I don't completely agree with your comment regarding "only knock off bandwidth".

When you start getting Code Red attacks coming from about 500 different concurrent locations, you will see why. I had a DSL router and a T1 go down because of the load caused by this crap. It does not matter if you block that garbage. It can still cause grief. Especially if you host your own mail, ftp and www - and the Inet connection goes down @ 1:30 A.M. and you live 30 miles from work. (sorry for the run-on)

Never take that crap lightly. I started reporting my hit lists to our ISP in an effort to get some of these systems off the net. IT people need to take more responsibility for this problem. If we do not work to eliminate this type of traffic, things will only get worse. I consider it part of my job.

Just a thought.

Danny

-----Original Message-----
From: Anthony Kimber [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 17, 2002 9:12 AM
To: 'Marc Suxdorf'
Cc: [EMAIL PROTECTED]
Subject: RE: [gb-users] Not Gnatbox but security related

Here are some webstats from one of our customers' webservers. As you can see we often get this happening as some people out there really should put their computer back in the box and take it back to the shop for a refund as they are too stupid to install AV products.

I am not worried about these hits and nor is the ISP as they can do no damage (only knock off bandwidth).

Cheers

PS This server has only been running 2 weeks so it will be interesting what other rubbish hits it in the future.

Bad URLs

This report lists the requests that generated 404 Not Found error messages (because the requested files didn't exist).

Summary: This report shows the top 10 bad URLs requested. 25 distinct bad URLs were found.

Quantity  % of Total  Item
180       2.76%       /winnt/system32/cmd.exe?/c+dir
96        1.47%       /scripts/root.exe?/c+dir
96        1.47%       /MSADC/root.exe?/c+dir
95        1.46%       /c/winnt/system32/cmd.exe?/c+dir
92        1.41%       /d/winnt/system32/cmd.exe?/c+dir
90        1.38%       /scripts/winnt/system32/cmd.exe?/c+dir
90        1.38%       /msadc/..%5c../..%5c../..%5c/..�../..�../..�../winnt/system32/cmd.exe?/c+dir
90        1.38%       /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
20        0.31%       /robots.txt
4         0.06%       /favicon.ico

Anthony Kimber
Consultant, ARL Computer Consultants Ltd
Web    : http://www.arl-consultants.co.uk
Phone  : 0191 536 5115
Fax    : 0191 536 5115
Mobile : 07798 848034

-----Original Message-----
From: Marc Suxdorf [mailto:[EMAIL PROTECTED]]
Sent: 17 January 2002 16:09
To: [EMAIL PROTECTED]
Subject: [gb-users] Not Gnatbox but security related

Hi everyone

I have to administer our small company network in my spare time which hopefully explains my little security knowledge...

I have just come across a scary entry in our Windows 2000 Server Internet Information Services 5.0 log:

2002-01-17 10:52:31 62.161.107.167 - 10.10.1.1 80 GET /scripts/root.exe /c+dir 403 www -
2002-01-17 10:52:46 62.161.107.167 - 10.10.1.1 80 GET /MSADC/root.exe /c+dir 403 www -
2002-01-17 10:52:54 62.161.107.167 - 10.10.1.1 80 GET /c/winnt/system32/cmd.exe /c+dir 403 www -
2002-01-17 10:53:03 62.161.107.167 - 10.10.1.1 80 GET /d/winnt/system32/cmd.exe /c+dir 403 www -
2002-01-17 10:53:18 62.161.107.167 - 10.10.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 403 www -

Is someone currently executing terrible things on our server? I would be very grateful for any quick help and/or explanation!

Thanks a lot and best wishes to everyone

Marc Suxdorf
Studios für Design
Milchstrasse 6b
D-20148 Hamburg
Tel +49 (40) 41345-100
Fax +49 (40) 41345-101
Email [EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
To subscribe to the digest version first unsubscribe, then e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
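
Added example, not part of the original thread and not written by any of its participants: a small triage script that separates the refused cmd.exe/root.exe probes discussed above (403/404) from any such request the server answered with a 2xx status. The field order is an assumption inferred from the IIS 5.0 lines quoted in the thread, and the sample log lines and addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in the layout of the IIS 5.0 entries quoted in the
# thread (assumed field order: date time c-ip user s-ip port method stem query
# status ...). Source addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2002-01-17 10:52:31 203.0.113.7 - 10.10.1.1 80 GET /scripts/root.exe /c+dir 403 www -
2002-01-17 10:52:46 203.0.113.7 - 10.10.1.1 80 GET /MSADC/root.exe /c+dir 403 www -
2002-01-17 10:53:18 203.0.113.7 - 10.10.1.1 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404 www -
2002-01-17 11:02:05 198.51.100.9 - 10.10.1.1 80 GET /index.html - 200 www -
2002-01-17 11:07:40 198.51.100.23 - 10.10.1.1 80 GET /scripts/root.exe /c+dir 200 www -
"""

# Request targets seen in the thread: a command shell binary named in the URL.
PROBE = re.compile(r"/(cmd|root)\.exe$", re.IGNORECASE)

def parse(line):
    """Split one log line into the fields used for triage; None if malformed."""
    f = line.split()
    if len(f) < 10 or not f[9].isdigit():
        return None  # blank line, '#Fields:' header or truncated entry
    return {"src": f[2], "stem": unquote(f[7]), "query": f[8], "status": int(f[9])}

def triage(log_text):
    """Return (refused probe count per source, probes answered with 2xx)."""
    refused, answered = Counter(), []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not PROBE.search(rec["stem"]):
            continue
        if 200 <= rec["status"] < 300:
            answered.append(rec)  # server served the request: look closer
        else:
            refused[rec["src"]] += 1
    return refused, answered

if __name__ == "__main__":
    refused, answered = triage(SAMPLE_LOG)
    for src, n in refused.most_common():
        print(f"{src}: {n} probe(s) refused")
    for rec in answered:
        print(f"INVESTIGATE {rec['src']} {rec['stem']}?{rec['query']} -> {rec['status']}")
```

The per-source counts of refused probes are the kind of hit list Danny describes reporting to an ISP; an entry in the second list is the case that needs a closer look at the server itself.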
