[CLUE-Tech] nimda and friends

Adam Bultman adamb at glaven.org
Mon Sep 9 21:30:14 MDT 2002


I don't know about you, but my servers have seen a great increase in scans
lately. Obviously, there's the MS warning about increased scanning, and
certainly I see that on my 3 IIS boxen (running BlackICE, so they get
blocked), but wowza, I get a lot of scans these days, both on my Linux
boxes and IIS boxes. My firewall in my office once was completely hammered
to the point that the drive suddenly filled up with snort logs.  Yikes.

Anyone else notice all this? I stay up on patches, but it's rough doing so
when it breaks IIS.  As far as Linux goes, I'm too afraid to block those
people (as sometimes, it's a misconfigured server for a client trying to
constantly connect to my web servers at port 25).  Speaking of which, do
any of you have lots of hits to port 25 these days?  I have lots of hosts
(imakenews.com being the most bothersome) trying, every 10 minutes or so,
to connect to my web servers at port 25.  I don't know why.  They've never
run sendmail as a daemon before. Blah. Cretins.
On Mon, 9 Sep 2002, Dave Price wrote:

> Well, the icmp syslog errors are gone - now if I could just get a script
> to add a DROP to my iptables for systems that try to do this silliness -
>
> [Sat Aug 31 10:08:08 2002] [error] [client 63.225.171.157] File does not
> exist: /var/www/d/winnt/system32/cmd.exe
>
> ==> /var/log/apache/access.log <==
> 63.225.171.157 - - [31/Aug/2002:10:08:08 -0600] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
>
> ==> /var/log/apache/error.log <==
> [Sat Aug 31 10:08:08 2002] [error] [client 63.225.171.157] File does not
> exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe
>
> ==> /var/log/apache/access.log <==
> 63.225.171.157 - - [31/Aug/2002:10:08:09 -0600] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 249
>
> Like I would really run IIS. I have seen references to scripts that
> actually make the Nimda targets into legitimate cgi scripts.
>
> Has anyone ever tried to install something like that?
>
> scanning the logs - tired of getting probed.
>
> BTW if you did not know you could do this, tail can monitor several files
> at once:
>
> davep at fw:/etc/network$ cat `which tlog`
> su -c "tail -f /var/log/apache/access.log /var/log/apache/error.log
> /var/log/exim/mainlog /var/log/syslog"
>
> The output is easy to scan.
>
> aloha,
> dave

-- 
Adam Bultman
adam at glaven.org
[ http://www.glaven.org ]
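One way to script the detection Dave asks about, as an added example that is not part of this thread and not Dave's or Adam's code: it parses Apache access-log lines shaped like the ones quoted above (the sample lines below are constructed from them), decodes the request path twice so that %255c, %5c and backslashes all normalize the same way, flags hosts that request winnt/system32/cmd.exe through a directory traversal, and emits the matching iptables DROP rules as text instead of applying them. The log-format regex and the `min_hits` threshold (there to avoid blocking a client on a single odd request) are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample lines, modelled on the access.log entries quoted in the thread.
SAMPLE_LOG = """\
63.225.171.157 - - [31/Aug/2002:10:08:08 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
63.225.171.157 - - [31/Aug/2002:10:08:09 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
10.0.0.5 - - [31/Aug/2002:10:09:00 -0600] "GET /index.html HTTP/1.0" 200 1043
"""

# Apache common log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize_path(path: str) -> str:
    """Decode percent-encoding twice (so %255c -> %5c -> '\\') and fold
    backslashes into '/', so every traversal variant compares the same way."""
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/").lower()


def is_nimda_probe(path: str) -> bool:
    """True when the request walks up the tree to reach cmd.exe, as in the quoted logs."""
    norm = normalize_path(path)
    return "../" in norm and "/winnt/system32/cmd.exe" in norm


def offending_hosts(log_text: str, min_hits: int = 1) -> dict:
    """Return {ip: probe_count} for hosts with at least min_hits matching requests."""
    counts: dict = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_nimda_probe(m.group("path")):
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def iptables_drop_rules(hosts: dict) -> list:
    """Render one DROP rule per host; nothing here executes iptables."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(hosts)]


if __name__ == "__main__":
    for rule in iptables_drop_rules(offending_hosts(SAMPLE_LOG, min_hits=2)):
        print(rule)
```

The script only prints rules, so it can be run against a log first and the output reviewed before anything reaches the firewall.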