Mailinglist Archive: opensuse-security (511 mails)

Re: [suse-security] Re: INFORMATION
  • From: James Bliss <jamesbliss@xxxxxxxxxxxx>
  • Date: Sat, 11 Aug 2001 19:11:53 -0500
  • Message-id: <3B75C9C9.C25EBC8A@xxxxxxxxxxxx>
This looks like a firewall entry. What I have observed, thanks to a friend
of mine, is that the Code Red virus results in three identical entries (such
as the one below) one right after the other (in sequence in the log). My
machine has been receiving them and recording them in the firewall log at
the rate of 5 or 6 an hour (sometimes up to 10 - 15 per hour).

Yes, Linux is so much nicer than Microsoft with IIS.

Jim

maf king wrote:

> Hi Ricardo,
>
> On 2001.08.11 18:25:20 +0100 Ricardo Romero wrote:
> > Hi, John and ALL.
> >
> > Thanks for explanation, but I'm using SuSE 7.1, and this log was
> > originally from my Linux BOX.
> >
> > >>On Friday 10 August 2001 20:12, Ricardo Romero wrote:
> > >[snip]
> > >> Aug 10 20:05:59 ricromero kernel: Packet log: rulchain REJECT eth0
> > >> PROTO=6 200.207.153.166:4215 MY_IP_ADDRESS:80 L=48 S=0x00 I=29432
> > >> F=0x4000 T=121 SYN (#5)
> > >
> > >Probably a Code Red infected Win 2K/NT IIS system looking for new victims.
> > >You really have to wonder what the IIS admins have been doing.
> > >
> > >John
> > >
>
> This means an IIS with code red *enhancements* (joke) is trying to infect
> your machine -
> but it can't, since 1) the packet gets blocked by your firewall, 2) you
> don't have IIS.
>
> I repeat, this does not mean that you have been infected!
>
> HTH,
> Maf.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Maf. King
> Standby Exhibition Services
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> "It is easier to do a job right than to explain why you didn't."
>
> - Martin Van Buren
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>

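The pattern described in the message above (three identical rejected entries in a row for a SYN to port 80), as an added Python example that is not part of the original thread. It assumes "identical" means the same source address, source port and destination; the function names are hypothetical and the sample log lines are constructed with documentation addresses.

```python
import re
from itertools import groupby

# ipchains packet-log line; field order follows the entry quoted in the thread.
LINE_RE = re.compile(
    r"kernel: Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) .*?T=\d+(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

def parse(line):
    """Return the fields of one packet-log line as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["syn"] = rec["syn"] is not None
    for field in ("proto", "sport", "dport", "rule"):
        rec[field] = int(rec[field])
    return rec

def http_syn_runs(lines, min_run=3):
    """Report (src, sport, count) for each run of >= min_run back-to-back TCP SYNs
    to port 80 that share source address, source port and destination."""
    recs = [r for r in map(parse, lines) if r]
    def same(r):
        return (r["src"], r["sport"], r["dst"], r["dport"], r["proto"], r["syn"])
    hits = []
    for (src, sport, _dst, dport, proto, syn), grp in groupby(recs, key=same):
        count = len(list(grp))
        if proto == 6 and dport == 80 and syn and count >= min_run:
            hits.append((src, sport, count))
    return hits

# Constructed sample log (documentation addresses; not taken from the thread).
_FMT = ("Aug 11 {t} fw kernel: Packet log: input {act} eth0 PROTO={p} {src} "
        "192.0.2.10:{dp} L=48 S=0x00 I={i} F=0x4000 T=121{syn} (#5)")
SAMPLE = [
    _FMT.format(t="19:02:11", act="REJECT", p=6, src="203.0.113.7:4215", dp=80, i=29432, syn=" SYN"),
    _FMT.format(t="19:02:14", act="REJECT", p=6, src="203.0.113.7:4215", dp=80, i=29433, syn=" SYN"),
    _FMT.format(t="19:02:20", act="REJECT", p=6, src="203.0.113.7:4215", dp=80, i=29434, syn=" SYN"),
    _FMT.format(t="19:05:40", act="DENY", p=17, src="198.51.100.23:137", dp=137, i=5121, syn=""),
    _FMT.format(t="19:09:03", act="REJECT", p=6, src="198.51.100.99:3301", dp=80, i=811, syn=" SYN"),
    _FMT.format(t="19:14:27", act="REJECT", p=6, src="203.0.113.50:2210", dp=80, i=40210, syn=" SYN"),
    _FMT.format(t="19:14:30", act="REJECT", p=6, src="203.0.113.50:2210", dp=80, i=40211, syn=" SYN"),
]
if __name__ == "__main__":
    print(http_syn_runs(SAMPLE))
```

A hit only shows that a remote host retried a connection to port 80 and was rejected; as the quoted reply says, it does not indicate the logging machine is infected.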
