> > > windows 2000 system not accessed to externally.

Sorry, that confused me. I was under the impression that IPCop was forwarding external ports to an internal Windows machine. Yes, it's just a scan, but best practice would be to still make sure everything is up to date and block the IP on the firewall.

Quoting Jason Louie <[EMAIL PROTECTED]>:

> Actually there is no access to my Win2000 computer from the outside.
> Port 80/21/22 goes to my linux WWW/FTP server (running RH8.0). That
> being said, what exploits should I be worried about with my linux box?
>
> Jason
>
> [EMAIL PROTECTED] wrote:
> >
> > First off it looks like a blanket scan to me, where they are scanning for
> > possible exploits in Windows systems (IIS) and proxy servers. Most likely
> > they have already identified your system as a Windows machine running
> > particular servers.
> >
> > Secondly I would say that you should make sure you are running the most
> > up-to-date versions of the software you have running on the system (looks
> > like ftp, www, ssh). This would help curb the possibility of exploitation.
> > Since it's Microsoft software, check Windows Update.
> >
> > All that being said, why not just block the attacker's IP on your IPCop
> > Firewall?
> >
> > Quoting Jason Louie <[EMAIL PROTECTED]>:
> >
> > > It looks like my system is being hacked for the past 6 days. But am I
> > > safe running a linux box? Running Redhat 8.0 apache port forwarded. A
> > > windows 2000 system not accessed to externally. Running IP-Cop 1.3.0
> > > with full updates.
> > > Port 21, 80, 22 forwarded to my linux web-server.
> > >
> > > Seems like these people are running something to test my system's
> > > durability. Can someone offer some suggestions?
> > >
> > > Jason
> > >
> > > Total number of Intrusion rules activated for June 6: 73
> > > Date: 06/06 02:17:16 Name: WEB-IIS CodeRed v2 root.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:1475 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1256
> > > Date: 06/06 02:17:17 Name: WEB-IIS CodeRed v2 root.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:1494 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1256
> > > Date: 06/06 02:17:17 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:1513 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 02:17:17 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:1523 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 02:17:18 Name: WEB-IIS unicode directory traversal attempt
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:1536 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1945
> > > Date: 06/06 02:17:18 Name: WEB-FRONTPAGE /_vti_bin/ access
> > > Priority: 2 Type: access to a potentially vulnerable web application
> > > IP info: 68.113.xxx.xxx:1554 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1288
> > > Date: 06/06 02:17:19 Name: WEB-IIS _mem_bin access
> > > Priority: 2 Type: access to a potentially vulnerable web application
> > > IP info: 68.113.xxx.xxx:1574 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1286
> > > Date: 06/06 02:17:19 Name: WEB-IIS unicode directory traversal attempt
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:1586 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 982
> > > Date: 06/06 02:17:41 Name: WEB-IIS unicode directory traversal attempt
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:1598 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 982
> > > Date: 06/06 02:17:41 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:2233 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 02:17:42 Name: WEB-IIS unicode directory traversal attempt
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:2251 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 981
> > > Date: 06/06 02:17:43 Name: WEB-IIS unicode directory traversal attempt
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:2272 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 983
> > > Date: 06/06 02:17:43 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:2282 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 02:17:44 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:2308 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 02:17:47 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:2326 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 02:17:48 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.113.xxx.xxx:2406 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 05:08:24 Name: WEB-IIS CodeRed v2 root.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2350 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1256
> > > Date: 06/06 05:08:25 Name: WEB-IIS CodeRed v2 root.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2372 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1256
> > > Date: 06/06 05:08:25 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2378 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 05:08:26 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2386 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 05:08:26 Name: WEB-IIS unicode directory traversal attempt
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2393 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1945
> > > Date: 06/06 05:08:29 Name: WEB-FRONTPAGE /_vti_bin/ access
> > > Priority: 2 Type: access to a potentially vulnerable web application
> > > IP info: 68.48.xxx.xxx:2416 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1288
> > > Date: 06/06 05:08:30 Name: WEB-IIS _mem_bin access
> > > Priority: 2 Type: access to a potentially vulnerable web application
> > > IP info: 68.48.xxx.xxx:2524 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1286
> > > Date: 06/06 05:08:30 Name: WEB-IIS unicode directory traversal attempt
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2527 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 982
> > > Date: 06/06 05:08:30 Name: WEB-IIS unicode directory traversal attempt
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2533 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 982
> > > Date: 06/06 05:08:30 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2539 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 05:08:31 Name: WEB-IIS unicode directory traversal attempt
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2546 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 981
> > > Date: 06/06 05:08:31 Name: WEB-IIS unicode directory traversal attempt
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2550 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 983
> > > Date: 06/06 05:08:31 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2555 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 05:08:31 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2561 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 05:08:31 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2569 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 05:08:32 Name: WEB-IIS cmd.exe access
> > > Priority: 1 Type: Web Application Attack
> > > IP info: 68.48.xxx.xxx:2576 -> xxx.xxx.xxx.xxx:80
> > > References: none found SID: 1002
> > > Date: 06/06 05:15:14 Name: MS-SQL Worm propagation attempt
> > > Priority: 2 Type: Misc Attack
> > > IP info: 66.111.41.xxx:1517 -> xxx.xxx.xxx.xxx:1434
> > > References: none found SID: 2003
> > > Date: 06/06 06:28:34 Name: SCAN SOCKS Proxy attempt
> > > Priority: 2 Type: Attempted Information Leak
> > > IP info: 200.157.xxx.xxx:55095 -> xxx.xxx.xxx.xxx:1080
> > > References: none found SID: 615
> > > Date: 06/06 06:28:34 Name: SCAN Squid Proxy attempt
> > > Priority: 2 Type: Attempted Information Leak
> > > IP info: 200.157.xxx.xxx:37028 -> xxx.xxx.xxx.xxx:3128
> > > *snip*
> > >
> >
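The replies boil down to two triage steps: decide which alerts are noise for a Linux/Apache host (the WEB-IIS, FrontPage and MS-SQL signatures target software that is not running behind the forwarded ports) and pick out the sources doing a blanket scan so they can be blocked on IPCop. The script below is an added example, not code from the thread or from IPCop; it parses the four-line alert layout shown above, using a constructed sample with the same masked IPs, and the prefix list and thresholds are assumptions for illustration.

```python
import re

# Constructed sample in the layout of the IPCop/Snort alert list quoted in the thread
SAMPLE_ALERTS = """\
Date: 06/06 02:17:16 Name: WEB-IIS CodeRed v2 root.exe access
Priority: 1 Type: Web Application Attack
IP info: 68.113.xxx.xxx:1475 -> xxx.xxx.xxx.xxx:80
References: none found SID: 1256
Date: 06/06 02:17:17 Name: WEB-IIS cmd.exe access
Priority: 1 Type: Web Application Attack
IP info: 68.113.xxx.xxx:1513 -> xxx.xxx.xxx.xxx:80
References: none found SID: 1002
Date: 06/06 02:17:18 Name: WEB-IIS unicode directory traversal attempt
Priority: 1 Type: Web Application Attack
IP info: 68.113.xxx.xxx:1536 -> xxx.xxx.xxx.xxx:80
References: none found SID: 1945
Date: 06/06 06:28:34 Name: SCAN SOCKS Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 200.157.xxx.xxx:55095 -> xxx.xxx.xxx.xxx:1080
References: none found SID: 615
"""

# One alert is a four-line record; IPs are masked with "xxx", so match any non-space run
ALERT_RE = re.compile(
    r"Date: (?P<date>\S+ \S+) Name: (?P<name>.+)\n"
    r"Priority: (?P<prio>\d+) Type: (?P<type>.+)\n"
    r"IP info: (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\n"
    r"References: (?P<refs>.+?) SID: (?P<sid>\d+)")

# Assumed list: signature families that only apply to IIS / FrontPage / SQL Server
WINDOWS_ONLY_PREFIXES = ("WEB-IIS", "WEB-FRONTPAGE", "MS-SQL")

def parse_alerts(text):
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def triage(alerts):
    """Split alerts into Windows-only noise and those still worth a look on a Linux box."""
    noise, review = [], []
    for a in alerts:
        (noise if a["name"].startswith(WINDOWS_ONLY_PREFIXES) else review).append(a)
    return noise, review

def block_candidates(alerts, min_alerts=3, min_sids=2):
    """Sources firing several alerts across distinct signatures look like a blanket scan."""
    per_src = {}
    for a in alerts:
        per_src.setdefault(a["src"], []).append(a["sid"])
    return sorted(src for src, sids in per_src.items()
                  if len(sids) >= min_alerts and len(set(sids)) >= min_sids)
```

Feed it the full alert list from the post and the 68.113 and 68.48 sources come out as block candidates, while the proxy scans from 200.157 are the only entries left in the review pile.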
