MikeM
11-11-2002, 07:21 PM
20021111 054148 210.56.13.27, , , GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%u
I found this in my mail server access log...
Imail 6
Any idea what it is??
MikeM
11-11-2002, 07:24 PM
Mods, please remove this post. I got the answer.
http://www.apacheweek.com/features/codered
Thanks.
beachtrader
11-11-2002, 10:52 PM
This was my very first log entry in our newest server setup.
skelley1
11-11-2002, 11:18 PM
One thing to keep in mind even if you have a Linux server: this Code Red will probably hit you a lot.
Each time it hits, your server will probably return a 404 since it doesn't have a default.ida file (if you have Linux). If your 404 page is custom, it could start eating into your bandwidth transfer allocation over time.
To alleviate this, create a blank default.ida page and put it up on your web site, so that when those Code Red servers hit you, you basically send nothing back. They're on autopilot and on Windows servers all over the world.
MikeM
11-11-2002, 11:49 PM
OK, maybe this time I have something legitimate.
As per the article above:
Requests for cmd.exe in various directories. These are usually attempts to exploit various security vulnerabilities that affect Microsoft IIS servers.
I am also seeing:
20021110 073626 208.45.114.210, , , GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1
This is a mail server and does not run IIS... Should I be concerned? It's NT 4 Service Pack 6, IMail 6.
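A check over the two kinds of request quoted in this thread, added here as an example and not code from the thread or from any of the posters. It takes lines in the IIS-style "date time client-ip, , , request" layout shown above (the sample lines below are constructed; the addresses and times are made up), flags the Code Red pattern (a request for default.ida with a long run of N or X characters followed by %u-encoded bytes), and decodes the path twice the way the `..%255c..%255c` request relies on: `%255c` decodes to `%5c`, and `%5c` decodes to `\`, so a server that checks the path after one decode and uses it after a second one walks out of the scripts directory into winnt\system32. The `%c0%af` overlong-UTF-8 mapping, the verdict labels and the log regex are my assumptions, chosen to match the lines in the thread.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in the IIS-style layout quoted in the thread.
# Addresses and timestamps are made up for the example.
SAMPLE_LOG = """\
20021111 054148 192.0.2.10, , , GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0
20021110 073626 192.0.2.11, , , GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1
20021110 073630 192.0.2.11, , , GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0
20021110 080000 192.0.2.12, , , GET /index.html HTTP/1.1
20021110 080005 192.0.2.13, , , GET /scripts/report.asp?id=%255c HTTP/1.1
"""

# Assumed layout: "YYYYMMDD HHMMSS client-ip, , , METHOD url [HTTP/x.y]"
LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{6}) (?P<ip>[\d.]+), , , "
    r"(?P<method>[A-Z]+) (?P<url>\S+)(?: (?P<proto>HTTP/[\d.]+))?$"
)

# Overlong UTF-8 encodings of '/' and '\' that unpatched IIS 4/5 accepted
# (the "Web Server Folder Traversal" issue). Assumed mapping for this example.
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}

# Code Red style probe: default.ida, a long run of N or X, then %u-encoded bytes.
CODE_RED_RE = re.compile(r"^/default\.ida\?[nx]{16,}.*%u[0-9a-f]{4}")


def normalize_path(url):
    """Decode the path part the way a doubly-decoding server would see it."""
    path = url.split("?", 1)[0]
    for enc, ch in OVERLONG.items():
        path = re.sub(re.escape(enc), lambda _m, c=ch: c, path, flags=re.IGNORECASE)
    # Two decode passes: "%255c" -> "%5c" -> "\". The request is built so that
    # the first pass looks harmless and the second pass produces the separator.
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/")


def resolve(path):
    """Collapse '..' segments; report whether the path climbed above its root."""
    segs, escaped = [], False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            else:
                escaped = True  # went above the virtual directory's own root
            continue
        segs.append(seg)
    return segs, escaped


def classify(url):
    """Return an assumed verdict label for one request URL."""
    low = url.lower()
    if CODE_RED_RE.match(low):
        return "code-red"
    segs, escaped = resolve(normalize_path(low))
    if escaped and segs and segs[-1] == "cmd.exe":
        return "traversal-cmd.exe"
    if escaped:
        return "traversal"
    return "benign"


def scan(log_text):
    """Return (client-ip, verdict, url) for every non-benign request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify(m["url"])
        if verdict != "benign":
            hits.append((m["ip"], verdict, m["url"]))
    return hits


if __name__ == "__main__":
    for ip, verdict, url in scan(SAMPLE_LOG):
        print(f"{ip:15} {verdict:18} {url[:60]}")
```

The point of resolving the path rather than grepping for `cmd.exe` is that the last sample line, a query string that happens to contain `%255c`, stays benign, while both traversal encodings (the double-encoded backslash and the overlong slash) collapse to the same `/winnt/system32/cmd.exe` target that climbed out of `/scripts`. Whether the request can do anything depends on what is listening on port 80; the thread's original poster had no web server there, so the lines are scanner noise, but the same script run on an IIS log tells you which hosts were actually probed.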
neonlexx
11-12-2002, 12:34 AM
There is no need to be alarmed; this is a dumb hacker trying to send GET requests to a mail server... you shouldn't be worried unless you are running IIS.
GET is a command used to serve up HTML pages.
This also appears to be an old and outdated exploit, so even if you are running IIS and it's updated... no worries.
yellow_belly
11-12-2002, 05:09 AM
Originally posted by neonlexx:
There is no need to be alarmed, this is a dumb hacker trying to send GET requests to an mail server......you shouldnt be worried unless you are running IIS.
I could understand if this was on port 80, but I cannot understand why he is getting it on port 25 though :confused:
YB
beachtrader
11-12-2002, 07:45 AM
It's probably just an automated script sending the code whenever it finds a computer/server.
questing
11-12-2002, 02:17 PM
Running IIS Lockdown and URLScan will block most of these before they ever hit your logs.
http://support.microsoft.com/default.aspx?scid=kb;en-us;325864
Ann