Mailinglist Archive: opensuse-security (511 mails)
| < Previous | Next > |
Re: [suse-security] Code Red?
- From: "Alfred JILKA" <jilalf@xxxxxxxxxxxxxxx>
- Date: Thu, 9 Aug 2001 13:02:00 +0200
- Message-id: <3B7289C8.23423.EA13AD8@localhost>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Same here. Our firewall logs similiar lines. And I'm pretty sure it
is CodeRed as our Apache log _lots_ of tries to "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a HTTP/1.0"
Regards, Alfred
Am 9 Aug 2001, um 8:37 hat Philipp Snizek geschrieben:
> Dear list users,
>
> since several days we have a lot of log entries originating from
> various IP addresses looking like this:
>
> 08/08/2001 00:09:34.464 - TCP connection dropped -
> Source:195.219.121.17, 1429, WAN - Destination: our ip address, 80,
> LAN - 'Web (HTTP)' - Rule 0 08/08/2001 00:11:53.928 - TCP
> connection dropped - Source:195.55.190.134, 3585, WAN - Destination:
> our ip address, 80, LAN - 'Web (HTTP)' - Rule 0 08/08/2001
> 00:17:43.384 - TCP connection dropped - Source:195.144.38.219, 2950,
> WAN - Destination: our ip address, 80, LAN - 'Web (HTTP)' - Rule 0
> 08/08/2001 00:26:19.432 - TCP connection dropped -
> Source:195.58.181.178, 3026, WAN - Destination: our ip address, 80,
> LAN - 'Web (HTTP)' - Rule 0
>
>
> 3 of these 4 IP addresses run IIS Webserver. One seems to be down.
> Since this is a firewall log and I have no other logfiles it is hard
> to me to determine whether this could be Code Red. Has anybody got a
> log that looks the same or similar? TIA
>
> Philipp
>
>
>
>
>
>
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
>
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8 -- QDPGP 2.61c
Comment: http://community.wow.net/grt/qdpgp.html
iQA/AwUBO3JfmdPw+MyrmYQvEQKDMQCdHRlOrGCosnYF5uAh5V00CAf146MAoJGX
aZFrY/2tkF/BriMmeM8CMmgS
=sBcn
-----END PGP SIGNATURE-----
############################################################################
Geological Survey of Austria # A.JILKA # This Space
Rasumofskyg. 23 # jilalf@xxxxxxxxxxxxxxx # for rent
A-1031 Vienna # Fon: +43/(0)1/712-56-74/444 #
Europe # Fax: +43/(0)1/713-64-57/444 # :-)
################ Visit us at http://www.geolba.ac.at #######################
Hash: SHA1
Same here. Our firewall logs similiar lines. And I'm pretty sure it
is CodeRed as our Apache log _lots_ of tries to "GET
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a HTTP/1.0"
Regards, Alfred
Am 9 Aug 2001, um 8:37 hat Philipp Snizek geschrieben:
> Dear list users,
>
> since several days we have a lot of log entries originating from
> various IP addresses looking like this:
>
> 08/08/2001 00:09:34.464 - TCP connection dropped -
> Source:195.219.121.17, 1429, WAN - Destination: our ip address, 80,
> LAN - 'Web (HTTP)' - Rule 0 08/08/2001 00:11:53.928 - TCP
> connection dropped - Source:195.55.190.134, 3585, WAN - Destination:
> our ip address, 80, LAN - 'Web (HTTP)' - Rule 0 08/08/2001
> 00:17:43.384 - TCP connection dropped - Source:195.144.38.219, 2950,
> WAN - Destination: our ip address, 80, LAN - 'Web (HTTP)' - Rule 0
> 08/08/2001 00:26:19.432 - TCP connection dropped -
> Source:195.58.181.178, 3026, WAN - Destination: our ip address, 80,
> LAN - 'Web (HTTP)' - Rule 0
>
>
> 3 of these 4 IP addresses run IIS Webserver. One seems to be down.
> Since this is a firewall log and I have no other logfiles it is hard
> to me to determine whether this could be Code Red. Has anybody got a
> log that looks the same or similar? TIA
>
> Philipp
>
>
>
>
>
>
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
> For additional commands, e-mail: suse-security-help@xxxxxxxx
>
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8 -- QDPGP 2.61c
Comment: http://community.wow.net/grt/qdpgp.html
iQA/AwUBO3JfmdPw+MyrmYQvEQKDMQCdHRlOrGCosnYF5uAh5V00CAf146MAoJGX
aZFrY/2tkF/BriMmeM8CMmgS
=sBcn
-----END PGP SIGNATURE-----
############################################################################
Geological Survey of Austria # A.JILKA # This Space
Rasumofskyg. 23 # jilalf@xxxxxxxxxxxxxxx # for rent
A-1031 Vienna # Fon: +43/(0)1/712-56-74/444 #
Europe # Fax: +43/(0)1/713-64-57/444 # :-)
################ Visit us at http://www.geolba.ac.at #######################
| < Previous | Next > |