Date: Wed, 19 Sep 2001 10:45:30 +1000
From: Rob Secombe <robseco@teksupport.net.au>
To: freebsd-isp@freebsd.org
Subject: Re: Code Red?!
Message-ID: <3.0.5.32.20010919104530.00795ca0@secombe>
In-Reply-To: <20010918202005.B19613@wjv.com>
References: <OFFB70F3BC.75A1E6DC-ON86256ACB.0073FE26@kka.com> <OFFB70F3BC.75A1E6DC-ON86256ACB.0073FE26@kka.com>

Hi,

I am unfortunate enough to have one NT box :(

In case any of you are in a similar situation, this is what I have done.

These worms appear only to attack using the IP address of the server on port 80 and not using a name, so at this stage they are not hitting the virtual webs, only the default web which has virtual directories with execute permissions set.

I have all my customers' sites running as virtual webs and have restricted the default server to just "localhost".

The logs are growing with the rejection messages but I have relocated them to another drive where it won't hurt if it does fill up.

Fingers crossed.

Cheers
Rob.

At 20:20 18/09/01 -0400, you wrote:
>On Tue, Sep 18, 2001 at 04:17:58PM -0500,
>Eric_Stanfield@kenokozie.com thus sprach:
>
>> I find it interesting that everyone I've talked to today has
>> logged the initial nimda attack within 30 seconds of the time you
>> listed below (after adjusting for timezones).
>
>I've seen an acceleration of the attack this evening [EST].
>
>I've had log files just exploding in size. They are growing at
>well over 500 lines per minute. We have a small company doing
>specialized work and we have our own racks in a communications
>facility. The servers have 100Mbit uplinks into the OC-192
>backbone so I'm not going to be limited by pipe width, which also
>means that I can't get faster too.
>
>I've just turned off all logging for web traffic as I didn't want
>to have the systems fall over for lack of drive space.
>
>Just a reminder here to check your log files to make sure something
>like this doesn't happen to you.
>
>Just a file guess but here the nimda traffic is probably about 5
>times more than the highest CodeRed days. I'm sure glad I have NO
>MS machines that I maintain but a client has two in our racks and I
>called them about 1030 this AM. I wish them luck.
>
>
>--
>Bill Vermillion - bv @ wjv . com
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-isp" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
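
An added example, not part of the original message: one way to check from the web logs that worm probes are arriving by IP address (or with no Host value) while customer traffic arrives by name, as the message above describes. It assumes W3C extended logging with the cs-host field enabled; the log lines, addresses, host names, URIs and status codes are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample in W3C extended log format (not taken from the post).
# Addresses are documentation ranges; names, URIs and statuses are placeholders.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-host
2001-09-19 00:41:02 198.51.100.7 GET /probe-placeholder 400 192.0.2.10
2001-09-19 00:41:03 198.51.100.7 GET /probe-placeholder 400 192.0.2.10
2001-09-19 00:41:05 203.0.113.44 GET /index.html 200 www.customer-a.example
2001-09-19 00:41:09 198.51.100.23 GET /probe-placeholder 400 -
2001-09-19 00:41:11 203.0.113.61 GET /news.html 200 www.customer-b.example:80
"""

def classify_host(host):
    """Return 'missing', 'ip-literal' or 'named' for a logged Host value."""
    if host in ("", "-"):
        return "missing"
    if host.startswith("["):              # bracketed IPv6 literal, optional port
        name = host[1:].split("]", 1)[0]
    else:                                 # strip ":port" from name or IPv4 form
        name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(name)
        return "ip-literal"
    except ValueError:
        return "named"

def summarize(log_text):
    """Count requests per Host class, and per client for non-named requests."""
    fields, classes, unnamed_clients = [], Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):   # the directive names the columns
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        kind = classify_host(row.get("cs-host", "-"))
        classes[kind] += 1
        if kind != "named":               # reached the default site, not a virtual web
            unnamed_clients[row.get("c-ip", "?")] += 1
    return classes, unnamed_clients

if __name__ == "__main__":
    classes, clients = summarize(SAMPLE_LOG)
    print(dict(classes))
    print(clients.most_common())
```

A steady count of named requests alongside a growing ip-literal and missing count is the pattern the message reports; the per-client counter shows which sources account for the log growth.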