Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Mark on June 25, 2003, 11:36:17 PM

Title: possible virus ?
Post by: Mark on June 25, 2003, 11:36:17 PM
I spotted the following in my http log:

GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Is evidence of nimda or code red? Something else? Where should I go for more information?
Title: Re: possible virus ?
Post by: Charlie Brady on June 26, 2003, 01:04:20 AM
Mark wrote:

>  Where should I go for more information?

The search button on this page. All dates. Or google.

Charlie
Title: Re: possible virus ?
Post by: RayG on June 26, 2003, 11:26:42 PM
I ended up blocking all web access from 24.x.x.x to keep my logs from filling up with this silliness. I thought my ISP would be interested in who had infected machines on their network, but they pretty much told me to mind my own business. Between this and one other virus/worm, I was getting an average of 30 log entries every minute. The 24.x.x.x block has knocked it down to about 5 virus-related entries per day.
Title: Re: possible virus ?
Post by: Dan Brown on June 26, 2003, 11:42:18 PM
Why on earth would you do that? Unless you're really tight for drive space, this doesn't hurt anything--but now you've killed web access to your server from a very large block of the internet.
Title: Re: possible virus ?
Post by: Guck Puppy on June 26, 2003, 11:53:20 PM
Personally, I installed snort and guardian. I still get the attacks (834 since May 11th) but they're blocked and the offending ip is blocked for 24 hours.

G
Title: Re: possible virus ?
Post by: Guck Puppy on June 26, 2003, 11:56:36 PM
Incidentally, I've only had 53 *unique* alerts.

I'd be interested to know the stats from other e-smith snort acid users...?

G
Title: Re: possible virus ?
Post by: Mark on June 27, 2003, 12:45:44 AM
Thanks for the replies. A search on the archive for "default.ida" was interesting. I got more matches today than before; I must have limited the search in some way.

I have been considering snort + guardian. Someone suggested placing empty files named appropriately as a remedy, such as "default.ida" and "cmd.exe".

I like the idea of replying a la grilli.net but seems like it would increase traffic needlessly.
Title: Re: possible virus ?
Post by: RayG on June 27, 2003, 11:12:53 PM
"Why on earth would you do that? Unless you're really tight for drive space, this doesn't hurt anything--but now you've killed web access to your server from a very large block of the internet."

I'm not tight for drive space but the huge logs make backups take a lot longer and require more external storage space.

I hated wading through all that nonsense to see the real info in the logs.

Also, as I understand the operation of the two viruses in question, they check active web servers for a whole slew of files. If they don't get a response from a probed address, they don't probe again for quite a while. If they do get a valid response from the first probe, they check for a half dozen other files, and then probe that IP again every hour. So while SME is immune to the attack from an infection point of view, the attacks still eat bandwidth. And on my connection that bandwidth consumption was pretty severe. Hundreds of separate hosts every day from 24.x.x.x IPs.

I'm aware that I've killed web access from a large piece of the net but I'm not that concerned about it. I don't have much to offer on my server. It's primarily for my personal use.

I suspect there is a way to inspect the packets in detail and drop the ones looking for particular files. But I haven't learned enough to do that yet.
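As an added example for this thread (not code from any of the posts above, nor from SME Server), the script below does in Python what Mark asked about at the top and what RayG describes wanting at the end: it reads Apache access-log lines, tags each request as a Code Red probe (the `/default.ida?` request with a long padding run followed by `%u`-encoded shellcode, as in Mark's log) or a Nimda probe (requests for `root.exe`, `cmd.exe` and the IIS traversal paths), then counts probes per family and per source address, including the share coming from a prefix such as 24.x.x.x so the cost of a /8 block can be judged. The log lines are constructed to resemble the posted probe and typical Nimda requests, the IP addresses are invented, and the 32-character minimum padding length is this example's own threshold, not a property of the worm.

```python
"""Spot Code Red and Nimda probes in an Apache access log.

Added example for this thread, not code from the original posts or from
SME Server. Log lines are constructed to resemble the probe Mark posted
plus typical Nimda requests; all IP addresses are invented.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# Code Red hits the IIS .ida ISAPI filter: a long run of padding bytes
# (N in the original Code Red, X in Code Red II) followed by %u-encoded
# shellcode. The 32-byte minimum is this example's own threshold (the real
# worm sends far more); it keeps the constructed sample lines short.
CODE_RED_RE = re.compile(r'^/default\.ida\?([NX]{32,})(?:%u[0-9a-fA-F]{4})+')

# Nimda looks for backdoors and IIS traversal paths; after decoding, the
# request names one of these. Checked case-insensitively.
NIMDA_MARKERS = ("root.exe", "cmd.exe", "/_vti_bin/", "/_mem_bin/", "/msadc/")


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, _size = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": path, "status": int(status)}


def classify_request(path: str) -> Optional[str]:
    """Return 'code-red', 'code-red-ii', 'nimda', or None for an ordinary request."""
    m = CODE_RED_RE.match(path)
    if m:
        return "code-red-ii" if m.group(1)[0].upper() == "X" else "code-red"
    # Decode twice so %255c (double-encoded backslash) collapses to '\';
    # %c0%af / %c1%1c become replacement characters, which is fine because
    # we only look for the target file names, not the traversal bytes.
    decoded = unquote(unquote(path)).lower()
    if any(marker in decoded for marker in NIMDA_MARKERS):
        return "nimda"
    return None


def summarize(log_text: str) -> dict:
    """Count worm probes per family and per source IP across a log."""
    by_worm: Counter = Counter()
    by_ip: Counter = Counter()
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        worm = classify_request(rec["path"])
        if worm is None:
            continue
        by_worm[worm] += 1
        by_ip[rec["ip"]] += 1
    return {
        "requests": total,
        "probes": sum(by_worm.values()),
        "by_worm": dict(by_worm),
        "by_ip": dict(by_ip),
        "unique_sources": len(by_ip),
    }


def share_from_prefix(report: dict, prefix: str) -> float:
    """Fraction of probes whose source starts with prefix, e.g. '24.' for 24.0.0.0/8."""
    if not report["probes"]:
        return 0.0
    hit = sum(n for ip, n in report["by_ip"].items() if ip.startswith(prefix))
    return hit / report["probes"]


def _entry(ip: str, path: str, status: int = 404) -> str:
    # Constructed combined-format line; the timestamp is fixed and arbitrary.
    return f'{ip} - - [25/Jun/2003:22:31:07 -0400] "GET {path} HTTP/1.0" {status} 284 "-" "-"'


_SHELLCODE = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
SAMPLE_LOG = "\n".join([
    _entry("24.12.34.56", "/default.ida?" + "X" * 60 + _SHELLCODE),              # Code Red II
    _entry("24.12.34.56", "/scripts/root.exe?/c+dir"),                            # Nimda backdoor check
    _entry("24.200.1.9", "/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir"),   # Nimda traversal
    _entry("66.45.10.2", "/default.ida?" + "N" * 60 + _SHELLCODE),               # original Code Red
    _entry("66.45.10.2", "/MSADC/root.exe?/c+dir"),                               # Nimda
    _entry("192.168.1.20", "/index.html", 200),                                   # ordinary request
    _entry("24.7.7.7", "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir"),      # Nimda, double-encoded
])

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report)
    print(f"share of probes from 24.0.0.0/8: {share_from_prefix(report, '24.'):.0%}")
```

Run against a real `access_log` by passing its contents to `summarize()`. The per-IP counts are what a guardian-style blocker would key on; the prefix share shows what a blanket 24.x.x.x rule actually buys versus what it cuts off, since the same report also lists the sources outside that range that would still get through.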