[TCLUG] Lots of denied packets. Port 80

Thu Jul 19 16:54:19 CDT 2001

On Thursday 19 July 2001 04:51 pm, you wrote:
> On Thu, Jul 19, 2001 at 11:37:13PM +0200, Thomas Eibner wrote:
> > On Thu, Jul 19, 2001 at 05:28:52PM -0400, Dan Drake wrote:
> > > On Thu, Jul 19, 2001 at 11:23:27PM +0200, Thomas Eibner wrote:
> > > > On Thu, Jul 19, 2001 at 09:16:42PM +0000, kblack at isd.net wrote:
> > > > > Is anybody else running a firewall
> > > > > (and blocking port 80)
> > > > > noticing an unusual number of attacks today?
> > >
> > >   Hmmmm. I'm seeing a lot of weird requests for "default.ida" in my
> > > logs (I'm running a web server and not blocking port 80). The accesses
> > > look weird, too...from a bunch of different IPs. I also have "Malformed
> > > HTTP header" (or something like that) in my error log.
> >
> > 211.236.188.150 - - [19/Jul/2001:23:04:43 +0200] "GET
> > /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u68
> >58%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000
> >%u00=a  HTTP/1.0" 400 333 "-" "-" ip44-137.asiaonline.net - -
> > [19/Jul/2001:23:12:21 +0200] "GET
> > /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u68
> >58%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000
> >%u00=a  HTTP/1.0" 400 333 "-" "-" 212.113.168.95 - - [19/Jul/2001:23:32:21
> > +0200] "GET
> > /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> >NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u68
> >58%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000
> >%u00=a  HTTP/1.0" 400 333 "-" "-"
> >
> > Like these I take it?
>
> The same here from these guys...
>
> 213.26.234.70
> 209.223.50.51
> 207.101.212.130
> 212.163.165.26
> 65.3.198.239
> 198.145.154.193
> 211.62.36.37
> 211.172.225.63
> 202.123.80.2
> 150.164.98.130
> 24.184.153.172
> 133.66.35.7
> 62.49.221.130
> 210.160.177.165
> 12.76.115.253
> 149.169.25.4
> 193.183.19.90
> 66.46.75.98

I could add my own list.....
Just proves how vulnerable windoze is.
This is the last straw for me and my win server.
Now I begin the uphill trek of migrating everything web related off my last 
windoze box and onto my linux server.
(Newbie, been with linux for only a few short months)
-Kevin

>
> florin