RE: [suse-security] does anybody know such a log
On Friday 11 October 2002 13:28, mailinglists@belfin.ch wrote:
Who's sleeping here? This is neither Nimda nor Code Red. This is a scan. It came from a dial-up account. Nimda and Code Red never came from dial-up accounts. They always came from static IP addresses.
Why _must_ Nimda or Code Red come from static IP addresses? Think of IIS installed on WinPCs which are up 24/7 and accessible via DynDNS names. Such systems are vulnerable too...
We have to differentiate between DHCP-assigned IP addresses on always-online internet links and old-fashioned dial-up accounts. The source of our scan looks very much like a dial-up account:
dig -x ip.address:
90.99.11.217.in-addr.arpa. 86383 IN PTR dialup-90.iberbanda.es.
I've seen a lot of logs dealing with Nimda and Code Red a year ago. But I never saw this coming from a dial-up link.
Philipp
I have a 24/7 DSL-linked Linux server and I have these Code Red requests all the time, mostly from other DSL dial-in computers in similar IP ranges (like my server). Code Red does not differ between static or dynamic IPs as long as it can infect them.. and there are plenty of poorly administrated Windoze boxes out there. So: it's a Code Red - guess how long these systems must be unpatched.. Greets Jan
I saw several attempts from DSL and dial-up.
I have a 24/7 DSL-linked Linux server and I have these Code Red requests all the time, mostly from other DSL dial-in computers in similar IP ranges (like my server).
Anyway, it does not affect any Linux box! Any responsible admin will not tolerate that insecure IIS and will use Apache (with or without ASP)!
Code Red does not differ between static or dynamic IPs as long as it can infect them.. and there are plenty of poorly administrated Windoze boxes out there.
Like said before in some mails, it must not be Code Red or Nimda; maybe an attempt to get system access to IIS, or script kiddies. I got the same with Apache; sometimes there were attempts to access Linux binaries, without success because of my config. For that purpose use different folders, e.g. /usr/local/httpd/apache instead of /usr/local/httpd or /var/www [...]. I would be more concerned about the latest vulnerabilities of Apache.
So: it's a Code Red - guess how long these systems must be unpatched.
It's only poor to see how bad the knowledge of those m$ users is! :-( Maybe not, Code Red seems to me to look different. Even if it is Code Red - you should be running Apache, and why then be concerned about these attempts, which do not affect your server (I think you are running Apache, don't you?)? If you've got IIS, some ACLs in your reverse proxy will help filter all the nasty requests and not affect your system(s)! Philippe
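The two checks the thread argues about, worked as a defender-side example that is not part of any message in it: match each web-log request against the worm request signatures, then judge from the source's PTR name whether it looks like a dial-up or dynamic address. The log lines and the reverse-DNS table are constructed (the dialup-90.iberbanda.es entry is Philipp's dig result), and the request signatures come from public Code Red and Nimda write-ups, not from this thread.

```python
import re

# Request paths the IIS worms are known to probe (from public write-ups, not this thread).
WORM_SIGNATURES = {
    "Code Red": re.compile(r"/default\.ida\?", re.I),
    "Nimda": re.compile(r"/(scripts|msadc|_vti_bin|c|d)/.*(root|cmd)\.exe", re.I),
}
# Tokens that commonly appear in PTR names of dial-up / dynamically assigned ranges.
DIALUP_PTR = re.compile(r"(dial ?up|dyn|dsl|ppp|pool)", re.I)
# Apache common log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) ([^"]*)" (\d{3}) (\S+)')

# Constructed reverse-DNS table standing in for `dig -x`, so the example runs offline.
PTR = {"217.11.99.90": "dialup-90.iberbanda.es", "198.51.100.7": "www.example.net"}

# Constructed log lines (the Code Red payload is shortened to its recognisable prefix).
SAMPLE_LOG = [
    '217.11.99.90 - - [11/Oct/2002:13:28:01 +0200] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 289',
    '198.51.100.7 - - [11/Oct/2002:13:30:12 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281',
    '198.51.100.7 - - [11/Oct/2002:13:30:13 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281',
    '203.0.113.9 - - [11/Oct/2002:13:31:00 +0200] "GET /index.html HTTP/1.0" 200 1534',
]


def classify(line):
    """Tag one log line with the worm it matches (or None) and the source's link type."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a CLF line; caller decides whether to flag it
    ip, _ts, _method, path, _proto, status, _size = m.groups()
    worm = next((name for name, rx in WORM_SIGNATURES.items() if rx.search(path)), None)
    host = PTR.get(ip, "")  # empty when there is no PTR record
    link = "dial-up/dynamic" if DIALUP_PTR.search(host) else "static/unknown"
    return {"ip": ip, "host": host, "worm": worm, "link": link, "status": int(status)}


def summarize(lines):
    """Count worm hits per link type: the question the thread is arguing about."""
    counts = {}
    for line in lines:
        r = classify(line)
        if r and r["worm"]:
            key = (r["worm"], r["link"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (worm, link), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{worm:9} from {link:16} sources: {n}")
```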
participants (3)
- Jammer@gmx.de
- mailinglists@belfin.ch
- Philippe Vogel