A few days ago I posted a note here about Internet security and the relative safety of running a Mac on the Internet. Here's an interesting followup.
I have my Linux machine set up as a Web server on the cable modem so I can easily serve up pictures of the grandkids to Grandma. This means I have Apache running on port 80, as is standard. I also have a default page basically telling people to go away. You can look at it here <http://24.7.122.88>.

As part of this, Apache keeps logs of what's happening on the Web port. My most recent access_log started on September 16 and runs through now. During this time, the most recent Internet worm scare appeared, and I started getting attempts from infected machines to get into my machine. The attempts pretty much all look like this in the log.

24.7.243.74 - - [21/Sep/2001:23:05:18 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"

This means that the machine at 24.7.243.74 (c1080990-a.grapid1.mi.home.com), which lives on a cable modem in Grand Rapids, Michigan, is trying to get in. This time, it's looking for a Windows NT machine. Other attacks look for other flavors of Windows.

There's nothing startling about this, except for the sheer number of attacks. Here are some numbers to give you some feeling for how many infected machines are out there.

First, here's the total number of log entries

[root@sauron httpd]# wc -l access_log
20135

And now, here are the number of attacks from the worm

[root@sauron httpd]# grep cmd.exe access_log|wc -l
18624

These attacks are from over a hundred different machines spread all over the world and took place in less more than five days -- that's over 3600 hits per day!

Of course, none of the attacks got anywhere, because they're all looking for a Windows machine and I'm running Linux on the Web server. It looks to me as though running a Windows machine on the 'Net is like painting a target on your back.

In the time it took to write the preceding paragraph...

[root@sauron httpd]# grep cmd.exe access_log|wc -l
18652

--
Lee Larson, Mathematics Department, University of Louisville
http://www.louisville.edu/~lmlars01 (502)852-6826
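
Added example, not part of the original post: a shell/awk version of the counts above that matches cmd.exe only in the request field of each log entry, then reports distinct source addresses and probes per day. The function names and the sample log are constructed for illustration; only the first sample line is the one quoted in the post, and the other addresses are documentation ranges.

```shell
#!/bin/sh
# Constructed sample in Apache "combined" log format.
sample_log() {
cat <<'EOF'
24.7.243.74 - - [21/Sep/2001:23:05:18 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
192.0.2.10 - - [21/Sep/2001:23:06:02 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
192.0.2.10 - - [22/Sep/2001:00:01:40 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
198.51.100.7 - - [22/Sep/2001:00:02:11 -0400] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
203.0.113.5 - - [22/Sep/2001:00:03:00 -0400] "GET /index.html HTTP/1.0" 200 1042 "-" "-"
203.0.113.5 - - [22/Sep/2001:00:03:09 -0400] "GET /pictures/ HTTP/1.0" 200 512 "http://example.com/notes-on-cmd.exe-probes.html" "-"
EOF
}

# Print only entries whose request line (second double-quoted-delimited
# field) contains "cmd.exe". Unlike a bare grep, this ignores the string
# in the referer or user-agent, and treats "." literally. The match is
# case-insensitive because Windows file names are.
# Limitation: a request containing an escaped quote shifts the fields.
probe_lines() {
    awk -F'"' 'index(tolower($2), "cmd.exe") > 0' "$@"
}

# Number of probe requests.
probe_count() {
    probe_lines "$@" | awk 'END { print NR }'
}

# Number of distinct client addresses that sent a probe.
probe_sources() {
    probe_lines "$@" | awk '{ print $1 }' | sort -u | awk 'END { print NR }'
}

# Probes per calendar day, one "DD/Mon/YYYY count" pair per line.
probes_per_day() {
    probe_lines "$@" |
        awk '{ split($4, t, ":"); n[substr(t[1], 2)]++ }
             END { for (d in n) print d, n[d] }' | sort
}

# Stand-alone run over the constructed sample.
echo "probes:  $(sample_log | probe_count)"
echo "sources: $(sample_log | probe_sources)"
sample_log | probes_per_day
```

Each function also accepts a file name, for example `probe_sources access_log`.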
