Web Hosting Talk

View Full Version : Online 4 hours - already scanned!


thewitt
11-24-2001, 12:24 AM
So, my IP address on my new virtual server has been active for all of 4 hours, and already I've been scanned for one of the IIS vulnerabilities!

140.131.111.156 - - [23/Nov/2001:21:52:33 -0500] "GET /scripts/root.exe?/c+dir 2
140.131.111.156 - - [23/Nov/2001:21:52:37 -0500] "GET /MSADC/root.exe?/c+dir HT0
140.131.111.156 - - [23/Nov/2001:21:52:40 -0500] "GET /c/winnt/system32/cmd.exe0
140.131.111.156 - - [23/Nov/2001:21:52:41 -0500] "GET /d/winnt/system32/cmd.exe0
140.131.111.156 - - [23/Nov/2001:21:52:41 -0500] "GET /scripts/..%255c../winnt/4
140.131.111.156 - - [23/Nov/2001:21:52:45 -0500] "GET /_vti_bin/..%255c../..%251
140.131.111.156 - - [23/Nov/2001:21:52:45 -0500] "GET /_mem_bin/..%255c../..%251
140.131.111.156 - - [23/Nov/2001:21:52:49 -0500] "GET /msadc/..%255c../..%255c.7

Unbelievable!

-t
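The log excerpt in the post above can be triaged automatically. This is an added example, not part of the original thread: it flags the three probe shapes visible there (requests for root.exe or cmd.exe, and `..%255c..` double-encoded traversal) and groups them by client. The sample lines, labels and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache common log format (not the poster's log). Paths
# reuse only what is visible in the post; client IPs are documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [23/Nov/2001:21:52:33 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [23/Nov/2001:21:52:40 -0500] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 218
192.0.2.10 - - [23/Nov/2001:21:52:41 -0500] "GET /scripts/..%255c../winnt/ HTTP/1.0" 404 232
198.51.100.7 - - [23/Nov/2001:21:53:02 -0500] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [23/Nov/2001:21:53:05 -0500] "GET /docs/cmd.exe.html HTTP/1.0" 200 512
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} ')
SHELL_BINARIES = {"root.exe", "cmd.exe"}  # file names requested in the post

def fully_decode(path, max_rounds=5):
    """Percent-decode until the value stops changing (%255c -> %5c -> backslash)."""
    for _ in range(max_rounds):
        path, prev = unquote(path), path
        if path == prev:
            break
    return path

def classify(raw_path):
    """Return the probe labels matched by one request path (empty set if benign)."""
    labels = set()
    once = unquote(raw_path)
    if unquote(once) != once:  # a second decoding round still changes the value
        labels.add("double-encoded")
    path = fully_decode(raw_path.split("?", 1)[0]).replace("\\", "/").lower()
    segments = path.split("/")
    if ".." in segments:
        labels.add("traversal")
    if segments[-1] in SHELL_BINARIES:  # exact name, so cmd.exe.html is not flagged
        labels.add("shell-binary")
    return labels

def scan(log_text):
    """Group flagged requests by client IP: {ip: {"hits": n, "labels": set}}."""
    report = defaultdict(lambda: {"hits": 0, "labels": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # truncated or malformed line: nothing reliable to classify
        labels = classify(m.group(2))
        if labels:
            report[m.group(1)]["hits"] += 1
            report[m.group(1)]["labels"] |= labels
    return dict(report)
```

Calling `scan(SAMPLE_LOG)` reports only 192.0.2.10, with three hits; the ordinary visitor requesting `/docs/cmd.exe.html` is not flagged because the file name is matched exactly rather than as a substring.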

alchiba
11-24-2001, 12:45 AM
Face it, you're popular! :)

Lawrence
11-24-2001, 01:21 AM
My PC gets scanned all the time - whenever I'm working on some scripts with Apache running. Scared me a few times, but now it just happens so much that I've grown used to it.

But yeah, they're certainly quick to get a hold of anything new. It usually takes 20 minutes to an hour for them to find me.

dbzgod
11-24-2001, 02:08 AM
Wow, that quick??

slade
11-24-2001, 02:51 PM
You have to remember though, most, if not all of these scans are automated.

The particular hit you are referring to is based on a random IP address range the virus chose when it started its attacks.

thewitt
11-24-2001, 03:45 PM
Originally posted by slade:
You have to remember though, most, if not all of these scans are automated.

The particular hit you are referring to is based on a random IP address range the virus chose when it started its attacks.

Yeah, I know. It just seemed like an interesting lesson in webhost security. If I were bringing up an IIS server - which I would never do! - it could be compromised long before anyone officially knew about the server. I don't think people realize this kind of attack attempt is so widespread and every server is hit - even those online for only a couple hours!

-t

akashik
11-25-2001, 02:05 AM
The first time I saw a port sentry log I almost crawled out of my skin. Now it's just an annoyingly long e-mail I delete after a quick look through... :)

Greg Moore