Brent Clark wrote:
Hi listIts days like this I get so excited and I know that Im going to learn something more about security.This morning in my apache logs I saw this.61.185.21.74 - - [02/Jun/2005:16:58:31 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 403 286 "-" "-" "-"My google shows its an IIS exploit. (http://www.thesitewizard.com/news/coderediiworm.shtml) I like the part that says:If your website is on a (say) Unix or Linux system, running the Apache web server, your server is probably safe, since the worm actually exploits vulnerabilities in the IIS server that are not present in Apache. However, don't relax just yet.Anyway I dont run IIS But just in case of security and future tips / advice for using iptables. If anyone has anything to share, it would be most appreciated. Kind Regards Brent Clark
I get this alot, and I suspect many other's do. I assume it's just random bots selecting sites from various places (google?) and trying their luck.
A couple of times I have successfully emailed the abuse email for the subnet the IP is part of and they have been able to fix the box(es) at problem.
Most of the time thought I just add the IP to a blacklist for around a week and see how it goes after then.
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature