[KLUG Members] weird web stuff

Wesley Leonard members@kalamazoolinux.org
Thu, 19 Jul 2001 13:54:36 -0400


Thanks!  I immediately composed an email to admin, abuse, root @ all the systems
from where it came.

Luckily I'm running Apache!  :)

-- 

Wesley Leonard
marshall@pacdemon.org

http://www.pacdemon.org
"The economy depends about as much on economists as the weather does on weather
forecasters." 
    --Jean-Paul Kauffmann



Richard Zimmerman wrote:
> 
> They (read somebody) are trying to hack you with the .ida worm.....
> 
> It's aimed at IIS servers on NT4+. It loads on the server then creates 100
> instances of itself. The first 99 go searching for more victims, the 100th
> defaces the webpage.
> 
> From what I have read, it ONLY affects IIS / NT systems. This thing hit 5400
> systems in one day and the last numbers I can remember show over 100,000
> systems affected in a week!
> 
> I just had to call one of my customers as they just got hacked by it also!
> 
> Richard
> 
> Richard Zimmerman                                     Richard@knbpower.com
> Information Systems Manager                      ke4rit@earthlink.net
> K&B Transport, Inc.
> Elkhart, Indiana                     Advanced SKYWARN weather spotter
> 
> Look Listen and Live!
> Support Operation Lifesaver
> www.oli.org
> 
> ----- Original Message -----
> From: "Wesley Leonard" <marshall@pacdemon.org>
> To: "Klug Mailing List" <members@kalamazoolinux.org>
> Sent: Thursday, July 19, 2001 12:16 PM
> Subject: [KLUG Members] weird web stuff
> 
> > Today I found odd web requests on my home server (on DSL).  They were all
> > from different IP addresses and they looked like this:
> >
> > [19/Jul/2001:12:41:41 -0400] "GET
> > /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9
> > 090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> > HTTP/1.0" 400 335
> >
> >
> > In the error logs it says these four clients generated a malformed Host
> > header.
> >
> > Anybody seen this before?  Should I start getting worried?  They were all
> > within a half an hour and were VERY different IP addresses (24., 212., 4.,
> > 131.).
> >
> > l8er
> > --
> >
> > Wesley Leonard
> > marshall@pacdemon.org
> >
> > http://www.pacdemon.org
> > "The economy depends about as much on economists as the weather does on
> > weather forecasters."
> >     --Jean-Paul Kauffmann
> > _______________________________________________
> > Members mailing list
> > Members@kalamazoolinux.org
>
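
Added example, not part of the original messages: a small Python scanner that picks requests like the one quoted above out of an Apache access log and counts them per source address. It assumes Common Log Format with the client address as the first field; the thresholds (a run of 64 or more identical characters, four or more %uXXXX escapes) and the sample lines, with documentation-range addresses and a shortened payload, are constructed for illustration.

```python
import re
from collections import Counter

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) (\S+)$')
FILLER = re.compile(r'(.)\1{63,}')          # 64+ repeats of one character (assumed threshold)
PCT_U = re.compile(r'%u[0-9a-fA-F]{4}')     # IIS-style %uXXXX escapes

def classify(request):
    """Return the reasons a request line looks like the .ida probe."""
    parts = request.split(' ')
    if len(parts) < 2:
        return []
    path, _, query = parts[1].partition('?')
    if not path.lower().endswith('.ida'):
        return []
    reasons = ['ida-extension']
    if FILLER.search(query):
        reasons.append('long-filler-run')
    if len(PCT_U.findall(query)) >= 4:      # assumed threshold
        reasons.append('percent-u-escapes')
    return reasons

def scan(lines):
    """Return (hits, per-source counts) for lines with two or more signals."""
    hits, sources = [], Counter()
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue                        # not a CLF line; skip it
        host, when, request, status, _ = m.groups()
        reasons = classify(request)
        if len(reasons) >= 2:
            hits.append((when, host, int(status), reasons))
            sources[host] += 1
    return hits, sources

# Constructed sample log: documentation-range addresses, shortened payload.
PROBE = '/default.ida?' + 'N' * 224 + '%u9090%u6858%ucbd3%u7801' * 3 + '=a'
SAMPLE = [
    '192.0.2.10 - - [19/Jul/2001:12:41:41 -0400] "GET %s HTTP/1.0" 400 335' % PROBE,
    '198.51.100.7 - - [19/Jul/2001:12:52:03 -0400] "GET %s HTTP/1.0" 400 335' % PROBE,
    '203.0.113.5 - - [19/Jul/2001:12:55:10 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [19/Jul/2001:12:56:00 -0400] "GET /help.ida?topic=a HTTP/1.0" 404 210',
]

if __name__ == '__main__':
    for when, host, status, reasons in scan(SAMPLE)[0]:
        print(when, host, status, ','.join(reasons))
```

A request for an .ida path alone is not reported; the scanner wants the extension plus at least one of the other two signals, which keeps an ordinary 404 for a mistyped URL out of the results.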