Subject: Re: Strange logs in web-server...
To: Richard Rauch <rkr@olib.org>
From: Timo Schöler <timo.schoeler@macfinity.net>
List: netbsd-help
Date: 09/25/2004 16:27:04
> Thanks.
>
> Usually it's a spammer who tries to discover an open relay, and
> addresses
> the mail back to himself/herself/itself as "rockstar".  I'm told that
> it ("rockstar") is a somewhat well-known spammer.
>
> If it's a worm/virus, why are multiple, physically separate,
> computers targeting my system at the *same* time?  Is that a quirky
> feature of the worm?

that could be seen when analyzing the virus'/worms' internal structure or algorithm ;)

>
>
>
>  [...]
>> after all, if you don't run a buggy version of formmail (or you don't
>> run formmail at all), you can ignore these log entries safely -- like
>> the other masses of attacks on Mickeysoft IIS ;)
>
> I don't run formmail, or any of the other scripts that they tried to
> use (enquiry.pl etc.).  My web server presently serves only static
> files.  I have been thinking about setting up PHP for some fun,
> though.

those zombies don't care about it. years ago, there was a worm (don't
remember its name) trying to use an IIS exploit -- well, i worked at
an 'Apple only' ISP (might be exotic, but it was real :). the logs were flooded by this worm 'attacking' those machines to no avail :)

>
> But these attempted hacks spam my logs, so when I tend to blacklist
> the IP number from future access to the server.  (^&  My ipf rules
> grow ~daily (usually due to email spammers, but sometimes due to
> viruses and hackers).

i'm not sure whether this is a real good way in this topic. if you are (D)DOSed, this might be different, but i think that you more or less
will get 'false positives' the way you block 'em.

>
> It's not a perfect defense, but it helps.  Some of the less bright
> viruses can try to hit my mail server in 10,000 to 20,000 times in
> a single week from a single source.  Why do I need that in my logs?
> (^&

that's true -- and that's why i invert-grep my logs to 'clean' them ;)


-- 
with the utmost respect/best regards,

Timo Schöler
//macfinity -- finest IT services | Triftstrasse 39 | 13353 Berlin | Germany
Fon ++49 30 25 20 30 20 | Fax ++49 30 25 20 30 19
PGP data http://www.macfinity.net/~tis/contact/PGPPKB_timo.schoeler.txt
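The two techniques discussed in this thread, inverse-grepping probe noise out of a web-server log and counting hits per source before an address earns a firewall rule, as an added shell example that is not code from the thread or from either poster. The log lines, the pattern list, the function names and the threshold value are all constructed for illustration; only formmail and enquiry.pl come from the mail itself.

```shell
#!/bin/sh
# Added example (not from the original mail): "invert grep" log cleaning
# plus a per-source hit count, so that a single stray request does not
# become a permanent ipf entry.  Everything below is constructed.

# Constructed sample in Apache/NCSA common-log format.
SAMPLE_LOG='192.0.2.10 - - [25/Sep/2004:16:27:04 +0200] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - - [25/Sep/2004:16:27:05 +0200] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 210
192.0.2.11 - - [25/Sep/2004:16:27:06 +0200] "GET /cgi-bin/enquiry.pl HTTP/1.0" 404 210
192.0.2.11 - - [25/Sep/2004:16:27:07 +0200] "POST /cgi-bin/FormMail.pl HTTP/1.0" 404 210
192.0.2.12 - - [25/Sep/2004:16:27:08 +0200] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 210
192.0.2.10 - - [25/Sep/2004:16:27:09 +0200] "GET /about.html HTTP/1.1" 200 733'

# Basic regular expressions for requests that can only be scanner probes on
# a server that never had these scripts (the two names mentioned in the mail).
NOISE_PATTERNS='/cgi-bin/[Ff]orm[Mm]ail
/cgi-bin/enquiry\.pl'

# _with_pattern_file GREP_FLAGS: run grep over stdin with the pattern list in
# a temporary file, so the list can grow without touching the functions.
# grep exits 1 when nothing matches, which is not an error for our purposes.
_with_pattern_file() {
    pf=$(mktemp /tmp/noise.XXXXXX) || return 1
    printf '%s\n' "$NOISE_PATTERNS" > "$pf"
    grep $1 -f "$pf"
    rc=$?
    rm -f "$pf"
    [ "$rc" -le 1 ]
}

# clean_log: print only the lines that match none of the noise patterns.
clean_log() {
    _with_pattern_file -v
}

# noise_hits: the complementary view, only the probe lines.
noise_hits() {
    _with_pattern_file ""
}

# block_candidates THRESHOLD: source addresses with at least THRESHOLD probe
# hits, printed as "count ip", highest first.  The threshold is what keeps a
# one-off request from a shared NAT or proxy (a likely "false positive") from
# earning a firewall entry; the value is a constructed default, not advice.
block_candidates() {
    noise_hits | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' \
        | awk -v t="$1" '$1 >= t' | sort -rn
}

# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | clean_log
printf '%s\n' "$SAMPLE_LOG" | block_candidates 2
```

In practice the pattern list would live in a file of its own and `clean_log` would read the real access log, which keeps the cleaned copy free of probe noise while `block_candidates` shows which sources are persistent enough to be worth a rule.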