At 9:35 AM -0400 25/4/01, Joseph D'Andrea wrote:
>Snippets of this morning's log file. I guess it's time to do some
>firewall stuff on the SIMS machine. I guess moving the HTTP port
>somewhere else won't help. Although maybe it will. They probably
>tried some well-known HTTP ports and found this one. Besides turning
>off HTTP for SIMS, what do you others do?
>
>___Joe___
>
>
>
>07:05:44 3 HTTP /scripts/samples/ctguestb.idc not found
>07:05:44 3 HTTP /cgi-bin/webplus not found
>07:05:44 3 HTTP /scripts/fpadmcgi.exe not found
...
As SIMS isn't logging the IP address of this attack, I guess you can't
report it to their ISP (perhaps IP address logging for these errors
would be a nice addition). But you can certainly ignore it. It is
just an attempt to probe it for IIS (thanks Microsoft) holes and then
automatically exploit them to put up their "du0d, w3 ar3 k00l!" page.
If you have SIMS HTTP on port 80, though, I'd move it; most probes
will go after port 80 only.
Andrew
--
_______________________________________________________________
Andrew Wellington <[EMAIL PROTECTED]>
- Network Admin, Dubbo South High School <www.dshs.nsw.edu.au>
- Lead Student, ILC Creative Systems <www.dshs.nsw.edu.au/ilc>
PGP key at certserver.pgp.com keyserver.net <0x77168373>
_______________________________________________________________
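Added example, not part of the original thread and not a SIMS feature: since the log lines quoted above carry no client IP, the only way to tie probe requests together is their timing, so this sketch groups "not found" entries for IIS/CGI-style paths into bursts. The path heuristics, the `window` and `min_hits` values, and the last sample line are assumptions made for illustration.

```python
import re

# Line shape taken from the quoted log excerpt: time, level, "HTTP", path, "not found".
LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\d+) HTTP (\S+) not found$")

# Assumed heuristics: locations and extensions typical of IIS/CGI content
# that a mail server's HTTP interface has no reason to serve.
PROBE_PREFIXES = ("/scripts/", "/cgi-bin/")
PROBE_EXTENSIONS = (".idc", ".exe", ".dll", ".asp")

def is_probe(path):
    p = path.lower().split("?", 1)[0]
    return p.startswith(PROBE_PREFIXES) or p.endswith(PROBE_EXTENSIONS)

def find_scans(lines, min_hits=3, window=2):
    """Return [(start_time, [paths])] for runs of at least min_hits probe
    404s whose consecutive entries are at most `window` seconds apart.
    Assumes the log is chronological and does not cross midnight."""
    bursts, current, last = [], [], None

    def flush():
        if len(current) >= min_hits:
            bursts.append((current[0][0], [p for _, p in current]))

    for line in lines:
        m = LINE.match(line.lstrip("> ").rstrip())  # tolerate mail quoting
        if not (m and is_probe(m.group(3))):
            continue
        h, mi, s = map(int, m.group(1).split(":"))
        t = h * 3600 + mi * 60 + s
        if last is not None and t - last > window:
            flush()
            current = []
        current.append((m.group(1), m.group(3)))
        last = t
    flush()
    return bursts

# First three lines are from the quoted log; the last one is constructed.
SAMPLE = """\
07:05:44 3 HTTP /scripts/samples/ctguestb.idc not found
07:05:44 3 HTTP /cgi-bin/webplus not found
07:05:44 3 HTTP /scripts/fpadmcgi.exe not found
09:12:03 3 HTTP /help/index.html not found
""".splitlines()

if __name__ == "__main__":
    for start, paths in find_scans(SAMPLE):
        print(f"{start}: {len(paths)} probe requests: {', '.join(paths)}")
```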