Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
>ain't it trying to hack into an IIS server?
Yup, another IIS ISAPI overflow. Sad part is the patch for this from MS has been out forever and my Apache log is still filling with these requests. Hard to decide who to blame... MS for not checking their code or the lazy sysadmins who can't take the time to patch their winblows servers.
Hmm, I got that same line in my access_log as well.
So, that will only affect Windows servers, or is my Linux server affected as well? Cuz now I'm starting to get worried that my Linux server has a worm...
Nope, it only affects Microsoft servers that run the IIS web server and don't have the patch installed. Your Linux box is fine. Get used to seeing those in your logs though, because you will see them over and over. If you're worried about worms, download and run chkrootkit.
Well, it is still a problem for Apache/Linux users even though it cannot affect Linux in the way it does Windows. The problem is that these annoying attacks can make a real dent in the bandwidth available to your legit users. It can waste a lot of admin time; I HATE scrolling through lines of Code Red and CRII log entries just to look at real server data.
lol, when I first read this I was gonna say... you must not get a lot of attacks; I don't have 2 hours a day just for logging IPs and then adding them to /etc/hosts.deny! Looks like you don't either. I wish ISPs or traffic aggregates would actually do something about the host networks for the machines that are STILL running these f&*^$@g Code Red variants. You know, I have probably sent a hundred or so emails to various abuse@someisp.com addresses for different problems with attacks or scanners/viruses and have never ONCE gotten a reply. Just this weekend one of my mail servers got bombed by a spam email server in Germany. I mean, all relaying is denied but this damned box would not stop. It chaps my hide that I have to start creating iptables rules because of losers like that.
If you scroll to the right hand side you will see three graphs... default.ida, cmd.exe, and root.exe. These are graphs (which you can click on) displaying how often these worms hit your web server. HotSaNiC works on all CLF log files too.
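The following is an added example, not posted by anyone in this thread and not HotSaNiC's code. It shows one way to tally the three request targets mentioned above (default.ida, cmd.exe, root.exe) in a Common Log Format access log, count the response bytes spent on them, and keep the remaining lines for normal review. The log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Request targets named in the thread; matched as the last path component.
SIGNATURES = ("default.ida", "cmd.exe", "root.exe")

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]*)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample lines (documentation addresses, shortened requests).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2002:10:01:02 -0500] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.10 - - [12/Mar/2002:10:01:05 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
198.51.100.7 - - [12/Mar/2002:10:02:11 -0500] "GET /index.html HTTP/1.1" 200 5120
203.0.113.44 - - [12/Mar/2002:10:03:40 -0500] "GET /scripts/cmd.exe?/c+dir HTTP/1.0" 404 285
198.51.100.7 - - [12/Mar/2002:10:04:00 -0500] "GET /docs/cmd.exe.html HTTP/1.1" 200 900
garbage line that is not CLF
"""

def classify(request):
    """Return the matched signature, or None for ordinary traffic."""
    parts = request.split()
    if len(parts) < 2:
        return None
    # Drop the query string, then compare only the final path component,
    # so a legitimate page such as /docs/cmd.exe.html is not flagged.
    path = parts[1].split("?", 1)[0].lower()
    leaf = path.rsplit("/", 1)[-1]
    return leaf if leaf in SIGNATURES else None

def summarize(lines):
    """Return (hits per signature, hits per source, clean lines, bytes sent)."""
    hits, sources, clean, wasted = Counter(), Counter(), [], 0
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not valid CLF
        host, _, request, _, size = m.groups()
        sig = classify(request)
        if sig is None:
            clean.append(line)
            continue
        hits[sig] += 1
        sources[host] += 1
        wasted += int(size) if size.isdigit() else 0  # "-" means no body
    return hits, sources, clean, wasted

if __name__ == "__main__":
    hits, sources, clean, wasted = summarize(SAMPLE_LOG.splitlines())
    print(dict(hits), dict(sources), len(clean), wasted)
```
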