 Type: access to a potentially vulnerable web application
> IP info: 68.48.xxx.xxx:2416 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1288
> Date: 06/06 05:08:30 Name: WEB-IIS _mem_bin access
> Priority: 2 Type: access to a potentially vulnerable web application
> IP info: 68.48.xxx.xxx:2524 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1286
> Date: 06/06 05:08:30 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2527 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 982
> Date: 06/06 05:08:30 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2533 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 982
> Date: 06/06 05:08:30 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2539 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:31 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2546 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 981
> Date: 06/06 05:08:31 Name: WEB-IIS unicode directory traversal attempt
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2550 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 983
> Date: 06/06 05:08:31 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2555 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:31 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2561 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:31 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2569 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:08:32 Name: WEB-IIS cmd.exe access
> Priority: 1 Type: Web Application Attack
> IP info: 68.48.xxx.xxx:2576 -> xxx.xxx.xxx.xxx:80
> References: none found SID: 1002
> Date: 06/06 05:15:14 Name: MS-SQL Worm propagation attempt
> Priority: 2 Type: Misc Attack
> IP info: 66.111.41.xxx:1517 -> xxx.xxx.xxx.xxx:1434
> References: none found SID: 2003
> Date: 06/06 06:28:34 Name: SCAN SOCKS Proxy attempt
> Priority: 2 Type: Attempted Information Leak
> IP info: 200.157.xxx.xxx:55095 -> xxx.xxx.xxx.xxx:1080
> References: none found SID: 615
> Date: 06/06 06:28:34 Name: SCAN Squid Proxy attempt
> Priority: 2 Type: Attempted Information Leak
> IP info: 200.157.xxx.xxx:37028 -> xxx.xxx.xxx.xxx:3128
> *snip*
>
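As an added example, not part of the original post or of IPCop itself: a small Python script that parses alerts in the IPCop/Snort log layout quoted above, groups them per source address, classifies each source by the rule SIDs it tripped (IIS worm probes, MS-SQL worm traffic, open-proxy scans) and the time span they arrived in, and prints the iptables rules that would drop the noisy sources (IPCop is iptables-based, so the same rules can be applied on the firewall). The sample alerts are constructed from the post's format with RFC 5737 documentation addresses in place of the masked ones; the SID for the Squid entry, which the post snips, is assumed to be 618.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the IPCop/Snort "IDS log" layout quoted in the post.
# Addresses are RFC 5737 documentation ranges, not the masked ones from the post;
# the Squid alert's SID (618) is assumed, since the post snips that entry.
SAMPLE_ALERTS = """\
Date: 06/06 02:17:16 Name: WEB-IIS CodeRed v2 root.exe access
Priority: 1 Type: Web Application Attack
IP info: 192.0.2.10:1475 -> 198.51.100.5:80
References: none found SID: 1256
Date: 06/06 02:17:17 Name: WEB-IIS cmd.exe access
Priority: 1 Type: Web Application Attack
IP info: 192.0.2.10:1513 -> 198.51.100.5:80
References: none found SID: 1002
Date: 06/06 02:17:18 Name: WEB-IIS unicode directory traversal attempt
Priority: 1 Type: Web Application Attack
IP info: 192.0.2.10:1536 -> 198.51.100.5:80
References: none found SID: 1945
Date: 06/06 02:17:18 Name: WEB-FRONTPAGE /_vti_bin/ access
Priority: 2 Type: access to a potentially vulnerable web application
IP info: 192.0.2.10:1554 -> 198.51.100.5:80
References: none found SID: 1288
Date: 06/06 02:17:19 Name: WEB-IIS unicode directory traversal attempt
Priority: 1 Type: Web Application Attack
IP info: 192.0.2.10:1586 -> 198.51.100.5:80
References: none found SID: 982
Date: 06/06 05:15:14 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 203.0.113.7:1517 -> 198.51.100.5:1434
References: none found SID: 2003
Date: 06/06 06:28:34 Name: SCAN SOCKS Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 203.0.113.9:55095 -> 198.51.100.5:1080
References: none found SID: 615
Date: 06/06 06:28:34 Name: SCAN Squid Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 203.0.113.9:37028 -> 198.51.100.5:3128
References: none found SID: 618
"""

# One alert spans four lines; the year is not logged, so only time-of-day is kept.
ALERT_RE = re.compile(
    r"Date: (?P<date>\d\d/\d\d \d\d:\d\d:\d\d) Name: (?P<name>.+?)\n"
    r"Priority: (?P<prio>\d+) Type: (?P<type>.+?)\n"
    r"IP info: (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\n"
    r"References: .*? SID: (?P<sid>\d+)"
)

IIS_WORM_SIDS = {1256, 1002, 1945, 1288, 1286, 982, 981, 983}  # the SIDs in the post's IIS scan
SQL_WORM_SIDS = {2003}
PROXY_SCAN_SIDS = {615, 618}  # 615 from the post; 618 assumed for the snipped Squid entry


def parse_alerts(text):
    """Return one dict per alert found in IPCop/Snort log text."""
    return [
        {
            "time": datetime.strptime(m["date"], "%m/%d %H:%M:%S"),
            "name": m["name"],
            "priority": int(m["prio"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "sid": int(m["sid"]),
        }
        for m in ALERT_RE.finditer(text)
    ]


def classify(sids):
    """Rough verdict from the set of SIDs one source tripped."""
    if sids <= IIS_WORM_SIDS:
        return "IIS-specific worm/scanner probes (CodeRed/Nimda-style); only exploitable on unpatched IIS"
    if sids & SQL_WORM_SIDS:
        return "MS-SQL worm propagation to udp/1434; only relevant if SQL Server is exposed"
    if sids & PROXY_SCAN_SIDS:
        return "open-proxy scan; make sure nothing listens on 1080/3128"
    return "unclassified; review manually"


def summarise_by_source(alerts):
    """Group alerts per source IP: count, SIDs, target ports, burst length, verdict."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    summary = {}
    for src, hits in by_src.items():
        times = [h["time"] for h in hits]
        sids = {h["sid"] for h in hits}
        summary[src] = {
            "count": len(hits),
            "sids": sids,
            "dports": sorted({h["dport"] for h in hits}),
            "span_seconds": (max(times) - min(times)).total_seconds(),
            "verdict": classify(sids),
        }
    return summary


def block_rules(summary, min_alerts=5):
    """iptables rules for sources above the alert threshold; FORWARD covers the
    port-forwarded services (21/22/80), INPUT covers the firewall itself."""
    rules = []
    for src, s in sorted(summary.items()):
        if s["count"] >= min_alerts:
            rules.append(f"iptables -I INPUT -s {src} -j DROP")
            rules.append(f"iptables -I FORWARD -s {src} -j DROP")
    return rules


if __name__ == "__main__":
    summary = summarise_by_source(parse_alerts(SAMPLE_ALERTS))
    for src, s in sorted(summary.items()):
        print(f"{src}: {s['count']} alerts, ports {s['dports']}, {s['span_seconds']:.0f}s burst, "
              f"SIDs {sorted(s['sids'])} -> {s['verdict']}")
    print("\n".join(block_rules(summary)))
```

The per-source burst length is the useful signal here: a dozen IIS signatures from one address inside a few seconds is a worm or canned scanner walking its list, not someone reading your responses, which is why a blanket drop of that source is a proportionate answer.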
