You can sleep well. These are attacks for the legacy webserver running on the 
legacy OS. Quite ineffective against Linux. As long as there are no ports 
forwarded to the legacy machine you are ok...
Cheers
Szemir
P.S.: I get about 200K a month of those on my Apache logs and Snort logs ...

On Friday 06 June 2003 17:35, you wrote:
> It looks like my system has been being hacked for the past 6 days.  But am I
> safe running a Linux box?  Running Redhat 8.0 Apache port forwarded.  A
> Windows 2000 system not accessible externally.  Running IP-Cop 1.3.0
> with full updates.
> Port 21, 80, 22 forwarded to my Linux web-server.
>
> Seems like these people are running something to test my system's
> durability.  Can someone offer some suggestions?
>
> Jason
>
>
> Total of number of Intrusion rules activated for June 6: 73
> Date: 06/06 02:17:16  Name:   WEB-IIS CodeRed v2 root.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:1475 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1256
> Date: 06/06 02:17:17  Name:   WEB-IIS CodeRed v2 root.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:1494 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1256
> Date: 06/06 02:17:17  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:1513 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 02:17:17  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:1523 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 02:17:18  Name:   WEB-IIS unicode directory traversal attempt
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:1536 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1945
> Date: 06/06 02:17:18  Name:   WEB-FRONTPAGE /_vti_bin/ access
> Priority:     2       Type:   access to a potentially vulnerable web application
> IP info:      68.113.xxx.xxx:1554 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1288
> Date: 06/06 02:17:19  Name:   WEB-IIS _mem_bin access
> Priority:     2       Type:   access to a potentially vulnerable web application
> IP info:      68.113.xxx.xxx:1574 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1286
> Date: 06/06 02:17:19  Name:   WEB-IIS unicode directory traversal attempt
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:1586 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    982
> Date: 06/06 02:17:41  Name:   WEB-IIS unicode directory traversal attempt
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:1598 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    982
> Date: 06/06 02:17:41  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:2233 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 02:17:42  Name:   WEB-IIS unicode directory traversal attempt
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:2251 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    981
> Date: 06/06 02:17:43  Name:   WEB-IIS unicode directory traversal attempt
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:2272 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    983
> Date: 06/06 02:17:43  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:2282 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 02:17:44  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:2308 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 02:17:47  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:2326 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 02:17:48  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:2406 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 05:08:24  Name:   WEB-IIS CodeRed v2 root.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2350 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1256
> Date: 06/06 05:08:25  Name:   WEB-IIS CodeRed v2 root.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2372 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1256
> Date: 06/06 05:08:25  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2378 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 05:08:26  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2386 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 05:08:26  Name:   WEB-IIS unicode directory traversal attempt
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2393 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1945
> Date: 06/06 05:08:29  Name:   WEB-FRONTPAGE /_vti_bin/ access
> Priority:     2       Type:   access to a potentially vulnerable web application
> IP info:      68.48.xxx.xxx:2416 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1288
> Date: 06/06 05:08:30  Name:   WEB-IIS _mem_bin access
> Priority:     2       Type:   access to a potentially vulnerable web application
> IP info:      68.48.xxx.xxx:2524 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1286
> Date: 06/06 05:08:30  Name:   WEB-IIS unicode directory traversal attempt
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2527 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    982
> Date: 06/06 05:08:30  Name:   WEB-IIS unicode directory traversal attempt
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2533 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    982
> Date: 06/06 05:08:30  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2539 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 05:08:31  Name:   WEB-IIS unicode directory traversal attempt
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2546 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    981
> Date: 06/06 05:08:31  Name:   WEB-IIS unicode directory traversal attempt
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2550 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    983
> Date: 06/06 05:08:31  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2555 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 05:08:31  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2561 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 05:08:31  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2569 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 05:08:32  Name:   WEB-IIS cmd.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.48.xxx.xxx:2576 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1002
> Date: 06/06 05:15:14  Name:   MS-SQL Worm propagation attempt
> Priority:     2       Type:   Misc Attack
> IP info:      66.111.41.xxx:1517 -> xxx.xxx.xxx.xxx:1434
> References:   none found      SID:    2003
> Date: 06/06 06:28:34  Name:   SCAN SOCKS Proxy attempt
> Priority:     2       Type:   Attempted Information Leak
> IP info:      200.157.xxx.xxx:55095 -> xxx.xxx.xxx.xxx:1080
> References:   none found      SID:    615
> Date: 06/06 06:28:34  Name:   SCAN Squid Proxy attempt
> Priority:     2       Type:   Attempted Information Leak
> IP info:      200.157.xxx.xxx:37028 -> xxx.xxx.xxx.xxx:3128
> *snip*
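
The triage described in the reply, as an added example that is not part of the original thread: it parses alerts in the format quoted above and sorts them by whether the destination port is forwarded and whether the rule targets software the host runs. The forwarded ports come from the question; the `NOT_INSTALLED` prefixes and the verdict names are assumptions made for the example.

```python
import re
from collections import Counter

# Assumptions from the question: ports forwarded to the Linux/Apache host,
# and rule-name prefixes for software that host does not run.
FORWARDED_PORTS = {21, 22, 80}
NOT_INSTALLED = ("WEB-IIS",)

ALERT_RE = re.compile(
    r"Date:\s*(?P<date>\S+ \S+)\s+Name:\s*(?P<name>.+?)\s*\n"
    r"\s*Priority:\s*(?P<prio>\d+)\s+Type:\s*(?P<type>.+?)\s*\n"
    r"\s*IP info:\s*(?P<src>\S+):\d+ -> \S+:(?P<dport>\d+)"
    r"(?:\s*\n\s*References:.*?SID:\s*(?P<sid>\d+))?"  # absent if log is cut
)

def parse_alerts(text):
    text = re.sub(r"^> ?", "", text, flags=re.M)  # accept mail-quoted input
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def triage(alert):
    if int(alert["dport"]) not in FORWARDED_PORTS:
        return "not-forwarded"      # port is not forwarded to any internal host
    if alert["name"].startswith(NOT_INSTALLED):
        return "wrong-platform"     # reaches Apache, but the rule targets IIS
    return "review"                 # check whether the component is installed

def summarize(text):
    return Counter((triage(a), a["name"], a["sid"]) for a in parse_alerts(text))

# Three alerts in the format of the quoted summary; the last one is truncated.
SAMPLE = """\
> Date: 06/06 02:17:16  Name:   WEB-IIS CodeRed v2 root.exe access
> Priority:     1       Type:   Web Application Attack
> IP info:      68.113.xxx.xxx:1475 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1256
> Date: 06/06 02:17:18  Name:   WEB-FRONTPAGE /_vti_bin/ access
> Priority:     2       Type:   access to a potentially vulnerable web application
> IP info:      68.113.xxx.xxx:1554 -> xxx.xxx.xxx.xxx:80
> References:   none found      SID:    1288
> Date: 06/06 06:28:34  Name:   SCAN Squid Proxy attempt
> Priority:     2       Type:   Attempted Information Leak
> IP info:      200.157.xxx.xxx:37028 -> xxx.xxx.xxx.xxx:3128
"""

if __name__ == "__main__":
    for (verdict, name, sid), n in sorted(summarize(SAMPLE).items(), key=str):
        print(f"{verdict:15} {n:3}  SID {sid}  {name}")
```

Anything left in the `review` bucket is aimed at a forwarded port and is not tied to IIS by its rule name, so it is worth checking against what is actually installed on the web server.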
