From: Jeff Jirsa (jjirsahmc.edu)
Date: Fri Mar 08 2002 - 00:03:03 CST


    > Hello,
    >
    > I've been going through docs and all signs
    > indicate that this is a system infected with code red.

    Heh, no.

    > [Fri Mar 8 00:00:50 2002] [error] [client
    > 195.218.232.26] File does not exist:
    > /usr/local/www/data/default.ida
    > [Fri Mar 8 00:06:47 2002] [error] [client
    > 217.128.238.66] File does not exist:
    > /usr/local/www/data/default.ida
    > [Fri Mar 8 00:09:46 2002] [error] [client
    > 24.61.208.188] File does not exist:
    > /usr/local/www/data/default.ida
    > [Fri Mar 8 00:17:40 2002] [error] [client
    > 61.132.208.81] File does not exist:
    > /usr/local/www/data/default.ida
    > [Fri Mar 8 00:26:55 2002] [notice] caught SIGTERM,
    > shutting down
    >
    > If so, does anybody know how to break this down?

    You're slightly misled. The default.ida scans are probably looking for a
    vulnerable IIS server, but apache certainly isn't vulnerable. It happens
    almost daily, to everyone (It's happened 73 times to me, since my logs were
    rotated last):

    # ~ : grep default.ida /usr/local/etc/apache/logs/httpd-access-log | wc -l
          73

    The message you're seeing is apache not finding the file default.ida (it
    would return 404 to the client). It's nothing to be worried about (annoyed,
    irritated, maybe, but not worried). I'm assuming the term signal was
    something unrelated, like a planned shutdown.

    - Jeff Jirsa
    jjirsahmc.edu
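
As an added example (not part of the original message): a Python script that does the triage described in the reply over an Apache error log, counting the `default.ida` "File does not exist" probes per client and setting aside every other entry, such as the SIGTERM notice, for separate review. The sample log lines are constructed in the format quoted above with documentation-range addresses, and `summarize_probes` and its parameters are names chosen for this example.

```python
import re
from collections import Counter

# Apache error log entry: [timestamp] [level] [client IP] message
# The [client ...] field is absent on server-level entries such as notices.
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
MISSING_FILE = "File does not exist: "

# Constructed sample lines (documentation-range addresses, not real scanners).
SAMPLE_LOG = """\
[Fri Mar  8 00:00:50 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/default.ida
[Fri Mar  8 00:06:47 2002] [error] [client 198.51.100.7] File does not exist: /usr/local/www/data/default.ida
[Fri Mar  8 00:09:46 2002] [error] [client 192.0.2.10] File does not exist: /usr/local/www/data/default.ida
[Fri Mar  8 00:12:01 2002] [error] [client 203.0.113.5] File does not exist: /usr/local/www/data/favicon.ico
[Fri Mar  8 00:26:55 2002] [notice] caught SIGTERM, shutting down
"""

def summarize_probes(log_text, probe_name="default.ida"):
    """Return (Counter of probe hits per client, list of all other entries)."""
    per_client = Counter()
    other = []
    for line in log_text.splitlines():
        m = ERROR_LINE.match(line)
        if not m:
            continue  # blank or unparseable line
        msg = m.group("msg")
        if msg.startswith(MISSING_FILE):
            path = msg[len(MISSING_FILE):]
            # Compare the final path component exactly, so a request for
            # e.g. "default.ida.bak" is not counted as the same probe.
            if path.rsplit("/", 1)[-1] == probe_name:
                per_client[m.group("client")] += 1
                continue
        other.append(line)  # not a probe: keep for manual review
    return per_client, other

if __name__ == "__main__":
    hits, rest = summarize_probes(SAMPLE_LOG)
    print(f"{sum(hits.values())} default.ida probes from {len(hits)} clients")
    for client, n in hits.most_common():
        print(f"  {client}: {n}")
    print("other entries to review:")
    for line in rest:
        print("  " + line)
```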
