Mailinglist Archive: opensuse-security (487 mails)

< Previous Next >
Re: [suse-security] does anybody know such a log
  • From: "Philippe Vogel" <filiaap@xxxxxxxxxx>
  • Date: Fri, 11 Oct 2002 15:14:12 +0200
  • Message-id: <000f01c27128$177e0300$52ef5b86@xxxxxxxxxxxxxxxxxx>
> [Snip]
> >
> > dig -x ip.address:
> >
> > 90.99.11.217.in-addr.arpa. 86383 IN PTR
dialup-90.iberbanda.es.
> >
> > I've seen a lot of logs dealing with nimda and code red a year ago.
But I
> > never saw this coming from a dial up link.

I saw several attempts from dsl and dial up.

> I have a 24/7 DSL-linked Linuxserver and I have this Code-Red requests
all
> the time mostly from other DSL-Dial-In Computers in similar Ip-Ranges
(like my
> Server).

Anyway it does not affect any linux-box!
Any responsible admin will not tolerate those insecure iis and use
apache (even with or without asp)!

> Code Red does not differ between Static or dynamic Ips as long as it
can
> infect them.. and there are plenty poorly adiminstrated Windoze Boxes
out there.

Like said before in some mails it must not be code red or nimda, maybe
an attempt to get system-access to iis or script kiddies.
I got the same with apache, sometimes there were attempts to access
linux-binaries without success because of my config.
For that purpose use different folders e.g. /usr/local/httpd/apache
instead of /usr/local/httpd or /var/www [...].
I would be more concerned about latest vulnerabilities of apache.

> So: it's a code red - guess how long these systems must be unpatched.

It's only poor to see how badly the knowledge of those m$ users is! :-(
Maybe not, code red seems for me to look different.
Even if it is Code Red - you should be running apache and why then be
concerned about this attempts, that do not effect your server (I think
you are running apache, don't you?)?
If you got iis make some acl's in your reverse proxy will help filter
all nasty requests and don't effect your system(s)!

Philippe




< Previous Next >
References