JustGags wrote:
> In my server logs I see entries such as:
>
> 64.253.39.170 - - [27/Jun/2003:15:23:37 -0400] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 288
^^^
# 404 HTTP_NOT_FOUND
> I believe that this is the Red Alert trojan, but being that I am not using
> IIS, and I do not have the virus on my system, this doesnt mean anything
> right? Am I safe to leave my server running all the time even w/ these
> occuring every few minutes from different IP addresses?
yes, this is Code Red trying to gt the buffer overflow bug, but as you see
HTTP error 404, it don't get anywhere.
I see nimda and code red on my system pretty often, I also noticed once an
Indy Library (or back orifice) attack...
.... but always 404 errors ;o)
> Also, I see other entries such as:
>
> 192.168.1.160 - - [14/Jun/2003:22:20:57 -0400] "OPTIONS / HTTP/1.1" 200 0
^^^ ^
# 200 HTTP_OK (but returned data was 0 - zero - nil - zilch - nada)
> 192.168.1.160 - - [14/Jun/2003:22:20:57 -0400] "PROPFIND /Documents
> HTTP/1.1" 405 312
^^^
# 405 HTTP_METHOD_NOT_ALLOWED
> "Documents" is a shared folder on my network. Is someone trying to hack into
> my network, or is my server just logging my own network activity?
192.168.1.160 is probably another computer on your network? - with windows XP?
Mine does the same. I'm not worried, since it returns HTTP error 405
> Lastly, I have this entry:
>
> 64.71.165.195 - - [15/Jun/2003:19:15:30 -0400] "CONNECT 216.179.62.106:6667
> HTTP/1.0" 405 308
^^^
# 405 HTTP_METHOD_NOT_ALLOWED
> port 6667 is an eDonkey / eMule port... Why and how would someone be
> connecting to me with eDonkey?
....to see if your server allows the CONNECT.
besides:
<a style='text-decoration: underline;' href="http://www.seifried.org/security/ports/6000/6667.html" target="_blank">http://www.seifried.org/security/ports/6000/6667.html</a>
<quote>
Port number: 6667
Common name(s): irc, ircd
Common service(s): IRC
Service description(s): Internet Relay Chat
Common server(s):
Common client(s):
Common problem(s): Many IRC servers will connect back to clients
for identd lookups or have third party systems connect to look for
open windows proxy software which can trigger IDS systems.
</quote>
--
Robi<!-- ~MESSAGE_AFTER~ -->
FAQ
Profile
Private Messages
Log in
