> From what I read about the 'Code Red'-worm, it was supposed to be scanning
> for IIS-servers. It obviously isn't, I believe it tries to infect
> everything they find on port 80, or something as simple as that.

I suspect you're right. I've noticed exploit attempts on all web servers here, but only one of them is running IIS. The IDS has been monitoring a rapid increase in IIS-related attacks, which are presumably related to this worm. It started about 2-3 days ago, but the last 24 hours have been particularly intense. It's certainly not picky about what servers it will try and attack (though I can't see the exploits succeeding on the UNIX Apache servers ;) ).

> About three to four days ago, I started to get those default.ida-GET's in
> my Apache-logs. I shut down the server as fast as I could, and checked for
> outgoing connections from my computer, and then did some research.
> I was told that it was an IIS-worm, and that it couldn't affect
> Apache-servers, so I was safe. I turned the server back on, and from that
> day I have received forty-one attempts.

I've had a lot more than 41. Every attempt is logged and archived here.
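Added example (not part of the original post or thread): one way to tally the default.ida GETs discussed above from an Apache access log in Common Log Format, per source address with first and last time seen. The sample lines, addresses, shortened query strings and status codes are constructed, and the function names are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation addresses, shortened query strings).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jul/2001:09:12:01 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
198.51.100.7 - - [19/Jul/2001:09:14:40 -0700] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [19/Jul/2001:11:30:22 -0700] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 276
203.0.113.5 - - [19/Jul/2001:12:02:09 -0700] "GET /Default.IDA?NNNNNNNN HTTP/1.0" 404 276
this line is not a log entry
"""

def ida_probes(lines):
    """Return {source: {count, first, last, statuses}} for GETs of /default.ida."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "statuses": set()})
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] != "GET":
            continue  # skip malformed lines and other methods
        # Compare only the path, case-insensitively, ignoring the query string.
        if m["target"].split("?", 1)[0].lower() != "/default.ida":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        h = hits[m["host"]]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
        h["statuses"].add(int(m["status"]))
    return dict(hits)

def served_ok(hits):
    """Sources whose request got a 2xx response, which merits a closer look."""
    return sorted(s for s, h in hits.items() if any(200 <= c < 300 for c in h["statuses"]))

if __name__ == "__main__":
    report = ida_probes(SAMPLE_LOG.splitlines())
    for src, h in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(src, h["count"], h["first"].isoformat(), h["last"].isoformat(), sorted(h["statuses"]))
    print("2xx responses:", served_ok(report))
```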
This archive was generated by hypermail 2b30 : Thu Jul 19 2001 - 18:00:47 PDT