Hi All,

These logs are similar to what the uni's log files looked like after it got attacked by the Nimda virus.
The attacking machine is looking for a back door left by the Code Red virus. It's looking for a cmd.exe or a root.exe. It's most likely not a "script kiddie" but the virus itself trying to replicate itself.

Mahesh

> Johnno writes:
>
> > I am getting a lot of this in my access log.. what is it ?? someone trying to
> > hack their way in or just internet noise??
>
> Looks like someone's trying to use a buffer overflow exploit of some kind. One
> that's designed for MS software by the look of it.
>
> I just grepped my own Apache log for "default.ida" and got 654 entries of that
> big line full of XXX's. It's amazing... I've been getting them every few minutes
> in the evenings, from all sorts of different addresses. First entry was on 2nd
> August, most recent was last night, from 210-55-192-210.static-dialup.xtra.co.nz
> and it's trying to get a directory listing (it tried about ten zillion
> times). I think I'll start blocking a few ports from outside tonight.
>
> All the requests are identical so it's either a script-kiddie exploit or a virus
> trying to propagate.
>
> Cheers,
>
> - Dave
>
> David A. Mann, B.E. (Elec)
> http://www.digistar.com/~dmann/
>
> "Why is it that if an adult behaves like a child they lock him up,
> while children are allowed to run free on the streets?" -- Garfield

=====
For Linux CD's check out http://www.xsolutions.co.nz/linux
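
Added example, not part of the original messages: a small Python script that separates the two kinds of request discussed in this thread (the padded "default.ida" overflow attempt and the cmd.exe/root.exe back-door probes) in an Apache access log and counts them per source host. The log lines, addresses and timestamps are constructed for illustration, and the 32-character padding threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([^"]*)" (\d{3}) \S+')
# The "big line full of XXX's": 32 or more repeats of one padding character (assumed threshold).
PADDING_RE = re.compile(r"(.)\1{31,}")

# Constructed sample lines (documentation-range addresses, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Sep/2001:19:02:11 +1200] "GET /default.ida?' + "X" * 224 + ' HTTP/1.0" 404 276',
    '192.0.2.10 - - [19/Sep/2001:19:07:45 +1200] "GET /default.ida?' + "X" * 224 + ' HTTP/1.0" 404 276',
    '198.51.100.7 - - [19/Sep/2001:19:08:02 +1200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280',
    '198.51.100.7 - - [19/Sep/2001:19:08:03 +1200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294',
    '203.0.113.5 - - [19/Sep/2001:19:09:30 +1200] "GET /default.ida HTTP/1.0" 404 276',
    '203.0.113.5 - - [19/Sep/2001:19:09:31 +1200] "GET /index.html HTTP/1.0" 200 1043',
]

def classify(request):
    """Return 'code_red_overflow', 'backdoor_probe' or None for one request line."""
    parts = request.split()
    if len(parts) < 2:
        return None
    path, _, query = parts[1].partition("?")
    name = path.rsplit("/", 1)[-1].lower()
    if name == "default.ida" and PADDING_RE.search(query):
        return "code_red_overflow"
    if name in ("cmd.exe", "root.exe"):
        return "backdoor_probe"
    return None

def summarize(lines):
    """Count worm-style requests per kind and per source host; list any answered 2xx."""
    per_kind, per_host, served = Counter(), defaultdict(Counter), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we can parse
        host, request, status = m.groups()
        kind = classify(request)
        if kind is None:
            continue
        per_kind[kind] += 1
        per_host[host][kind] += 1
        if status.startswith("2"):
            served.append((host, request))  # the server answered: look closer
    return per_kind, per_host, served

if __name__ == "__main__":
    kinds, hosts, served = summarize(SAMPLE_LOG)
    print(dict(kinds), {h: dict(c) for h, c in hosts.items()}, served)
```

On an Apache server these requests normally end in a 4xx status; the `served` list is there to surface any that did not.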