[warning, attributions getting shaky -- apologies if misrepresented] On Friday 28 February 2003 12:05 pm, Josh Trutwin wrote: [in response to Greg I believe, regarding Henjay's original post]
This is rather a long log file, but the general questions are: was the attacker able to break in, and secondly, how can I better protect my computer from future hack attempts?
Don't run Windows!!!!! (and I assume you're not or you would not be posting here.)
FYI: That is a standard Windows virus. Everybody sees that in their logs. Nothing you can do about it.
Nothing you can do to stop it, true, but you can write a quick perl script to remove these entries from your error log every night via cron, or you can also look into Apache::CodeRed (http://www.onlamp.com/pub/a/apache/2001/08/16/code_red.html) and Apache::Nimda.
Mentioned elsewhere on this thread is a perl script to automate the reporting [and subsequent blockage] of attempts. I gather this has been "generally effective", since the number of "attempts" on my machine has dropped significantly from a few months ago [I think I've logged less than 100 attempts for all of February, compared to 2500+ for the previous 6 months -- take the "net" link from my homepage to bring up awstats and you can review the data since I fired up this server last June -- scroll to the bottom to view the "404" errors page].

If the volume picks up, however, I'm somewhat tempted to create a CGI program called "cmd.exe" or "root.exe" which simply returns a gigabyte of nulls -- after all, it is a valid "GET" request, is it not? :) </sarcasm> [Is Code Red or Nimda or whichever it is "robust enough" to deal with unexpected input of this sort, or does it die a horrible enough death to point out that it was the cause of a server failure? As you might guess, I'm kind of hoping for the latter...]

OTOH, instead of "nulls", I might have it generate random filenames, since the "request" appears to be for a directory listing -- again, the argument is that this is what was requested, never mind the fact it is being requested of a computer that doesn't comply "as expected"...

-- 
Yet another Blog: http://osnut.homelinux.net
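Josh's suggestion above of a quick script, run nightly from cron, that strips the worm probes out of the log and feeds the reporting/blocking step, worked through as an added example (Python rather than perl; not code from the thread or from Apache::CodeRed). The regexes, the per-client summary and the sample log lines are assumptions constructed for illustration.

```python
"""Strip Code Red / Nimda probe lines from Apache logs and count them per client.
Added example (Python, not the thread's perl); regexes, sample lines and the
summary are assumptions for illustration."""
import re
from collections import Counter

# Paths the Code Red and Nimda worms probe for (the thread's cmd.exe / root.exe hits).
WORM_PATH = re.compile(r"default\.ida|/root\.exe|/cmd\.exe", re.IGNORECASE)
# Access log in Common Log Format: client, timestamp, quoted request line, status.
ACCESS_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<target>[^"]*)" \d{3}')
# Apache 1.3-style error log: [date] [error] [client a.b.c.d] File does not exist: /path
ERROR_RE = re.compile(r'^\[[^\]]+\] \[error\] \[client (?P<client>\S+)\] (?P<target>.*)$')

def classify(line):
    """Return the probing client's address if the line is a worm probe, else None."""
    for pattern in (ACCESS_RE, ERROR_RE):
        m = pattern.match(line)
        if m:
            return m.group("client") if WORM_PATH.search(m.group("target")) else None
    return None  # unrecognised line: keep it untouched

def filter_log(lines):
    """Split lines into (kept, probes_by_client); rewrite the log from `kept`."""
    kept, probes = [], Counter()
    for line in lines:
        client = classify(line.rstrip("\n"))
        if client is None:
            kept.append(line)
        else:
            probes[client] += 1
    return kept, probes

# Constructed sample lines (RFC 5737 documentation addresses), not real log data.
SAMPLE_LINES = [
    '192.0.2.10 - - [28/Feb/2003:12:05:01 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289',
    '192.0.2.10 - - [28/Feb/2003:12:05:02 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297',
    '198.51.100.7 - - [28/Feb/2003:12:06:00 -0600] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [28/Feb/2003:12:06:01 -0600] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 280',
    '[Fri Feb 28 12:05:01 2003] [error] [client 192.0.2.10] File does not exist: /var/www/scripts/root.exe',
    '[Fri Feb 28 12:07:00 2003] [error] [client 203.0.113.5] File does not exist: /var/www/favicon.ico',
]

if __name__ == "__main__":
    kept, probes = filter_log(SAMPLE_LINES)
    print(f"kept {len(kept)} line(s), dropped {sum(probes.values())} worm probe(s)")
    for client, count in probes.most_common():  # feed this to the blocking/reporting step
        print(f"  {client}: {count}")
```

Run it against a copy of the real log first and diff the `kept` output against the original before letting cron rewrite anything in place.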