I get strange entries in my error logs. Today 7 different hosts (different IP ranges) tried this URL ...? What's going on??
Any idea?
http://myIP/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
greets
ZYE
Sorgboi
08-02-2001, 08:30 AM
To be honest, I don't know a lot about this kind of stuff, but it looks like they tried to use an NT vulnerability... if you're running NT, now would be a good time to patch :stickout
Hope this helps
Sorg
Same thing happens to me 100 times a day. That is the Code Red worm. No need to worry if you don't run NT/2000.
There is also a vulnerability in NT and 2000 systems, like Sorgboi said; you can find more info here:
http://www.hideaway.net/newsletter/iis_ida_overflow.txt
http://www.astalavista.com/exploits/iis/buffer2.shtml
I wouldn't even bother to read it 'cause I hate Windows :D
OK, thanks to you all
:beer:
greets
ZYE
Cyberpunk
08-02-2001, 01:52 PM
Looks like about 20 attempts today.
One more reason not to host on NT :)
I didn't know what they were till I read this post, but I guessed they were dodgy.
Dexter
08-02-2001, 02:38 PM
Originally posted by bert
Same thing happens to me 100 times a day. That is the Code Red worm. No need to worry if you don't run NT/2000.
Wow, so that's what it is! I ran my logs yesterday and that showed up a good 150 times! Thought some hacker was trying to pull some sneaky s*** :)
Thank goodness we run Linux!
Yeah, it is crazy, and actually we traced a few IPs and they were from all kinds of places, from Korea to Brazil.
ckizer
08-02-2001, 03:32 PM
Guys, those requests are from the RedWorm! If you are patched, you have nothing to worry about.
Yeah, I've had some similar entries in my logfiles. MS IIS Indexing Service has files with the .ida extension. There is a flaw in the Indexing Service; unchecked buffers for URL requests, I think it is. So they try to produce a buffer overflow, then execute a command. In my logs the command was /winnt/system32/cmd.exe, and from there they would have complete control over the machine. Fortunately, even though my host runs WinNT, they seem to know what they are doing: they turn off the IIS Indexing Service, so none of the attempts have been successful.
Of course, the better solution is: don't run WinNT at all :). There is an interesting little article on the MandrakeSoft site (their bizcases or whatever they call them), a consultant saying, "all the calls for help I received today were from clients running WinNT, who were being attacked by the Code Red worm." The only time he gets calls from the Linux users is when their hardware fails :D
Donna
New Zealand Scenic Photos
http://donnamiller.net/
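As an added example (not code from the thread or from any poster), here is a small Python script that picks these worm probes out of Apache access-log lines by their shape: a request for /default.ida whose query string is a long run of filler characters followed by IIS-style %uHHHH escapes, exactly the form of the URL quoted at the top of the thread, plus the follow-up cmd.exe request Donna describes. The log lines, timestamps and IP addresses are constructed for the example, and the N-run is shortened; the %u sequence is the one from the quoted probe. The script also decodes the %u escapes into the bytes IIS would have placed in memory, so you can see the payload rather than its URL encoding.

```python
import re
from collections import Counter

# Constructed Apache common-log-format lines for this example (not real log data from
# the thread). The two /default.ida requests reproduce the shape of the probe quoted at
# the top of the thread, with the N-run shortened; the cmd.exe request stands in for the
# follow-up command Donna mentions seeing in her logs.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Aug/2001:08:12:31 +0200] "GET /default.ida?'
    'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
    '%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078'
    '%u0000%u00=a HTTP/1.0" 404 289',
    '198.51.100.42 - - [02/Aug/2001:09:03:12 +0200] "GET /index.html HTTP/1.1" 200 1534',
    '192.0.2.15 - - [02/Aug/2001:10:45:01 +0200] "GET /default.ida?'
    'NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
    '%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078'
    '%u0000%u00=a HTTP/1.0" 404 289',
    '203.0.113.7 - - [02/Aug/2001:11:20:44 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291',
]

# Common log format: client, ident, user, [timestamp], "METHOD path PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# The .ida probe: a request for default.ida whose query string is a long run of filler
# characters followed by IIS-style %uHHHH escapes. The thread's probe uses N as filler;
# X is accepted too, since a later variant of the worm used it.
IDA_PROBE_RE = re.compile(r'^/default\.ida\?[NX]{8,}(?:%u[0-9a-fA-F]{4})+', re.I)

# Follow-up attempt to run a shell on an already-compromised IIS host.
CMD_PROBE_RE = re.compile(r'/cmd\.exe', re.I)


def classify(path):
    """Return a probe class for a request path, or None for ordinary traffic."""
    if IDA_PROBE_RE.match(path):
        return "ida-overflow"
    if CMD_PROBE_RE.search(path):
        return "cmd-probe"
    return None


def decode_unicode_escapes(path):
    """Turn %uHHHH escapes into the bytes IIS would decode them to: each escape is a
    16-bit code unit, stored little-endian on x86, so %u6858 becomes 58 68."""
    return b"".join(
        int(h, 16).to_bytes(2, "little")
        for h in re.findall(r"%u([0-9a-fA-F]{4})", path)
    )


def scan(lines):
    """Parse log lines and return one record per probe hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line; skip rather than guess
        kind = classify(m["path"])
        if kind is None:
            continue
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "kind": kind,
            "status": int(m["status"]),
            "payload": decode_unicode_escapes(m["path"]) if kind == "ida-overflow" else b"",
        })
    return hits


def summarize(hits):
    """Counts per probe class and per source address."""
    return Counter(h["kind"] for h in hits), Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    by_kind, by_ip = summarize(hits)
    print("probe classes:", dict(by_kind))
    print("sources:", dict(by_ip))
    for h in hits:
        if h["kind"] == "ida-overflow":
            print(h["ip"], "payload starts", h["payload"][:8].hex(), "bytes:", len(h["payload"]))
```

To use it on a real server, replace SAMPLE_LOG with the lines of your access log (for example `scan(open("access_log"))`); the access log is the easier source because each line carries the full request including the query string. The decoded payload of the quoted probe begins 90 90 58 68 d3 cb 01 78: 0x90 is the x86 NOP, which is why the %u9090 runs look the way they do in the URL. On a non-IIS server every one of these requests is a 404 and nothing more, which is the point the other replies in the thread make.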
Still getting these queries (more than 7 a day) - wonder how long it takes till it ends???
Greets
:confused:
ZYE
It won't end until all infected NT servers on the Internet are patched and cleaned. This could take a while, because we all know people running NT servers are not real sysadmins anyway, so they probably don't even know about it :)
Steve
Years to come with ****ed-up error logs :-(
doh
Why do you guys care so much about these errors? They mean nothing to us. Let the Windows people worry about it!
Just my 2 cents. ;)
bluerain
08-04-2001, 08:15 PM
Yay! I've been wondering what was up with all those requests in my access logs.
Cyberpunk
08-04-2001, 09:47 PM
Originally posted by Keeg
It won't end until all infected NT servers on the Internet are patched and cleaned. This could take a while, because we all know people running NT servers are not real sysadmins anyway, so they probably don't even know about it :)
Steve
It's been kicking my door regularly for the last 4 days.
Even though we're in *ix, does anyone know a good way of denying requests like these without having root access to a server?
creepcolony
08-04-2001, 10:45 PM
Originally posted by bluerain
Yay! I've been wondering what was up with all those requests in my access logs.
ditto!
Originally posted by Cyberpunk
It's been kicking my door regularly for the last 4 days.
Even though we're in *ix, does anyone know a good way of denying requests like these without having root access to a server?
I don't think you can deny these requests at all, even if you had root access, just because they come from all over and with different IPs every time.