
Re: under attack :-)



On Wed, 26 Sep 2001 solomon@barak-online.net wrote:

> For the last few days, I've had hundreds of entries like the following in
> /var/log/syslog. I'm not really worried because my firewall seems to be
> rejecting everything, but I am curious if anyone knows what this is. The SRC=
> changes, but otherwise the attack seems to be the same all the time. I tried
> traceroute, whois, and nslookup and found the attack seems to be coming from
> many locations - mostly in the US, but also from other places (like Australia).

this is not an attack, per se. it's machines infected with the nimda or
code red worms, looking to see if you're running IIS.

firewall logs are not much use if you don't bother actually *reading
them*. DPT=80 means destination port = 80. 80, i'm sure you know, is
http traffic. the nimda and code red worms both attack web servers.
quote era demonstratum.

if you want to have a little fun (fsvo fun), allow incoming traffic on
port 80 and run (you'll have to do this as root, to bind to port 80):

nc -v -l -p 80

nc is netcat - google for it.

DISCLAIMER: i am not advocating opening your firewall for amusement
value, unless you know what you are doing.
-- 
mulix

http://www.advogato.com/person/mulix
http://www.sf.net/projects/syscalltrack
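
Added example, not part of the original message: one way to read the firewall log as the reply suggests, by tallying the SRC= and DPT= fields per destination port and flagging ports probed by many distinct sources. The log lines are constructed samples in the netfilter LOG format, and the function names and the min_sources threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the netfilter LOG target format (KEY=value
# pairs such as SRC= and DPT=); addresses are documentation ranges.
SAMPLE_LOG = """\
Sep 26 10:01:02 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=48 TTL=110 PROTO=TCP SPT=3124 DPT=80 SYN
Sep 26 10:01:05 gw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=203.0.113.5 LEN=48 TTL=110 PROTO=TCP SPT=3124 DPT=80 SYN
Sep 26 10:03:40 gw kernel: IN=ppp0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=108 PROTO=TCP SPT=4410 DPT=80 SYN
Sep 26 10:07:13 gw kernel: IN=ppp0 OUT= SRC=198.51.100.99 DST=203.0.113.5 LEN=48 TTL=112 PROTO=TCP SPT=1877 DPT=80 SYN
Sep 26 10:09:55 gw kernel: IN=ppp0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=22 SYN
Sep 26 10:10:01 gw CRON[812]: (root) CMD (run-parts /etc/cron.hourly)
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line):
    """Return the KEY=value fields of one firewall log line, or None."""
    fields = dict(FIELD.findall(line))
    # Only TCP/UDP packet log lines carry all three of these keys.
    if not all(k in fields for k in ("SRC", "PROTO", "DPT")):
        return None
    return fields

def summarize(log_text):
    """Map (proto, dport) -> {"packets": n, "sources": set of SRC}."""
    summary = defaultdict(lambda: {"packets": 0, "sources": set()})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # not a packet log entry (e.g. cron, or ICMP with no DPT)
        entry = summary[(fields["PROTO"], int(fields["DPT"]))]
        entry["packets"] += 1
        entry["sources"].add(fields["SRC"])
    return dict(summary)

def widely_probed(summary, min_sources=3):
    """Ports hit by many distinct sources: the pattern of worm scanning."""
    return sorted(key for key, e in summary.items()
                  if len(e["sources"]) >= min_sources)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (proto, port), e in sorted(result.items()):
        print(f"{proto}/{port}: {e['packets']} packets from {len(e['sources'])} sources")
    print("widely probed:", widely_probed(result))
```

To run it against a real log, pass the file contents to summarize() in place of SAMPLE_LOG.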


