Posted to users@httpd.apache.org by Ven <ve...@yahoo.com> on 2002/09/03 16:24:51 UTC

[users@httpd] Disturbing: speed of Probing by IIS webservers (nimda?)

hi all,

After last week's fight with my webserver and finally getting it good to go due
to simple upgrade of my router firmware (bangs head against wall), I am finding
some disturbing trends in the accesslog.

Every time I start the server, I get those hits of the type of "GET ....
cmd.exe" - which, after a bit of searching the web, I understood to be
nimda/code red infected IIS webservers.

That doesn't really bother me since everyone says apache is unaffected. What
DOES bother me is how it found me: no one knows I have a webserver. Thus far it
is a personal webserver for no other use than to learn. So you couldn't just
"happen" to come across the website since nothing really knows or links to it.
So how is this IIS webserver or whatever it is getting to know that my http
port is open? Because within 2-15 minutes of starting the webserver, I get hits
for a cmd.exe from one of these infected servers.
How in the world did it know I was online??
Is it because I already have something (virus?) that is breaching the security
and letting this server know of my ip-address whereabouts?
I have zonealarm on the windows side and my router will not respond to any WAN
requests (pings etc don't get a response).
Whatever it is that tries to get at the cmd.exe on my computer is pretty
impressive if the response time is that quick on a "blind" probing.

Any ideas/thoughts?

Ven


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Disturbing: speed of Probing by IIS webservers (nimda?)

Posted by Jacob Coby <jc...@listingbook.com>.
> Any ideas/thoughts?

Are you on a cable modem?  IIRC, nimda and variants 'know' about blocks of
IP addresses where they are likely to find a host.  Cable IPs I would think
are a fine candidate.

I wouldn't worry about it, my personal webserver gets the same things, and
more often than the servers here at work.

If it's a large corporation's server attacking me, repeatedly, I'll send an
email to the register's email address telling them to knock it off.  I had
two servers from a major tobacco company attack the servers every hour or so
for about a week.  I got real tired of that :)

-Jacob
http://www.listingbook.com




Re: [users@httpd] Size of Apache in memory

Posted by Duncan Brannen <db...@st-andrews.ac.uk>.
At 11:17 03/09/2002 -0400, you wrote:

> > Is this normal?  It seems a huge jump from the 7M of the standard install.
> > If not - any thoughts on what I may have done or what I can do to reduce
> > the size.  The Netra it's running on has been upgraded to have 1G of RAM
> > but it's going to be hit heavily again at the start of term & I'd like it
> > not to go splat.
>
>have you checked out MaxRequestsPerChild?


Cheers,
         Yes, I have this at 0 on the main server & it seems to behave
but it's set at 10000 on this one & the memory usage is from startup.

It's doing some database queries but they should be fairly simple.

         Dunk




These opinions are mine, not those of the University of St. Andrews
The University's opinion is that I should be getting on with my work.




Re: [users@httpd] Size of Apache in memory

Posted by Jacob Coby <jc...@listingbook.com>.
> Is this normal?  It seems a huge jump from the 7M of the standard install.
> If not - any thoughts on what I may have done or what I can do to reduce
> the size.  The Netra it's running on has been upgraded to have 1G of RAM
> but it's going to be hit heavily again at the start of term & I'd like it
> not to go splat.

have you checked out MaxRequestsPerChild?

# MaxRequestsPerChild: the number of requests each child process is
# allowed to process before the child dies.  The child will exit so
# as to avoid problems after prolonged use when Apache (and maybe the
# libraries it uses) leak memory or other resources.  On most systems, this
# isn't really needed, but a few (such as Solaris) do have notable leaks
# in the libraries. For these platforms, set to something like 10000
# or so; a setting of 0 means unlimited.

73mb per process seems absurd, unless you are doing huge db queries that
require several results to be stored in memory at one time.

-Jacob
http://www.listingbook.com




[users@httpd] Size of Apache in memory

Posted by Duncan Brannen <db...@st-andrews.ac.uk>.

Hi All,
         Anybody out there running Apache 1.3.26 on Solaris 8 with SSL?  We've
got a few servers around campus and one of them died recently while spouting
cannot fork process messages.  It looks like it ran out of memory & running top
or ps shows apache with SSL fast cgi, mod_python and auth_ldap using 73M of ram
per server process, our main web server with just auth_ldap is using 7M and a
3rd server running apache, auth_ldap and SSL using 34M

Looks like there's been a mention of this recently but..

Is this normal?  It seems a huge jump from the 7M of the standard install.
If not - any thoughts on what I may have done or what I can do to reduce the
size.  The Netra it's running on has been upgraded to have 1G of RAM but it's
going to be hit heavily again at the start of term & I'd like it not to go
splat.


Cheers,
         Duncan




These opinions are mine, not those of the University of St. Andrews
The University's opinion is that I should be getting on with my work.




Re: [users@httpd] Disturbing: speed of Probing by IIS webservers (nimda?)

Posted by Jacob Coby <jc...@listingbook.com>.
ln -s /dev/random cmd.exe

also known as "how to totally fill your upload bandwidth"

Maybe, if you're lucky, it will cause a buffer overrun and crash the
offending server. ;)

----- Original Message -----
From: "Ven" <ve...@yahoo.com>
To: <us...@httpd.apache.org>
Sent: Tuesday, September 03, 2002 12:50 PM
Subject: Re: [users@httpd] Disturbing: speed of Probing by IIS webservers (nimda?)


> Thanks guys, that does put the issue in new light. I can see how these things
> can be so fast (buggers!). I am on a dsl line. maybe I am going to create a
> file called cmd.exe - which is just a 10GB file with utter crap in it..naah..


Re: [users@httpd] Disturbing: speed of Probing by IIS webservers (nimda?)

Posted by Ven <ve...@yahoo.com>.
Thanks guys, that does put the issue in new light. I can see how these things
can be so fast (buggers!). I am on a dsl line. maybe I am going to create a
file called cmd.exe - which is just a 10GB file with utter crap in it..naah.. 


--- "J. Greenlees" <ja...@shaw.ca> wrote:
> yup, they are nimda / code red attacks, but don't get too complacent
> with apache, there have been 7 virus attacks on *nix systems this year,
> seems that someone is now trying to hack past the *nix security, so these
> will be able to get past most software security, possibly including apache.
> just a heads up, may want to start looking at av ware for *nix systems also.


Re: [users@httpd] Disturbing: speed of Probing by IIS webservers (nimda?)

Posted by "J. Greenlees" <ja...@shaw.ca>.
yup, they are nimda / code red attacks, but don't get too complacent
with apache, there have been 7 virus attacks on *nix systems this year,
seems that someone is now trying to hack past the *nix security, so these
will be able to get past most software security, possibly including apache.
just a heads up, may want to start looking at av ware for *nix systems also.

John Elkins wrote:

>Even if you're not on a cable modem -- say a dialup that's permanently
>connected, the virus can find you.  Consider this:
>
>The virus spreads so there are thousands of infected machines out there
>looking to infect new machines.
>A given ISP probably has a block of addresses.  Once a machine is infected,
>it knows its own address and it can go searching for more vulnerable servers
>in the same block of addresses.
>It's very easy to write a program to scan IP addresses looking for a port
>80.
>
>This happened to me on a personal web server that shouldn't be known
>anywhere else, but my "public" web server is in the same block of addresses.


RE: [users@httpd] Disturbing: speed of Probing by IIS webservers (nimda?)

Posted by John Elkins <jo...@vermontdatabase.com>.
Even if you're not on a cable modem -- say a dialup that's permanently
connected, the virus can find you.  Consider this:

The virus spreads so there are thousands of infected machines out there
looking to infect new machines.
A given ISP probably has a block of addresses.  Once a machine is infected,
it knows its own address and it can go searching for more vulnerable servers
in the same block of addresses.
It's very easy to write a program to scan IP addresses looking for a port
80.

This happened to me on a personal web server that shouldn't be known
anywhere else, but my "public" web server is in the same block of addresses.

j

John Elkins
Web and Database Technologies.  Storage Systems
Vermont Database Corporation
400 Upper Hollow Hill Road
Stowe VT  05672-4510 USA
802-249-0914; 775-822-2568 (FAX); 802-253-4146 (residence)
john@vermontdatabase.com <ma...@vermontdatabase.com>
www.vermontdatabase.com <http://www.vermontdatabase.com>
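
Added example, not part of the original thread and not code from any poster: a Python check for the pattern discussed here. It scans Common Log Format lines for worm probe paths, reports how soon after server start the first probe arrived, and lists probing sources inside the server's own address block (the same-block scanning described in the post above). The log lines, addresses, start time, the /16 block size and the signature list beyond cmd.exe are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Request paths used by the IIS worms of that era. "cmd.exe" is the one quoted
# in the thread; root.exe (Nimda) and default.ida (Code Red) are added here.
PROBE_RE = re.compile(r"(cmd\.exe|root\.exe|default\.ida)", re.IGNORECASE)

# Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (private and documentation addresses, invented times).
SAMPLE_LOG = """\
10.20.7.91 - - [03/Sep/2002:10:07:12 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
10.20.7.91 - - [03/Sep/2002:10:07:13 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 275
198.51.100.23 - - [03/Sep/2002:10:09:40 -0400] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 271
10.20.113.5 - - [03/Sep/2002:10:15:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 273
192.0.2.10 - - [03/Sep/2002:10:16:30 -0400] "GET /index.html HTTP/1.1" 200 1456
this line is truncated and must be skipped
"""
# Assumed moment the web server was started (constructed value).
SERVER_START = datetime.strptime("03/Sep/2002:10:05:00 -0400", TS_FORMAT)


def parse_line(line):
    """Return (host, timestamp, request, status) or None if the line is unusable."""
    m = CLF_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        # Lines logged with a hostname (HostnameLookups On) are skipped here.
        host = ipaddress.ip_address(m["host"])
    except ValueError:
        return None
    return host, ts, m["req"], int(m["status"])


def summarize_probes(lines, server_ip, server_start, prefix_len=16):
    """Summarize worm probes: volume, locality and delay after server start."""
    own_block = ipaddress.ip_network(f"{server_ip}/{prefix_len}", strict=False)
    sources = Counter()
    first_probe = None
    served = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, ts, req, status = parsed
        if not PROBE_RE.search(req):
            continue
        sources[host] += 1
        if first_probe is None or ts < first_probe:
            first_probe = ts
        # A 2xx/3xx answer means a file is actually being served for a probe
        # path, so the probe costs upload bandwidth instead of a small 404.
        if status < 400:
            served.append((str(host), req))
    delay = None
    if first_probe is not None:
        delay = (first_probe - server_start).total_seconds()
    return {
        "probes": sum(sources.values()),
        "sources": len(sources),
        "same_block_sources": sorted(str(h) for h in sources if h in own_block),
        "seconds_to_first_probe": delay,
        "served": served,
    }


if __name__ == "__main__":
    report = summarize_probes(SAMPLE_LOG.splitlines(), "10.20.30.40", SERVER_START)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample, two of the three probing sources sit in the server's own /16 and the first probe arrives about two minutes after start, which matches the 2-15 minute window reported in the original post.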



