Hi all,
Everyone musta heard by now about the nice new IIS worm that, once it's got the IIS server, attacks whitehouse.gov. Have a look in your apache logs and see how many times they've tried to attack you...
brett@dustpuppy:/var/log/apache$ grep "default.ida" access.log | wc -l
25
and that's on a 33.6 dialup machine ;)
Cheers,
Brett
Brett Parker wrote:
Hi all,
Everyone musta heard by now about the nice new IIS worm that, once it's got the IIS server, attacks whitehouse.gov. Have a look in your apache logs and see how many times they've tried to attack you...
brett@dustpuppy:/var/log/apache$ grep "default.ida" access.log | wc -l
25
and that's on a 33.6 dialup machine ;)
I had 22 virtual domains to check, so I knocked up a quick script. Only one has been hit, oddly enough the main one, which means they may well have come in by IP address. I checked the log, and they're sending a REALLY long url. Must be another buffer overflow thingy.
25 hits between 19/07/2001 16:40, and 20/07/2001 00:19 from lots of different IP addresses...
Aren't I glad I don't run IIS!
Cheers, Laurie.
On Fri, 20 Jul, 2001 at 8:44 +0100, Laurie Brown wrote:
25 hits between 19/07/2001 16:40, and 20/07/2001 00:19 from lots of different IP addresses...
Aren't I glad I don't run IIS!
33 hits across two domains. You'd think whoever wrote the exploit would have saved themselves some time and asked the remote server what it is before attacking it - given Apache servers account for over half the world. Sheesh, such low standards amongst evil crackers these days. When I was a lad.... ;-)
Andrew.
On 20-Jul-01 Brett Parker wrote:
Hi all,
Everyone musta heard by now about the nice new IIS worm that, once it's got the IIS server, attacks whitehouse.gov. Have a look in your apache logs and see how many times they've tried to attack you...
brett@dustpuppy:/var/log/apache$ grep "default.ida" access.log | wc -l
25
and that's on a 33.6 dialup machine ;)
Cheers,
Brett
cat /var/log/httpd/access_log | grep "default.ida" | wc -l
8
and that's on a 56 dialup machine
Owen
Date: 20-Jul-01 Time: 12:08:37
On Fri, Jul 20, 2001 at 12:09:13PM +0100, oms101@freeuk.com wrote:
brett@dustpuppy:/var/log/apache$ grep "default.ida" access.log | wc -l
25
cat /var/log/httpd/access_log | grep "default.ida" | wc -l
8
since everyone seems to be taking scores....
root@Inphinity:/usr/local/apache/logs# grep -i "default.ida" access_log | wc -l
141
That's on one of my boxes in the US. The web server in the UK only has a small 18 :)
James Ray wrote:
since everyone seems to be taking scores....
root@Inphinity:/usr/local/apache/logs# grep -i "default.ida" access_log | wc -l
141
That's on one of my boxes in the US. The web server in the UK only has a small 18 :)
hhmm I have a combined total of 45 on two web servers... I can't believe we are comparing crack attempts !!! Sz
Neill Newman wrote:
James Ray wrote:
since everyone seems to be taking scores....
root@Inphinity:/usr/local/apache/logs# grep -i "default.ida" access_log | wc -l
141
That's on one of my boxes in the US. The web server in the UK only has a small 18 :)
hhmm I have a combined total of 45 on two web servers... I can't believe we are comparing crack attempts !!! Sz
ArfArf! BUT... Think of the grief all those IIS machines are getting!
Cheers, Laurie.
Laurie Brown wrote:
hhmm I have a combined total of 45 on two web servers... I can't believe we are comparing crack attempts !!! Sz
ArfArf! BUT... Think of the grief all those IIS machines are getting!
imagine if we combined all the IP addresses from our logs, figured out who owns those machines, then send them flyers with "fed up with your IIS servers causing you problems, try the new improved linux/apache combo whizzy fast stable product from XYZ corp"...
might be worth a laugh ;)
[root@gateway httpd]# grep "default.ida" access_log | wc -l
0
[root@gateway httpd]#
I'm feeling left out, I don't have any *sobs* :-)
Chris
E Mail Chris@glovercc.clara.co.uk
WWW http://www.glovercc.clara.co.uk
ICQ 18054759
Someday, we'll look back on this, laugh nervously and change the subject. -Anon
-----Original Message-----
From: alug-admin@stu.uea.ac.uk [mailto:alug-admin@stu.uea.ac.uk]On Behalf Of Laurie Brown
Sent: 20 July 2001 13:29
To: Neill Newman
Cc: James Ray; alug@stu.uea.ac.uk
Subject: Re: [Alug] Watch as your apache logs grow!
Neill Newman wrote:
James Ray wrote:
since everyone seems to be taking scores....
root@Inphinity:/usr/local/apache/logs# grep -i "default.ida" access_log | wc -l
141
That's on one of my boxes in the US. The web server in the UK only has a small 18 :)
hhmm I have a combined total of 45 on two web servers... I can't believe we are comparing crack attempts !!! Sz
ArfArf! BUT... Think of the grief all those IIS machines are getting!
Cheers, Laurie.
Laurie Brown laurie@brownowl.com PGP key at http://pgpkeys.mit.edu:11371
alug, the Anglian Linux User Group list Send list replies to alug@stu.uea.ac.uk http://www.anglian.lug.org.uk/ http://rabbit.stu.uea.ac.uk/cgi-bin/listinfo/alug See the website for instructions on digest or unsub!
On Sat, Jul 21, 2001 at 10:58:26PM +0100, Chris Glover wrote:
[root@gateway httpd]# grep "default.ida" access_log | wc -l
0
[root@gateway httpd]#
I'm feeling left out, I don't have any *sobs* :-)
Chris
apparently the worm finished on the 19th, try grepping a rotated log - mine are now in access.log.0
Cheers,
Brett
On 20-Jul-01 oms101@freeuk.com wrote:
On 20-Jul-01 Brett Parker wrote:
Hi all,
Everyone musta heard by now about the nice new IIS worm that, once it's got the IIS server, attacks whitehouse.gov. Have a look in your apache logs and see how many times they've tried to attack you...
brett@dustpuppy:/var/log/apache$ grep "default.ida" access.log | wc -l
25
and that's on a 33.6 dialup machine ;)
Cheers,
Brett
cat /var/log/httpd/access_log | grep "default.ida" | wc -l
8
and that's on a 56 dialup machine
Owen
That's NTL in my case, their cache1.ntli.net, which to me looks as though that's the only site that's found me.
Owen
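
Added example, not part of any list member's post: a small shell script that runs the thread's grep count across several logs at once (current and rotated, or one per virtual host), then breaks the hits down by client address and reports the first and last probe. The log lines, addresses and temporary directory are constructed for illustration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise default.ida probes in Apache logs.

# Matching request lines from every log named on the command line.
ida_lines() { cat "$@" | grep -i 'default\.ida'; }

# Total probes, the same figure as the thread's grep | wc -l.
ida_count() { ida_lines "$@" | wc -l | tr -d ' '; }

# Hits per client address, busiest first, printed as "<count> <address>".
ida_sources() {
    ida_lines "$@" |
        awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# Timestamps of the first and last probe (logs must be given oldest first).
ida_window() {
    ida_lines "$@" |
        awk '{ t = substr($4, 2); if (first == "") first = t; last = t }
             END { if (first != "") print first, last }'
}

# Constructed sample logs: documentation addresses, query string shortened.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/access.log.0" <<'EOF'
192.0.2.10 - - [19/Jul/2001:16:40:12 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [19/Jul/2001:18:02:55 +0100] "GET /index.html HTTP/1.0" 200 1043
198.51.100.23 - - [19/Jul/2001:21:15:03 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [19/Jul/2001:23:58:41 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
EOF
cat > "$sample_dir/access.log" <<'EOF'
203.0.113.5 - - [20/Jul/2001:00:19:30 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [20/Jul/2001:09:11:02 +0100] "GET / HTTP/1.0" 200 1043
EOF

# Rotated log first, then the current one, so the window reads in time order.
set -- "$sample_dir/access.log.0" "$sample_dir/access.log"
echo "probes: $(ida_count "$@")"
echo "window: $(ida_window "$@")"
echo "sources:"
ida_sources "$@"
```

A source that accounts for most of the hits, such as an ISP's web cache, shows up at the top of the per-address list.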