Re: default.ida?X

[Robert Vangel <vangelr@rfgt.net>]

[-- Attachment #1: Type: text/plain, Size: 1666 bytes --]

Brent Clark wrote:
> Hi list
> 
> Its days like this I get so excited and I know that Im going to learn 
> something more about security.
> 
> This morning in my apache logs I saw this.
> 
> 61.185.21.74 - - [02/Jun/2005:16:58:31 +0200] "GET 
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
> HTTP/1.0" 403 286 "-" "-" "-"
> 
> My google shows its an IIS exploit.
> (http://www.thesitewizard.com/news/coderediiworm.shtml)
> I like the part that says:
> If your website is on a (say) Unix or Linux system, running the Apache 
> web server, your server is probably safe, since the worm actually 
> exploits vulnerabilities in the IIS server that are not present in 
> Apache. However, don't relax just yet.
> 
> Anyway I  dont run IIS
> 
> But just in case of security and future tips / advice for using iptables.
> 
> If anyone has anything to share, it would be most appreciated.
> 
> Kind Regards
> Brent Clark
> 
> 
> 

I get this alot, and I suspect many other's do. I assume it's just 
random bots selecting sites from various places (google?) and trying 
their luck.

A couple of times I have successfully emailed the abuse email for the 
subnet the IP is part of and they have been able to fix the box(es) at 
problem.

Most of the time thought I just add the IP to a blacklist for around a 
week and see how it goes after then.

[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/x-pkcs7-signature, Size: 3166 bytes --]