[CLUE-Tech] annoying attempts to compromise web server

Chris Schock black at clapthreetimes.com
Tue Oct 19 13:00:58 MDT 2004


This is clearly worm traffic. If Comcast says they are doing this, then
they either don't know what they're talking about (likely, the dude
answering questions isn't making $100k as a contractor for a reason) or
they have some infections themselves if it's coming from their address
space.

Comcast doesn't need to actually attempt to exploit a box to determine if
it's running a service on a particular port. :)

And I agree, Comcast should mind their own business as long as you're
paying your bill.

The number one problem with large ISPs is that they are inflexible and
ALWAYS give common denominator answers.

> I am trying this iptables solution in cron. When I
> last paid my bill with Comcast they told me that they
> "invade" clients this way to make sure that they
> aren't "illegally" running services, i.e. anything but
> Internet Explorer and Outlook ... hehe
>
> Jerk offs .... who should say how I utilize the
> bandwidth I pay for .... (Ok they can deny service to
> whomever they please ... but that is bad business)
>
> -Mike
>
>
> --- Charles Oriez <coriez at oriez.org> wrote:
>
>> At 08:11 AM 10/13/2004, mike havlicek wrote:
>>
>> >Hello,
>> >
>> >A few days ago I opened up my cable/dsl router to
>> >allow a simple web page to be served by apache on one
>> >of my linux boxes. Over the last 2 days or so apache
>> >has been logging (in access_log) attempts from a
>> >particular IP trying to "run" things like:
>> >
>> >67.165.178.202 - - [13/Oct/2004:07:49:58 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 972 "-" "-"
>> >
>> >every 30 to 40 minutes.
>> >
>> >Any suggestions on how to deal with this sort of
>> >thing?
>> >
>> >-Mike
>>
>>
>> as root or su
>>
>> /sbin/iptables -A INPUT -s 67.165.178.202 -j DROP
>>
>>
>> remember to run an iptables save command in your
>> daily cron job
>>
>> Mine were coming from 24.162.235.170 and have not
>> shown up since I entered
>> that command.
>>
>>
>>
>> --
>> coriez at oriez.org 39° 34' 34.4"N / 105° 00' 06.3"W
>> "Drag God into politics, and you'll ruin his
>> reputation in no time." -
>> Molly Ivins
>>
>>
>
>
>
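One way to pull probing addresses out of access_log before adding DROP rules like the one quoted above (an added example, not from any poster in this thread). It decodes each request path repeatedly, because `%25%35%63` only becomes a backslash after two rounds of percent-decoding; the function names and every sample line except the first are constructed, and the 192.0.2.x / 198.51.100.x addresses are documentation placeholders.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in Apache log format. The first line repeats the request
# quoted in the thread; the other three are made up for contrast.
SAMPLE_LOG = '''\
67.165.178.202 - - [13/Oct/2004:07:49:58 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 972 "-" "-"
198.51.100.7 - - [13/Oct/2004:08:24:11 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 972 "-" "-"
192.0.2.10 - - [13/Oct/2004:08:30:02 -0600] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.44 - - [13/Oct/2004:08:31:40 -0600] "GET /docs/100%25-uptime.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''

# client address, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# a ".." path segment delimited by either slash style
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(path, max_rounds=5):
    """Percent-decode until stable; return (decoded, rounds that changed it)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def is_probe(target):
    """Flag multiply-encoded traversal, or any request for a Windows shell."""
    path = target.split("?", 1)[0]
    decoded, rounds = fully_decode(path)
    traversal = bool(TRAVERSAL_RE.search(decoded))
    return (traversal and rounds > 1) or decoded.lower().endswith("cmd.exe")

def probing_sources(log_text):
    """Count probe requests per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_probe(m.group(3)):
            hits[m.group(1)] += 1
    return hits

if __name__ == "__main__":
    for ip, n in probing_sources(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} probe request(s)")
```

A legitimate path containing a single encoded percent sign, like the last sample line, decodes in one round and is not flagged.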




