
[aclug-L] Re: Hacker or ??

To: <discussion@xxxxxxxxx>
Subject: [aclug-L] Re: Hacker or ??
From: "gLaNDix" <glandix@xxxxxxxxxxxxxx>
Date: Wed, 19 Sep 2001 20:58:37 -0500
Reply-to: discussion@xxxxxxxxx

These entries are from the Code Red II virus...  Code Red looks very
similar but uses 'N' as the "filler" instead of 'X'...

gLaNDix

> -----Original Message-----
> From: discussion-bounce@xxxxxxxxx [mailto:discussion-bounce@xxxxxxxxx] On
> Behalf Of Maverick
> Sent: Wednesday, September 19, 2001 7:28 PM
> To: discussion@xxxxxxxxx
> Subject: [aclug-L] Re: Hacker or ??
> 
> 
> Besides the stuff I found out, I looked at my log, and there
> are many entries like:
> 203.79.191.129 - - [09/Aug/2001:16:34:41 +1200] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
> u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
> 203.79.191.129 - - [09/Aug/2001:16:34:41 +1200] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%
> u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b0
> ....
> 
> It clogged my network so badly...does anyone have any
> solution so far?
> Thanks
> 
> Mav
> 
> --- Dale W Hodge <dwh@xxxxxxxxxxxxxxxx> wrote:
> >
> > > -----Original Message-----
> > > From: discussion-bounce@xxxxxxxxx [mailto:discussion-bounce@xxxxxxxxx] On
> > > Behalf Of Maverick
> > >
> > >
> > > uh...seems the answer is still unknown.. I think
> > > shutting down my webserver is the only solution at this
> > > point.
> > >
> > > Mav
> > > > > > Is that someone trying to access my /var/www/scripts/?
> > > > > > and my error.log generates something like this..
> > > > > > [Tue Sep 18 10:52:27 2001] [error] [client 24.234.20.197] File does not exist: /var/www/c/winnt/system32/cmd.exe
> > > > > > [Tue Sep 18 10:52:28 2001] [error] [client 24.234.20.197] File does not exist: /var/www/d/winnt/system32/cmd.exe
> > > > > > ....
> > > > > >
> > > > > > anyone have any idea? or did I set something wrong?
> > > > > > or really have a hacker knocking on my door?
> >
> > It's just the latest code red variant trying to find
> > MS IIS servers.  It doesn't
> > have any effect on Linux/Apache servers other than
> > the extra traffic.  My normal
> > traffic shows around 400 hits a day, yesterday I
> > logged 5300 hits and I'm at
> > 2200 hits as of 1PM today. It's mostly a nuisance as
> > far as I'm concerned.
> >
> > --dwh
> >
> > ---
> > Dale W Hodge - dwh@xxxxxxxxxxxxxxxx
> > Secretary & Website Maintainer - info@xxxxxxxxx
> > Air Capital Linux User's Group  (ACLUG)
> > ---
> >
> > -- This is the discussion@xxxxxxxxx list.  To unsubscribe,
> > visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
> >
> 
> 

-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
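
An added example, not part of the original thread: a small Python log triage that applies the filler distinction from the reply above ('X' for Code Red II, 'N' for Code Red) and the `cmd.exe` error-log entries quoted earlier, so the worm noise can be counted separately from normal hits. The regexes, the 20-character filler threshold, the label names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Common Log Format; closing quote optional since long requests may be logged truncated.
ACCESS = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)')
# Apache error-log "File does not exist" entries, as quoted in the thread.
ERROR = re.compile(r'^\[[^\]]+\] \[error\] \[client (?P<host>[^\]]+)\] '
                   r'File does not exist: (?P<path>\S+)')
# Run of one filler character after /default.ida? (20+ is an assumed threshold).
IDA = re.compile(r'^GET /default\.ida\?(?P<fill>N{20,}|X{20,})')
FILLER = {"N": "code-red", "X": "code-red-ii"}  # mapping from the reply above


def classify(line):
    """Return (host, label) for one log line, or None if unparseable."""
    m = ERROR.match(line)
    if m:
        probe = m["path"].lower().endswith("/winnt/system32/cmd.exe")
        return m["host"], ("cmd-exe-probe" if probe else "other")
    m = ACCESS.match(line)
    if not m:
        return None
    ida = IDA.match(m["req"])
    return m["host"], (FILLER[ida["fill"][0]] if ida else "other")


def summarize(lines):
    """Count hits per label and list the distinct source hosts per label."""
    hits, sources = Counter(), defaultdict(set)
    for line in lines:
        result = classify(line.strip())
        if result:
            hits[result[1]] += 1
            sources[result[1]].add(result[0])
    return hits, {label: sorted(hosts) for label, hosts in sources.items()}


# Constructed sample lines (documentation addresses, shortened filler).
SAMPLE = [
    '192.0.2.10 - - [09/Aug/2001:16:34:41 +1200] "GET /default.ida?' + "X" * 60 + "%u9090",
    '192.0.2.10 - - [09/Aug/2001:16:34:42 +1200] "GET /default.ida?' + "X" * 60 + "%u9090",
    '198.51.100.7 - - [02/Aug/2001:03:10:05 +1200] "GET /default.ida?' + "N" * 60 + ' HTTP/1.0" 404 205',
    '203.0.113.5 - - [09/Aug/2001:16:40:00 +1200] "GET /index.html HTTP/1.0" 200 1043',
    "[Tue Sep 18 10:52:27 2001] [error] [client 203.0.113.77] "
    "File does not exist: /var/www/c/winnt/system32/cmd.exe",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feeding it the lines of a real access.log and error.log gives the per-label hit counts and the source hosts behind them; the "other" count is what remains once the worm requests are set aside.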

