* Peer Stefan
Hi again :) [big snip] This looks pretty much like Nimda. As long as no IIS is running (apparently never on a Linux box :-), it's just filling up logs. Have a look at http://www.opennet.ru/tips/sml/41.shtml for how to block Nimda requests with iptables, or use Apache configuration directives to exclude Nimda requests from your log (http://paulbeard.no-ip.org/movabletype/archives/000054.html).
I will research these locations later today, have pressing matters for the next 4 hrs.
You can always try the next two commands:
iptables -I INPUT -s 24.208.133.143 -j DROP
iptables -I OUTPUT -d 24.208.133.143 -j DROP
(Don't start the firewall services after entering the two commands.)
iptables -L | grep 24.208.133.143:
DROP all -- dhcp024-208-133-143.insight.rr.com anywhere
DROP all -- dhcp024-208-133-143.insight.rr.com anywhere
DROP all -- anywhere dhcp024-208-133-143.insight.rr.com
Is there a chance that before these DROPs there's something like "ALLOW http ..." ?
No, the three instances quoted above *all* come before *any* references to http or port 80. I do not understand firewall rules well enough. I would think that the *three* 'DROP' rules in the first 50 lines of the report would stop a tank, but ???
Judging by the symptoms, I don't think it's rootkits anymore. I think that http traffic is allowed no matter what the source address is, and your DROPs just come too late in the iptables order. (And I don't think that this user is an evil one with many computer skills, apart from being a magnet for worms, viruses and trojan horses ;o)
No, I agree. I do not believe he is *skilled* computer-wise at all. I have had my web-site up since just before New Year's and it is only advertised in my sig, so it is probably someone who has read one of the mail lists I have responded to and stored my address. He first hit me 11 Mar and to date I have logged 1333 access attempts in httpd/access_log. I am also amazed that RoadRunner is not more interested/concerned, given the added bandwidth considerations and the imminent danger of multiplication thereof. Of 22,000 lines in httpd/access_log, ~13,500 are *probably* virus access attempts. That is appalling. This traffic approaches or exceeds the weight of spam traffic.
-- 
Patrick Shanahan
Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org
Registered Linux User #207535 icq#173753138 @ http://counter.li.org
Linux, a continuous *learning* experience
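As an added example (not code from anyone in this thread), a small Python helper for the two checks the thread turns on: tally Nimda-style probe lines in an Apache access_log per client address, and read `iptables -L -n` output to find which rule a new HTTP connection from a given address hits first, since a chain is evaluated top to bottom and an ACCEPT listed above the DROP wins. The log lines, addresses and listing are constructed sample data, and the probe marker list is an assumed starter set.

```python
import ipaddress, re
from collections import Counter
# Nimda/Code Red style IIS probe paths (assumed starter list): harmless to Apache, just log noise.
PROBE_MARKERS = ("cmd.exe", "root.exe", "default.ida", "/_vti_bin/", "/msadc/")
# Apache common/combined log format: client - user [time] "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)')
# Constructed samples; 192.0.2.x and 198.51.100.x are documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Mar/2002:10:15:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288
198.51.100.7 - - [11/Mar/2002:10:16:40 -0500] "GET /index.html HTTP/1.1" 200 1423
192.0.2.10 - - [11/Mar/2002:10:17:04 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296
""".splitlines()
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
DROP       all  --  192.0.2.10           0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
"""

def summarize_access_log(lines):
    """Count parsed lines, worm-style probe lines, and probes per client IP."""
    total, probes, by_ip = 0, 0, Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # malformed or truncated line
        total += 1
        client, path = m.group(1), m.group(3).lower()
        if any(marker in path for marker in PROBE_MARKERS):
            probes += 1
            by_ip[client] += 1
    return {"total": total, "probes": probes, "by_ip": dict(by_ip)}

def http_verdict(listing, client_ip, chain="INPUT", dport=80):
    """Target of the first rule in `chain` of `iptables -L -n` output that a new
    TCP connection from client_ip to dport hits (top-down order), else policy."""
    ip, policy, in_chain = ipaddress.ip_address(client_ip), None, False
    for line in listing.splitlines():
        f = line.split()
        if line.startswith("Chain "):
            in_chain = f[1] == chain
            if in_chain and "policy " in line:
                policy = line.split("policy ")[1].rstrip(")")
            continue
        if not in_chain or len(f) < 5 or f[1] not in ("all", "tcp") \
                or ip not in ipaddress.ip_network(f[3], strict=False):
            continue                       # header row, other chain, proto or source
        if "dpt:" in line and f"dpt:{dport}" not in f:
            continue                       # rule for a different service port
        return f[0]
    return policy
```

Run it against your real files with `summarize_access_log(open("/var/log/httpd/access_log"))` and `http_verdict(subprocess.check_output(["iptables", "-L", "-n"], text=True), "<client ip>")`; the second call is what tells you whether an ACCEPT precedes your DROP.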