From owner-freebsd-questions Tue Sep 18 21:43:59 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from dv-db.com (dv-db.com [207.159.141.95]) by hub.freebsd.org (Postfix) with ESMTP id A286B37B413 for ; Tue, 18 Sep 2001 21:43:53 -0700 (PDT)
Received: from mark2 (host217-35-34-245.in-addr.btopenworld.com [217.35.34.245]) by dv-db.com (8.9.3/8.9.3) with SMTP id FAA27848; Wed, 19 Sep 2001 05:43:34 +0100 (GMT/BST)
Message-ID: <036601c140c5$8c289790$0200a8c0@mark2>
From: "Mark Hughes"
To: "klein brock" , "Brian Whalen"
Cc:
References: <20010919043057.41265.qmail@web20104.mail.yahoo.com>
Subject: Re: virus ?
Date: Wed, 19 Sep 2001 05:42:21 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4807.1700
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> > > that all sounds suspiciously like a code red / code blue / nammbaaanada
> > > (sp?) virus that's spread onto an area network and is trying to infect
> > > your machine...
> > >
> > > I could be wrong, what do others think?
> >
> > These people are likely not directly attacking you, but being unknowing
> > participants in this.
>
> what are the possible things on my server that can be infected by this
> virus ?

Nothing, it only affects Microsoft servers but it tries to spread itself indiscriminately by probing in the manner your log shows - looking for those certain files. There's not much you can do about it - and blocking access to that netblock would obviously stop it getting further than your public facing network card... it's an annoyance for you, it's an annoyance for the rest of the world.

I'd imagine the best thing to do would be to contact the owner of that netblock of IP addresses and tell them to get their systems patched up to date, ASAP, and in the meantime you could block access from that IP block - it depends what your server is supposed to be doing - if it's running as a gateway machine then it would be unlikely to cause you any problems, if you are running a web or mail server then obviously anyone in that netblock would not be able to access your server - with all the problems that would entail.

HTH,

Mark
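
Added example (not part of Mark's message or the thread): a Python sketch of the triage the reply describes, counting worm-style probes per source netblock in an Apache common-format access log and listing any probe the server answered with a 2xx status. The probe paths are the publicly documented Code Red and Nimda requests; the /24 grouping, the function name `summarize` and the sample log lines are assumptions, and the real owner of a netblock comes from a whois lookup.

```python
import ipaddress
import re
from collections import Counter

# Publicly documented probe requests: Code Red asks for default.ida,
# Nimda looks for cmd.exe / root.exe under IIS directories.
PROBE = re.compile(r"/default\.ida\?|/(?:cmd|root)\.exe", re.IGNORECASE)
# Apache common log format: client ident user [time] "METHOD path proto" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+)[^"]*" (\d{3})')

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2001:05:40:01 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [19/Sep/2001:05:40:02 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 274
192.0.2.77 - - [19/Sep/2001:05:40:05 +0100] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
198.51.100.4 - - [19/Sep/2001:05:41:00 +0100] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270
203.0.113.9 - - [19/Sep/2001:05:41:30 +0100] "GET /index.html HTTP/1.0" 200 1043
"""

def summarize(lines, prefix=24):
    """Return (probe count per source netblock, probes answered with 2xx)."""
    blocks, served = Counter(), []
    for line in lines:
        m = LINE.match(line)
        if not m or not PROBE.search(m.group(2)):
            continue  # malformed line or an ordinary request
        client, path, status = m.groups()
        try:
            # Assumption: group sources by /24; whois gives the real allocation.
            net = ipaddress.ip_network(f"{client}/{prefix}", strict=False)
        except ValueError:
            continue  # logged a hostname instead of an address
        blocks[str(net)] += 1
        if status.startswith("2"):
            served.append((client, path))  # the probed file actually exists
    return blocks, served

if __name__ == "__main__":
    blocks, served = summarize(SAMPLE_LOG.splitlines())
    for net, count in blocks.most_common():
        print(f"{net}: {count} probe(s)")
    print("probes answered with 2xx:", served or "none")
```

On a non-IIS server every probe should come back as an error status, so an empty second result matches the "Nothing" answer above; the per-netblock counts are what you would hand to the netblock owner or turn into a firewall rule.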