Andrew Tait wrote:
> The entries you are seeing are caused by the army of infected MS IIS servers
> (Codered, Nimda, etc) trying to hack into other IIS servers at random. I see
> these on every web server I manage that isn't behind a firewall (i.e.,
> blocking port 80).
>
Yes, Andrew...the web server was not behind one. What a world _wild web!

Just complementing the information you gave, without provoking an IIS (off) topic: do you believe that the source IPs of the requests related to those log entries belong to exploiters or at least other infected machines (question mark - none in my keyboard).

I've checked up one of those IPs; it's being used right now by a web server pretty much infected with I-Worm.Nimda.A! AVG identification. The standard page delivers a "readme.eml" file in a pop-up window; less than a minute to have an infected "readme.exe" being executed. I've heard about it, but had never seen it until then.

From a Linux box it is safe to access http 216.72.135.102 and verify that the host is infecting all the Window$ based visitors' machines, using the X/wav OE vulnerability, as far as I know (*Attention* Do not try from a Win box; it's vulnerable).

By the way, what to do about it...

---
Luiz

ps: my previous post has a wrong month in the sent date (Abril); remove it from the top of your message list and forgive me - I was in fact convinced that it was April while finishing configuration for a new Debian box... sole problem I faced, obviously mine.
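An added example, not part of either poster's message: one way to answer the question of which source IPs are worm-driven is to tally probes per address from the web server's access log. The request patterns below are the ones publicly documented for Code Red and Nimda (an assumption, since the thread does not show its log lines); the log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Request paths publicly documented for these worms. Assumption: the thread
# does not show its log entries, so these are not taken from the page.
SIGNATURES = [
    ("Code Red", re.compile(r"^/default\.ida\?[NX]{20,}", re.I)),
    ("Nimda", re.compile(r"/(root|cmd)\.exe\?/c\+", re.I)),
]

# Apache common log format: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def classify(path):
    """Return the worm name whose probe pattern matches the path, else None."""
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return None

def summarize(lines):
    """Return {source_ip: {worm_name: probe_count}} for matching requests."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, _method, path, _status = m.groups()
        worm = classify(path)
        if worm:
            hits[ip][worm] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}

# Constructed sample log lines using documentation-only addresses.
TS = "[12/May/2002:10:01:02 +0000]"
SAMPLE = [
    f'192.0.2.10 - - {TS} "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    f'192.0.2.10 - - {TS} "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274',
    f'192.0.2.10 - - {TS} "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    f'198.51.100.7 - - {TS} "GET /default.ida?{"N" * 60} HTTP/1.0" 404 270',
    f'203.0.113.5 - - {TS} "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, counts in sorted(summarize(SAMPLE).items()):
        print(ip, counts)
```

A source address that only ever sends these probe paths, in bursts and with no ordinary page requests, is behaving like an automated infected host rather than a person browsing.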

