Re: Presentation

--- Received from VITEUR.BUNTERMA 04 72 96 57 77 08/10/02 14.44

I did a quick Google of /scripts/root.exe?/c+dir HTTP/1.0" 404 310 and got back
some mails that said it was Nimda.

See

http://www.counterpane.com/alert-nimda.html

for more info.

Rgs,

Matt

-------------------------------------------------------------------------------

Date: Tue, 8 Oct 2002 18:25:19 +0530
Subject: Re: Presentation


If your logrotate is running properly you should not have to worry about your
disk getting filled up, as the logs will be removed after some time.
I guess you are also running a web server on your machine or in your network.
Make sure that you have installed the latest version of the server with all
the security patches applied.
Regards,
Dharmendra.T
Linux Security Expert
www.nsecure.net
dharmu@nsecure.net

On Tuesday 08 October 2002 17:45, Joaquin Durand Gomez wrote:
> Hello to everyone.
>
> This is my first post in this list and let me introduce myself.
> My name is Joaquin Durand. I've installed a PC with RedHat 7.2 in order
> to experiment and learn a little. I have little experience with unix
> systems.
>
> So far everything is OK with my RedHat server, I successfully installed
> IP Masquerade following the instructions in the "Linux IP Masquerade
> HOWTO" and I'm sharing my DSL with a Mac and a Windows PC.
>
> Since then, I'm getting constantly these in the messages log:
>
> Oct  7 20:59:16 Linolio kernel: IN=ppp0 OUT= MAC= SRC=64.172.120.252 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=50988 PROTO=UDP SPT=1025 DPT=137 LEN=58
> Oct  7 21:03:32 Linolio kernel: IN=ppp0 OUT= MAC= SRC=61.99.136.75 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=107 ID=63978 PROTO=UDP SPT=1027 DPT=137 LEN=58
> Oct  7 21:04:46 Linolio kernel: IN=ppp0 OUT= MAC= SRC=210.178.168.234 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=106 ID=54964 PROTO=UDP SPT=1026 DPT=137 LEN=58
> Oct  7 21:05:46 Linolio kernel: IN=ppp0 OUT= MAC= SRC=210.221.225.151 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=6399 PROTO=UDP SPT=1026 DPT=137 LEN=58
> Oct  7 21:06:05 Linolio kernel: IN=ppp0 OUT= MAC= SRC=163.180.21.160 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=106 ID=4819 PROTO=UDP SPT=1043 DPT=137 LEN=58
>
> Also I get these in Apache's access_log:
>
> 218.4.59.220 - - [06/Oct/2002:22:44:49 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a  HTTP/1.0" 400 352
> pd9ebef87.dip.t-dialin.net - - [07/Oct/2002:00:54:18 -0600] "HEAD / HTTP/1.0" 200 0
> ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:00 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 310
> ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:02 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 308
> ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:04 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318
>
> The origin IP changes all the time. I'm a little worried about the
> security of my server. It seems that somebody is trying to get access
> through the web server but using Windows commands  :-D  (hahaha)
> But my concern is about the messages log, I don't know how to interpret
> the log and I'm afraid that someone is trying to break in.
>
> Could somebody guide me and tell me what to do in order to make sure my
> server is secure?
> Thank you very much.
>
> - Joaquin!
>
> ------------------------------------------------------------------------
>      To unsubscribe email security-discuss-request@linuxsecurity.com
>          with "unsubscribe" in the subject of the message.

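Added example for this thread (not code from any of the posters, and not from the Counterpane alert Matt links): a small Python classifier for the two kinds of log line quoted above, so the UDP/137 firewall hits in the messages log and the IIS worm probes in access_log can be parsed, labelled and counted, and separated from anything that actually got a 2xx. The sample lines are reconstructed from Joaquin's post (the long Code Red URI is shortened). The label names, the signature list, and the hop-count heuristic (which assumes a Windows sender with an initial TTL of 128) are this example's own assumptions, not anything the thread states.

```python
# Added example for this thread (not code from any of the posters): parse the
# iptables LOG lines from /var/log/messages and the Apache access_log lines
# Joaquin posted, label each with what it is, and count them.
import re
from collections import Counter

# iptables LOG target output as written by a 2.4 kernel. Only the fields the
# classifier needs are captured; SPT/DPT are absent for ICMP, hence optional.
KERNEL_RE = re.compile(
    r"kernel: IN=(?P<iface>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) .*?TTL=(?P<ttl>\d+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Apache common log format. The request line is allowed more than one space
# before the HTTP version because the Code Red probe carries two.
APACHE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?:\s+(?P<version>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Request-path signatures (labels are this example's own). Code Red hits the
# IIS .ida ISAPI overflow; Nimda looks for the root.exe backdoor that Code Red
# II left behind and for cmd.exe through the IIS unicode / double-decode
# directory traversal bugs. Order matters: root.exe is checked before cmd.exe.
WEB_SIGNATURES = (
    ("code-red .ida overflow probe", re.compile(r"^/default\.ida\?")),
    ("nimda root.exe backdoor probe", re.compile(r"/root\.exe", re.I)),
    ("nimda cmd.exe traversal probe", re.compile(r"cmd\.exe|%c0%af|%c1%1c|%255c", re.I)),
)


def classify_kernel(line):
    """Return a dict for an iptables LOG line, or None if it is not one."""
    m = KERNEL_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    label = "unclassified firewall hit"
    if f["proto"] == "UDP" and f["dpt"] == "137":
        label = "netbios-ns probe (udp/137)"
    elif f["proto"] == "TCP" and f["dpt"] in ("139", "445"):
        label = "smb probe"
    # Assumption: a Windows sender starts at TTL 128, so 128 - TTL is the hop
    # count. Every TTL in the post (106..113) is consistent with that.
    ttl = int(f["ttl"])
    f["hops_if_windows"] = 128 - ttl if 64 < ttl <= 128 else None
    f["label"] = label
    return f


def classify_apache(line):
    """Return a dict for an access_log line, or None if it does not parse."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    f["label"] = "ordinary request"
    for name, rx in WEB_SIGNATURES:
        if rx.search(f["path"]):
            f["label"] = name
            break
    # A 400/404 for a worm path is noise on Apache. A 2xx for one of these
    # paths would mean something answered it, which is worth an alert.
    f["served"] = f["label"] != "ordinary request" and f["status"].startswith("2")
    return f


def summarize(lines):
    """Count lines per label; 'unparsed' catches anything neither regex knows."""
    counts = Counter()
    for line in lines:
        rec = classify_kernel(line) or classify_apache(line)
        counts[rec["label"] if rec else "unparsed"] += 1
    return counts


# Constructed sample, reconstructed from the lines quoted in the thread; the
# Code Red URI is shortened to a few of its N's and %u words.
SAMPLE_LINES = [
    "Oct  7 20:59:16 Linolio kernel: IN=ppp0 OUT= MAC= SRC=64.172.120.252 "
    "DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=50988 PROTO=UDP "
    "SPT=1025 DPT=137 LEN=58",
    "Oct  7 21:03:32 Linolio kernel: IN=ppp0 OUT= MAC= SRC=61.99.136.75 "
    "DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=107 ID=63978 PROTO=UDP "
    "SPT=1027 DPT=137 LEN=58",
    '218.4.59.220 - - [06/Oct/2002:22:44:49 -0600] "GET /default.ida?NNNNNNNN'
    '%u9090%u6858%ucbd3%u7801%u0078%u0000%u00=a  HTTP/1.0" 400 352',
    'pd9ebef87.dip.t-dialin.net - - [07/Oct/2002:00:54:18 -0600] "HEAD / HTTP/1.0" 200 0',
    'ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:00 -0600] '
    '"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 310',
    'ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:02 -0600] '
    '"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 308',
    'ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:04 -0600] '
    '"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318',
]

if __name__ == "__main__":
    for label, n in summarize(SAMPLE_LINES).most_common():
        print(f"{n:3d}  {label}")
    for line in SAMPLE_LINES:
        rec = classify_apache(line)
        if rec and rec["served"]:
            print("ALERT: worm path answered with", rec["status"], rec["path"])
```

Run against the lines in the post this gives two netbios-ns probes, one Code Red probe, two root.exe probes, one cmd.exe probe and one ordinary HEAD, with nothing served. A 400 or 404 for these paths on Apache needs no action beyond keeping the server patched as Dharmendra says; the thing worth alerting on is the served flag, that is one of these paths answered with a 2xx, or the same source coming back for something other than worm paths. The UDP 137 lines are Windows NetBIOS name-service queries, which a Windows host sends before it connects to a share, and the firewall is already dropping them; the TTLs in the post, all between 106 and 113, fit Windows senders 15 to 22 hops away.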

---- 08/10/02 14.44 ---- Sent to ----------------------------------------
  -> security-discuss(a)linuxsecurity.com

