[CLUE-Tech] nimda and friends

Todd Williams hp205ctl at hotpop.com
Tue Sep 10 16:03:38 MDT 2002


imakenews.com is a known spammer.
Possible reasons they are hitting your port 25:
  they are trying to hit a (non-existent) email address there with spam
  they are testing for open relays (to send spam through anonymously)

Much of the dedicated "spamware" out there ignores all errors and just tries
to push out as much as possible as fast as possible.  Sounds like you might
have a good system to put a port 25 tarpit on.

Todd

Adam Bultman wrote:
> I don't know about you; but my servers have seen a great increase in scans
> lately. Obviously, there's the MS warning about increased scanning, and
> certainly I see that on my 3 IIS boxen (running BlackICE, so they get
> blocked), but wowza, I get a lot of scans these days, both on my Linux
> boxes and IIS boxes. My firewall in my office once was completely hammered
> to the point that the drive suddenly filled up with snort logs.  Yikes.
> 
> Anyone else notice all this? I stay up on patches, but it's rough doing so
> when it breaks IIS.  As far as Linux goes, I'm too afraid to block those
> people (as sometimes, it's a misconfigured server for a client trying to
> constantly connect to my web servers at port 25).  Speaking of which, do
> any of you have lots of hits to port 25 these days?  I have lots of hosts
> (imakenews.com being the most bothersome) trying, every 10 minutes or so,
> to connect to my web servers at port 25.  I don't know why.  They've never
> run sendmail as a daemon before. Blah. Cretins.
> 
> 
> 
> On Mon, 9 Sep 2002, Dave Price wrote:
> 
> 
>>Well the icmp syslog errors are gone - now if I could just get a script
>>to a DROP to my iptables for systems that try to do this silliness -
>>
>>[Sat Aug 31 10:08:08 2002] [error] [client 63.225.171.157] File does not
>>exist: /var/www/d/winnt/system32/cmd.exe
>>
>>==> /var/log/apache/access.log <==
>>63.225.171.157 - - [31/Aug/2002:10:08:08 -0600] "GET
>>/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
>>
>>==> /var/log/apache/error.log <==
>>[Sat Aug 31 10:08:08 2002] [error] [client 63.225.171.157] File does not
>>exist: /var/www/scripts/..%5c../winnt/system32/cmd.exe
>>
>>==> /var/log/apache/access.log <==
>>63.225.171.157 - - [31/Aug/2002:10:08:09 -0600] "GET
>>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>>HTTP/1.0" 404 249
>>
>>like I would really run IIS, I have seen references to scripts that
>>actually make the Nimda targets into legitimate cgi scripts.
>>
>>Has anyone ever tried to install something like that?
>>
>>scanning the logs - tired of getting probed.
>>
>>BTW if you did not know you could do this, tail can monitor several files
>>at once:
>>
>>davep at fw:/etc/network$ cat `which tlog`
>>su -c "tail -f /var/log/apache/access.log /var/log/apache/error.log
>>/var/log/exim/mainlog /var/log/syslog"
>>
>>The output is easy to scan.
>>
>>aloha,
>>dave
>>
>>
>>_______________________________________________
>>CLUE-Tech mailing list
>>CLUE-Tech at clue.denver.co.us
>>http://clue.denver.co.us/mailman/listinfo/clue-tech
>>
> 
> 
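Dave asked for a script that turns probe lines like the ones he quoted into iptables DROP rules. The Python below is an added example, not code posted in this thread: it parses Apache access.log lines, percent-decodes each URI twice so the double-encoded ..%255c.. traversal shows up as the backslash it becomes on IIS, matches against the cmd.exe/root.exe/_vti_bin signatures visible in the quoted logs (plus the /msadc/ variant Nimda also sends), and emits one DROP per probing host. The rules are restricted to tcp/80, which is the caveat Adam raised: a client's misconfigured mail server that keeps retrying port 25 should not be cut off because of a web-probe rule. The log lines embedded in the block are constructed, not real traffic, and the iptables command shape is the author's assumption about how one would apply the result.

```python
#!/usr/bin/env python3
"""Scan Apache access.log lines for Nimda/Code Red-style IIS probes and
emit iptables DROP rules for the probing hosts.

Added example, not code from the original thread. SAMPLE_LOG below is
constructed for illustration, in the same shape as the lines Dave quoted.
"""
import re
import sys
import urllib.parse
from collections import Counter

# Apache common/combined log prefix: client ip, ident, user, [time], "request"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)"')

# Paths that only an IIS worm or scanner would ask a Unix Apache for.
# Matched against the URI after two rounds of percent-decoding so that
# the double-encoded traversal (..%255c.. -> ..%5c.. -> ..\..) is caught.
PROBE_SIGNATURES = (
    "/winnt/system32/cmd.exe",
    "/root.exe",           # Nimda leaves a copy of cmd.exe named root.exe
    "/scripts/..\\",       # decoded ..%255c.. traversal under /scripts/
    "/_vti_bin/..\\",      # same traversal via the FrontPage extension path
    "/msadc/..\\",         # same traversal via the MDAC sample path
)


def decode_uri(uri: str) -> str:
    # Decode twice: the worm sends %255c so that IIS's first decode yields
    # %5c, which a later path check decodes again into a backslash.
    once = urllib.parse.unquote(uri)
    return urllib.parse.unquote(once).lower()


def is_iis_probe(request: str) -> bool:
    """True if the request line looks like a Nimda/unicode-traversal probe."""
    parts = request.split()
    if len(parts) < 2:
        return False
    uri = decode_uri(parts[1])
    return any(sig in uri for sig in PROBE_SIGNATURES)


def probing_hosts(lines):
    """Return a Counter mapping client IP -> number of probe requests seen."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_iis_probe(m.group("req")):
            hits[m.group("ip")] += 1
    return hits


def iptables_rules(hits, min_hits=1):
    """One DROP per host, limited to tcp/80 so a client whose mail server
    keeps retrying port 25 is not cut off as collateral damage."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 80 -j DROP"
            for ip, n in sorted(hits.items()) if n >= min_hits]


# Constructed sample lines (not real traffic): two probes from one host,
# one probe from another, and a normal request that must not match.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Aug/2002:10:08:08 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    '192.0.2.10 - - [31/Aug/2002:10:08:09 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249',
    '198.51.100.7 - - [31/Aug/2002:10:09:01 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '203.0.113.5 - - [31/Aug/2002:10:09:30 -0600] "GET /index.html HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    # Read a log from stdin when piped (e.g. tail -f access.log | ./nimda_drop.py),
    # otherwise run over the constructed sample so the script is self-demonstrating.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for rule in iptables_rules(probing_hosts(source)):
        print(rule)
```

Feed it `tail -f /var/log/apache/access.log` and pipe the output to `sh` only after checking what it produces; each run inserts fresh rules, so keep an ipset or a seen-list if you run it continuously, and raise `min_hits` if you want a host to earn its block. The hosts these rules catch are almost always infected IIS boxes rather than a person at a keyboard, so blocking them is noise reduction, not a defense against anything that was going to work on Apache anyway.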