RE: [suse-security] does anybody know such a log
Who's sleeping here? This is neither Nimda nor Code Red. This is a scan. It came from a dial-up account. Nimda and Code Red never came from dial-up accounts. They always came from static IP addresses. (Thanks, Thomas, for your suggestion.) Philipp
-----Original Message-----
From: Wolfgang Kueter [mailto:wolfgang@shconnect.de]
Sent: Friday, October 11, 2002 3:51 AM
To: suse-security@suse.com
Subject: Re: [suse-security] does anybody know such a log
On Fri, 11 Oct 2002 mailinglists@belfin.ch wrote:
Hello
our reverse proxy picked this up
[typical Nimda Code Red stuff] Is there some new IIS/Windows worm spreading?
New? How deep have you been sleeping during the last 14 months? The requests you see are typical Code Red and Nimda requests.
http://www.google.de/search?q=msadc+Nimda&ie=UTF-8&oe=UTF-8&hl=de&btnG=Google-Suche&meta=
You might like to tell your proxy to block these, though the requests don't harm Apache.
Wolfgang -- shconnect Internet Service web: http://www.shconnect.de EMail: info@shconnect.de Bundesstrasse 2, 24392 Dollrottfeld, Fed. Rep. Germany phone: +49 4641 644
On Friday 11 October 2002 13:28, mailinglists@belfin.ch wrote:
Who's sleeping here? This is neither Nimda nor Code Red. This is a scan. It came from a dial-up account. Nimda and Code Red never came from dial-up accounts. They always came from static IP addresses.
Why must Nimda or Code Red come from static IP addresses? Think of IIS installed on Windows PCs which are up 24/7 and accessible via DynDNS names. Such systems are vulnerable too... Hannes
Hi, what Hannes says is true. There are quite a few Nimda-infected computers out there that are connected to the internet via T-DSL, even some with ISDN. With "flatrates" getting affordable, people often have their PCs connected almost 24h (e.g. for downloads or P2P). Also, running a webserver on such hosts isn't as uncommon as it used to be. peace, Tom Johannes Studt wrote:
On Friday 11 October 2002 13:28, mailinglists@belfin.ch wrote:
Who's sleeping here? This is neither Nimda nor Code Red. This is a scan. It came from a dial-up account. Nimda and Code Red never came from dial-up accounts. They always came from static IP addresses.
Why must Nimda or Code Red come from static IP addresses? Think of IIS installed on Windows PCs which are up 24/7 and accessible via DynDNS names. Such systems are vulnerable too...
Hannes
On Fri, 11 Oct 2002 mailinglists@belfin.ch wrote:
Who's sleeping here?
Not me.
This is neither Nimda nor Code Red.
I'm pretty sure it is.
This is a scan. It came from a dial-up account. Nimda and Code Red never came from dial-up accounts.
Wrong, there were and still are lots of systems, even those of home users, being infected with these. Though it may be hard to believe for Linux users, there are lots of people around running an IIS on a dial-up machine; often they even know that they are running it. Win2000 installs IIS by default. About systems infected by Nimda please read: http://vil.nai.com/vil/content/v_99209.htm
They always came from static IP addresses.
Simply wrong. Randomly picked from my snort log:
--8<--
[**] [1:1243:2] WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
08/10-03:35:37.639599 64.123.252.223:3301 -> 212.60.6.115:80
--8<--
reverse DNS:
wolfgang@kiste:~> host 64.123.252.223
223.252.123.64.in-addr.arpa. domain name pointer adsl-64-123-252-223.dsl.kscymo.swbell.net.
-> DSL customer, dynamic IP, home user
wolfgang@kiste:~> host 212.60.47.97
97.47.60.212.in-addr.arpa. domain name pointer 097.catv47.bur01.lan.ch
How many such entries do you want me to post to this list? Do you want me to send you my snort logs? You can sort out the home users sending Nimda/Code-Red requests to my webservers if you like.
Wolfgang
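As an added example that is not part of the thread, the following Python script parses the snort alert layout Wolfgang quotes, labels web-server request lines that carry the publicly documented Code Red (.ida) and Nimda (root.exe / cmd.exe / MSADC) probe strings, and applies his reverse-DNS reading of "DSL customer, dynamic IP, home user" as a token heuristic; the access-log lines, the RFC 1918 client addresses and the token list are constructed assumptions.

```python
import re
# Snort "full" alert layout as quoted in the thread (three lines per alert).
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]\s*"
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]\s*"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")
# Apache common log format: client ident user [time] "METHOD path PROTO" status size
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d+)')
# Publicly documented probe strings (Code Red's .ida ISAPI request; Nimda's root.exe /
# cmd.exe traversal and MSADC paths), used here only to label incoming requests.
WORM_PATTERNS = [("code-red", re.compile(r"\.ida\b", re.I)),
                 ("nimda", re.compile(r"root\.exe|cmd\.exe|/msadc/", re.I))]
# Heuristic from the thread (assumed token list): residential reverse-DNS names carry these.
RESIDENTIAL_TOKENS = re.compile(r"dsl|dial|catv|cable|dyn|ppp|pool", re.I)

def parse_snort_alert(text):
    """Return the fields of one snort alert as a dict, or None if the text does not match."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields

def classify_request(path):
    # First matching label, or None for a request that looks like neither worm.
    return next((label for label, rx in WORM_PATTERNS if rx.search(path)), None)

def scan_access_log(lines):
    """Return (client_ip, label, path) for every CLF line whose path matches a worm probe."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        label = classify_request(m.group("path")) if m else None
        if label:
            hits.append((m.group("ip"), label, m.group("path")))
    return hits

def looks_residential(ptr_name):
    # True when a reverse-DNS name looks like a dynamic/residential address pool.
    return bool(RESIDENTIAL_TOKENS.search(ptr_name))

# The alert quoted in the thread, plus constructed access-log lines (RFC 1918 clients).
SAMPLE_ALERT = """[**] [1:1243:2] WEB-IIS ISAPI .ida attempt [**]
[Classification: Web Application Attack] [Priority: 1]
08/10-03:35:37.639599 64.123.252.223:3301 -> 212.60.6.115:80"""
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Oct/2002:03:35:37 +0200] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 295',
    '10.0.0.6 - - [11/Oct/2002:03:36:02 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300',
    '10.0.0.7 - - [11/Oct/2002:03:40:00 +0200] "GET /index.html HTTP/1.1" 200 1024',
]
```

Running scan_access_log over a real access log and grouping hits by client address gives the same picture Wolfgang draws from snort: which sources are sending the worm probes and, after a reverse lookup, how many of them are residential pools.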
participants (4)
-
Johannes Studt
-
mailinglists@belfin.ch
-
Thomas Seliger
-
Wolfgang Kueter