[ale] New Virus???
Transam@cavu.com
transam at cavu.com
Mon Aug 6 15:15:32 EDT 2001
> Ever since Wednesday (8/1) I've seen a tenfold increase in the number of
> connection attempts logged on my firewall. The interesting thing is
> almost all of these attempts are for port 80. Ordinarily, I get about
> 2-to-5 connection attempts per day and 99% are for ports 27374 or 111.
> But beginning Wednesday there has been a surge of attempts for port 80,
> coming in from all over the internet.
From /etc/services:
sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP
sunrpc 111/udp portmapper # RPC 4.0 portmapper UDP
Portmap (port 111) and DNS (named port 53) are two very popular ways
to break into Linux & Unix systems because so many people are running
unpatched software. Be sure that you are not running portmap and NFS
(port 2049) so as to be accessible from the Internet. Avoid running
DNS unless necessary. If necessary, ensure that it is not running as root.
asp 27374/tcp # Address Search Protocol
asp 27374/udp # Address Search Protocol
> Is there a new hole discovered in Apache?
None reported.
> Or is this the big "Code Red" hole in M$'s IIS servers?
Your logs indicate that this is an IIS attack.
My new candid interview is up on
http://www.linux.org
or
http://www.linux.org/people/toxen.html
Bob Toxen
transam at cavu.com [Bob's ALE Bulk email]
bob at cavu.com [Please use for email to me]
http://www.cavu.com
http://www.realworldlinuxsecurity.com/ [My book:"Real World Linux Security"]
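
Added example, not part of the original post: one way to check the advice above on a Linux host is to read the kernel's TCP socket table and report listeners for portmap (111), NFS (2049) and DNS (53) that are bound to a non-loopback address. The sample table, the function names and the little-endian (x86) address decoding are assumptions of this sketch; a non-loopback bind is only a prerequisite for Internet exposure, so the firewall still has to be checked separately.

```python
import socket
import struct

# Ports named in the post: portmap (111), NFS (2049), DNS (53).
WATCHED = {111: "portmap", 2049: "nfs", 53: "dns"}
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not taken from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000    25        0 1002 1
   2: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0100007F:0801 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1
   4: 0A00000A:0050 0B00000A:C350 01 00000000:00000000 00:00000000 00000000    33        0 1005 1
"""

def decode_addr(field):
    """'0100007F:0035' -> ('127.0.0.1', 53). Assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def exposed_listeners(table, listen_state=TCP_LISTEN):
    """Return (service, ip, port, uid) for watched ports listening off loopback."""
    # uid is the owner of the socket; a daemon that binds port 53 and then
    # drops privileges can still show 0 here, so confirm with the process list.
    findings = []
    for line in table.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 8 or cols[3] != listen_state:
            continue
        ip, port = decode_addr(cols[1])
        if port in WATCHED and not ip.startswith("127."):
            findings.append((WATCHED[port], ip, port, int(cols[7])))
    return findings

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f:  # live table on Linux
            table = f.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample
    for svc, ip, port, uid in exposed_listeners(table):
        print(f"{svc} listening on {ip}:{port} (socket uid {uid})")
```

The same parser works on /proc/net/udp if called with listen_state="07", the state the kernel reports for unconnected UDP sockets.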