> Andrew Tait wrote:
>
> > The entries you are seeing are caused by the army of infected MS IIS servers
> > (Codered, Nimda, etc) trying to hack into other IIS servers at random. I see
> > these on every web server I manage that isn't behind a firewall (ie,
> > blocking port 80).
>
> Yes, Andrew...the web server was not behind one. What a world _wild
> web!
>
> Just complementing the information you gave, without provoking an
> IIS (off) topic: do you believe that the source IPs of the requests
> related to those log entries belong to exploiters or at least other
> infected machines (question mark - none in my keyboard).

A combination of all three most likely. Most of the time it will be an infected IIS server. But I'm sure the script kiddies will try every now and again.

> I've checked up one of those IPs; it's being used right now by a web
> server pretty much infected with I-Worm.Nimda.A! AVG identification.
> The standard page delivers a "readme.eml" file in a pop-up window;
> less than a minute to have an infected "readme.exe" being executed.
>
> I've heard about it, but had never seen it until then.

That's the Nimda virus all right. I still manage a few NT servers and Windows clients and have to keep up with related security matters.

> From a Linux box it is safe to access http 216.72.135.102 and verify
> that the host is infecting all the Window$ based visitors' machines,
> using X/wav OE vulnerability, as far as I know (*Attention* Do not try
> from a Win box; it's vulnerable).
>
> By the way, what to do about it...

Make sure you're not running IIS :-) If you are, patch it!

Apart from that I just ignore it, and secretly wish that some script kiddie will wipe the hard drive of the infected machine.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St
Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing."
Agent Smith - The Matrix

