Date:      Wed, 19 Sep 2001 11:09:06 +1000
From:      Rob Secombe <robseco@teksupport.net.au>
To:        freebsd-isp@FreeBSD.ORG
Subject:   Re: Code Red?!
Message-ID:  <3.0.5.32.20010919110906.0377d560@secombe>
In-Reply-To: <Pine.BSF.4.05.10109182048060.4221-100000@buffnet11.buffnet .net>
References:  <3.0.5.32.20010919104530.00795ca0@secombe>

Yeah you're right. I have just noticed a couple of the virtual webs have
been hit as well, but not nearly as often. So far it hasn't had any success
finding anything to execute. Commenced nail biting.

Rob.


At 20:48 18/09/01 -0400, Stephen Hovey wrote:
>No I have log junk on virtual hosts
>
>On Wed, 19 Sep 2001, Rob Secombe wrote:
>
>> Hi,
>> 
>> I am unfortunate enough to have one NT box :(
>> 
>> In case any of you are in a similar situation, this is what I have done.
>> 
>> These worms appear only to attack using the ip address of the server on
>> port 80 and not using a name, so at this stage they are not hitting the
>> virtual webs, only the default web which has virtual directories with
>> execute permissions set.  I have all my customers sites running as virtual
>> webs and have restricted the default server to just "localhost". The logs
>> are growing with the rejection messages but I have relocated them to
>> another drive where it won't hurt if it does fill up. Fingers crossed.
>> 
>> Cheers
>> 
>> Rob.
>> 
>> 
>> At 20:20 18/09/01 -0400, you wrote:
>> >On Tue, Sep 18, 2001 at 04:17:58PM -0500,
>> >Eric_Stanfield@kenokozie.com thus sprach:
>> >
>> >> I find it interesting that everyone I've talked to today has
>> >> logged the initial nimda attack within 30 seconds of the time you
>> >> listed below (after adjusting for timezones). 
>> >
>> >I've seen an acceleration of the attack this evening [EST].
>> >
>> >I've had log files just exploding in size.  They are growing at
>> >well over 500 lines per minute.  We have a small company doing
>> >specialized work and we have our own racks in a communications
>> >facility.  The servers have 100Mbit uplinks into the OC-192
>> >backbone so I'm not going to be limited by pipe width, which also
>> >means that I can't get faster too.
>> >
>> >I've just turned off all logging for web traffic as I didn't want
>> >to have the systems fall over for lack of drive space.
>> >
>> >Just a reminder here to check your log files to make sure something
>> >like this doesn't happen to you. 
>> >
>> >Just a file guess but here the nimda traffic is probably about 5
>> >times more than the highest CodeRed days.   I'm sure glad I have NO
>> >MS machines that I maintain but a client has two in our racks and I
>> >called them about 1030 this AM.  I wish them luck.
>> >
>> >
>> >-- 
>> >Bill Vermillion -   bv @ wjv . com
>> >
>> >To Unsubscribe: send mail to majordomo@FreeBSD.org
>> >with "unsubscribe freebsd-isp" in the body of the message
>> >
>> >
>> 
>> 
>
>
>
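
An added example, not part of the original thread: a Python check that counts access-log lines per minute and splits them by whether the request addressed the server by IP or by a site name, the two things the messages above are watching. The log format (Host header as the first field), the function names and the sample lines are assumptions made for illustration; the 500-lines-per-minute threshold is the figure quoted in the thread.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed log format (not from the thread): Host header, then common log fields,
# e.g. Apache: LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b"
LINE = re.compile(r'^(?P<host>\S+) \S+ \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"[^"]*" \d{3} \S+$')

def addressed_by_ip(host):
    """True when the Host header is absent ("-") or an IP literal, not a name."""
    if host == "-":
        return True
    name = host.rsplit(":", 1)[0] if host.count(":") == 1 else host  # drop :port
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def summarize(lines, threshold=500):
    """Return (minutes over threshold, overall totals, unparsable line count)."""
    per_minute = defaultdict(Counter)
    skipped = 0
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            skipped += 1          # keep going: a flood often truncates lines
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        kind = "by_ip" if addressed_by_ip(m["host"]) else "by_name"
        per_minute[ts.strftime("%Y-%m-%d %H:%M")][kind] += 1
    busy = {minute: dict(c) for minute, c in sorted(per_minute.items())
            if sum(c.values()) > threshold}
    totals = sum(per_minute.values(), Counter())
    return busy, dict(totals), skipped

def constructed_sample():
    """Constructed lines (not real traffic): one noisy minute, one quiet one."""
    fmt = ('{host} 198.51.100.{n} - - [19/Sep/2001:11:{mm:02d}:{ss:02d} +1000] '
           '"GET /constructed-probe HTTP/1.0" 404 0')
    noisy = [fmt.format(host="192.0.2.10" if i % 10 else "www.example.com",
                        n=i % 250 + 1, mm=5, ss=i % 60) for i in range(600)]
    quiet = [fmt.format(host="www.example.com", n=7, mm=6, ss=i) for i in range(3)]
    return noisy + quiet + ["garbled line"]

if __name__ == "__main__":
    print(summarize(constructed_sample()))
```

A high `by_ip` share matches the first observation in the thread (hits on the default site only); a growing `by_name` count matches the later reports of junk in the virtual hosts' logs.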

