Linux Netfilter discussions
* default.ida?X
From: Brent Clark @ 2005-06-03  7:56 UTC (permalink / raw)
  To: iptables

Hi list

It's days like this I get so excited, and I know that I'm going to learn 
something more about security.

This morning in my apache logs I saw this.

61.185.21.74 - - [02/Jun/2005:16:58:31 +0200] "GET 
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
HTTP/1.0" 403 286 "-" "-" "-"

My Google search shows it's an IIS exploit.
(http://www.thesitewizard.com/news/coderediiworm.shtml)
I like the part that says:
If your website is on a (say) Unix or Linux system, running the Apache 
web server, your server is probably safe, since the worm actually 
exploits vulnerabilities in the IIS server that are not present in 
Apache. However, don't relax just yet.

Anyway, I don't run IIS.

But just in case, for security, and for future tips / advice on using iptables.

If anyone has anything to share, it would be most appreciated.

Kind Regards
Brent Clark





* Re: default.ida?X
From: Robert Vangel @ 2005-06-03 10:30 UTC (permalink / raw)
  To: iptables


Brent Clark wrote:
> Hi list
> 
> It's days like this I get so excited, and I know that I'm going to learn 
> something more about security.
> 
> This morning in my apache logs I saw this.
> 
> 61.185.21.74 - - [02/Jun/2005:16:58:31 +0200] "GET 
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
> HTTP/1.0" 403 286 "-" "-" "-"
> 
> My Google search shows it's an IIS exploit.
> (http://www.thesitewizard.com/news/coderediiworm.shtml)
> I like the part that says:
> If your website is on a (say) Unix or Linux system, running the Apache 
> web server, your server is probably safe, since the worm actually 
> exploits vulnerabilities in the IIS server that are not present in 
> Apache. However, don't relax just yet.
> 
> Anyway, I don't run IIS.
> 
> But just in case, for security, and for future tips / advice on using iptables.
> 
> If anyone has anything to share, it would be most appreciated.
> 
> Kind Regards
> Brent Clark
> 
> 
> 

I get this a lot, and I suspect many others do. I assume it's just 
random bots selecting sites from various places (Google?) and trying 
their luck.

A couple of times I have successfully emailed the abuse address for the 
subnet the IP is part of and they have been able to fix the box(es) 
causing the problem.

Most of the time though I just add the IP to a blacklist for around a 
week and see how it goes after that.


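As an added example (not code from either poster), the following script ties the two messages together: it parses Apache combined-format log lines, flags requests for `/default.ida?` that carry `%uXXXX` escapes (the Code Red signature quoted above, which Apache has no handler for and simply rejects), counts probes per source address, and drafts the temporary iptables DROP rules Robert describes, tagging each with an expiry date one week out so the block can be lifted later. The log lines are constructed sample data (the first mirrors the thread's request with the filler shortened); the rule format, the `-m comment` tag and the one-week window are assumptions for illustration, not anything prescribed on the list.

```python
"""Flag Code Red-style /default.ida probes in Apache logs and draft a
temporary iptables blacklist for the source addresses."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache combined format. The first mirrors the
# request quoted in the thread (payload shortened); the rest are constructed
# benign traffic, a second probe from another address, and an unparseable line.
SAMPLE_LOG = """\
61.185.21.74 - - [02/Jun/2005:16:58:31 +0200] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 403 286 "-" "-" "-"
192.0.2.10 - - [02/Jun/2005:17:01:02 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
61.185.21.74 - - [02/Jun/2005:17:05:44 +0200] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 403 286 "-" "-" "-"
198.51.100.7 - - [02/Jun/2005:17:09:10 +0200] "GET /default.ida?XXXX%u9090%u00=a HTTP/1.0" 404 210 "-" "-" "-"
garbage line that does not parse
"""

# Apache combined log: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Code Red targets the IIS .ida ISAPI extension with a long filler string
# followed by %uXXXX escapes. Apache serves no .ida handler, so any such
# request is a probe regardless of the status code returned.
PROBE_RE = re.compile(r'^/default\.ida\?.*%u[0-9a-fA-F]{4}', re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip, time, path, status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_code_red_probe(path):
    """True when the request path matches the /default.ida + %u escape signature."""
    return PROBE_RE.match(path) is not None


def scan(log_text):
    """Count /default.ida probes per source address, skipping unparseable lines."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_code_red_probe(rec["path"]):
            hits[rec["ip"]] += 1
    return hits


def blacklist_rules(hits, days=7, now=None):
    """Draft one DROP rule per probing address (most active first), tagged with
    an expiry date so the week-long block can be removed on schedule.
    The -m comment tag is an assumed convention for tracking the rules."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=days)).strftime("%Y-%m-%d")
    rules = []
    for ip, n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
        rules.append(
            f'iptables -I INPUT -s {ip} -m comment '
            f'--comment "default.ida probes:{n} expires:{expires}" -j DROP'
        )
    return rules


def rules_for_sample():
    """Rules for SAMPLE_LOG with a fixed clock (2005-06-03) so output is repeatable."""
    fixed_now = datetime(2005, 6, 3, tzinfo=timezone.utc)
    return blacklist_rules(scan(SAMPLE_LOG), days=7, now=fixed_now)


if __name__ == "__main__":
    for ip, n in scan(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} probe(s)")
    for rule in rules_for_sample():
        print(rule)
```

The script only prints the rules; applying them is a deliberate separate step. Matching on the request path rather than on the 403 status matters because the status depends on local Apache configuration, while the `/default.ida?` plus `%u` pattern is the worm's fingerprint. The expiry comment gives a later cron job or a manual `iptables -L INPUT --line-numbers` pass something to key on when the week is up.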
