Was I hacked?

MoFunk

Diamond Member
Dec 6, 2000
So I was just checking out the logs of my webserver and saw all this Link
Can someone explain to me what this means?
 

Bleep

Diamond Member
Oct 9, 1999
This is the signature of the Nimda.E variant.
Bleep
Edit: If I were you I would block the entire IP range for Chinanet: 61.138.0.0 - 61.138.63.255
 

n0cmonkey

Elite Member
Jun 10, 2001
That's still going around? MoFunk: Are you running IIS? How about up-to-date real-time antivirus? Firewall with no "open" or forwarded ports? Up to date on patches?
 

MoFunk

Diamond Member
Dec 6, 2000
Originally posted by: n0cmonkey
That's still going around? MoFunk: Are you running IIS? How about up-to-date real-time antivirus? Firewall with no "open" or forwarded ports? Up to date on patches?

Yes on IIS
Vscan checks for updates 3 times daily
Running a Smoothwall firewall with a couple of forwarded ports: 21 and 80 for FTP and WWW, and 5517 for SetiQueue. I also have 2 open for pcAnywhere pointing to another computer.
Windows update set to run and install every night.


 

stephbu

Senior member
Jan 1, 2004
From the logs they certainly tried the Nimda attacks - looks like your server responded with 500 Internal Server Errors; however, you should check just in case for Nimda symptoms and signs.

I get around 50-60 Nimda, WinMedia, and other overflow/canonicalization attempts per day - the URLScan IIS filter chucks them straight out. Set up a default error redirect that serves a Google ad to them - you might as well try to make some money off it ;)

All part of the fun of hosting on the web.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: MoFunk
Originally posted by: n0cmonkey
That's still going around? MoFunk: Are you running IIS? How about up-to-date real-time antivirus? Firewall with no "open" or forwarded ports? Up to date on patches?

Yes on IIS
Vscan checks for updates 3 times daily
Running a Smoothwall firewall with a couple of forwarded ports: 21 and 80 for FTP and WWW, and 5517 for SetiQueue. I also have 2 open for pcAnywhere pointing to another computer.
Windows update set to run and install every night.

404s, 403s, and 500s all around. You're good. For now *evil Yoda eyebrow thing*

Man, I hate Code Red and similar worm things.
 
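What stephbu's "check just in case for Nimda symptoms" and n0cmonkey's "404s, 403s, and 500s all around" amount to, as an added example that is not code posted by anyone in this thread: parse IIS W3C extended log lines, flag requests shaped like the Code Red and Nimda probes the thread is talking about, and report which source addresses sent them and, the part that matters, whether any probe got a 2xx answer instead of bouncing off with an error. The log lines are constructed (documentation-range client addresses, not MoFunk's real log), and the probe pattern list is an illustration rather than a complete signature set.

```python
"""Triage IIS W3C log lines for Code Red / Nimda style probes.

Added worked example for this thread; not code posted by anyone in it.
The log lines below are constructed, with documentation-range client
addresses; they are not the poster's real log.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log in IIS W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-01-05 03:12:41 198.51.100.23 GET /scripts/root.exe /c+dir 404
2004-01-05 03:12:42 198.51.100.23 GET /MSADC/root.exe /c+dir 404
2004-01-05 03:12:43 198.51.100.23 GET /c/winnt/system32/cmd.exe /c+dir 403
2004-01-05 03:12:44 198.51.100.23 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 500
2004-01-05 03:13:10 203.0.113.9 GET /default.ida XXXXXXXXXXXX 500
2004-01-05 08:45:00 192.0.2.77 GET /index.html - 200
2004-01-05 08:45:05 192.0.2.77 GET /images/logo.gif - 200
2004-01-05 09:02:17 203.0.113.9 GET /scripts/cmd.exe /c+dir 200
"""

# Request shapes these worms are known for: Code Red hit /default.ida, Nimda
# looked for root.exe / cmd.exe, often via ../ traversal and %25 double
# encoding. Illustrative list, not a complete signature set.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"/default\.ida", r"root\.exe", r"cmd\.exe", r"\.\./", r"\.\.%25")]


def parse_iis_log(text: str) -> list[dict]:
    """Parse W3C extended format: a #Fields: directive names the columns."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip lines that do not match the declared layout
        records.append(dict(zip(fields, parts)))
    return records


def is_probe(rec: dict) -> bool:
    """Does the request path or query look like one of the worm probes?"""
    target = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
    return any(p.search(target) for p in PROBE_PATTERNS)


def triage(records: list[dict]) -> dict:
    """Count probes per source and single out any the server answered 2xx."""
    probes_by_ip = Counter()
    status_by_ip = defaultdict(Counter)
    succeeded = []
    for rec in records:
        if not is_probe(rec):
            continue
        ip, status = rec["c-ip"], rec["sc-status"]
        probes_by_ip[ip] += 1
        status_by_ip[ip][status] += 1
        if status.startswith("2"):
            succeeded.append(rec)  # a probe that did not bounce: investigate
    return {
        "probes_by_ip": dict(probes_by_ip),
        "status_by_ip": {ip: dict(c) for ip, c in status_by_ip.items()},
        "succeeded": succeeded,
    }


if __name__ == "__main__":
    result = triage(parse_iis_log(SAMPLE_LOG))
    for ip, n in result["probes_by_ip"].items():
        print(f"{ip}: {n} probe(s), responses {result['status_by_ip'][ip]}")
    for rec in result["succeeded"]:
        print("LOOK INTO THIS: probe answered", rec["sc-status"], rec["cs-uri-stem"])
```

Port 80 is forwarded, so these requests reach IIS no matter what the firewall does; the log tells you the outcome. 404, 403 and 500 responses mean the probe found nothing to run, and counting them per source is just noise measurement. A 2xx answer to one of these paths is the single case worth treating as an incident, because it means the requested executable path was actually served, and that is the record the last loop prints.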

MoFunk

Diamond Member
Dec 6, 2000
Originally posted by: n0cmonkey
Originally posted by: MoFunk
Originally posted by: n0cmonkey
That's still going around? MoFunk: Are you running IIS? How about up-to-date real-time antivirus? Firewall with no "open" or forwarded ports? Up to date on patches?

Yes on IIS
Vscan checks for updates 3 times daily
Running a Smoothwall firewall with a couple of forwarded ports: 21 and 80 for FTP and WWW, and 5517 for SetiQueue. I also have 2 open for pcAnywhere pointing to another computer.
Windows update set to run and install every night.

404s, 403s, and 500s all around. You're good. For now *evil Yoda eyebrow thing*

Man, I hate Code Red and similar worm things.


OK, just so I have a handle on this... Was this a random act, or did someone actually "try" to break in? I have gathered that no one actually did get in. But I am going to assume that someone deliberately tried to gain access, since if it was a random ping, Smoothwall is supposed to drop that.

Actually I am not too worried about it. This is, however, the exact reason I am using Smoothwall instead of setting up IIS on a DSL router. I am able to have my LAN on a "green" network and my WS on an "orange" network. The nice thing about this is that you can get to orange all day long from green or the net, but you can't get to green from orange, so it protects my LAN. Granted that nothing is 100% safe ever, but this is pretty damn solid! I can see that having a web server up, even just one for light FTP and playing around, is going to be very educational! LOL
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: MoFunk
Originally posted by: n0cmonkey
Originally posted by: MoFunk
Originally posted by: n0cmonkey
That's still going around? MoFunk: Are you running IIS? How about up-to-date real-time antivirus? Firewall with no "open" or forwarded ports? Up to date on patches?

Yes on IIS
Vscan checks for updates 3 times daily
Running a Smoothwall firewall with a couple of forwarded ports: 21 and 80 for FTP and WWW, and 5517 for SetiQueue. I also have 2 open for pcAnywhere pointing to another computer.
Windows update set to run and install every night.

404s, 403s, and 500s all around. You're good. For now *evil Yoda eyebrow thing*

Man, I hate Code Red and similar worm things.


OK, just so I have a handle on this... Was this a random act, or did someone actually "try" to break in? I have gathered that no one actually did get in. But I am going to assume that someone deliberately tried to gain access, since if it was a random ping, Smoothwall is supposed to drop that.

Actually I am not too worried about it. This is, however, the exact reason I am using Smoothwall instead of setting up IIS on a DSL router. I am able to have my LAN on a "green" network and my WS on an "orange" network. The nice thing about this is that you can get to orange all day long from green or the net, but you can't get to green from orange, so it protects my LAN. Granted that nothing is 100% safe ever, but this is pretty damn solid! I can see that having a web server up, even just one for light FTP and playing around, is going to be very educational! LOL

Can't be 100% sure, but Code Red and Nimda and all similar worms are automated random attacks. Someone could have tried these on you manually, but that's pretty worthless most of the time. Chances are it was just a random automated attack.
 

MoFunk

Diamond Member
Dec 6, 2000
Originally posted by: Bleep
This is the signature of the Nimda.E variant.
Bleep
Edit: If I were you I would block the entire IP range for Chinanet: 61.138.0.0 - 61.138.63.255


Bleep - How would I figure out the range of this in CIDR format? I evidently need to use a CIDR number to block a huge range like that. I have googled a bit and, talk about over my head! :)
 

Bleep

Diamond Member
Oct 9, 1999
CIDR format?
I do not understand your term.
I use ZoneAlarm Pro and just block the IP address range; you look pretty safe to me. I use Apache so I really don't have to worry about these worms.

Bleep
 

cleverhandle

Diamond Member
Dec 17, 2001
Originally posted by: MoFunk
Originally posted by: Bleep
This is the signature of the Nimda.E variant.
Bleep
Edit: If I were you I would block the entire IP range for Chinanet: 61.138.0.0 - 61.138.63.255


Bleep - How would I figure out the range of this in CIDR format? I evidently need to use a CIDR number to block a huge range like that. I have googled a bit and, talk about over my head! :)
CIDR = Classless InterDomain Routing = netmasks that don't end on octet boundaries. That is, something more complicated than 255.0.0.0, 255.255.0.0 or 255.255.255.0.

Warning - I suck at explaining this:

The interesting octet is the third one, where you want to block 0-63. What does that octet look like in binary? Anything from 00000000 (decimal 0) to 00111111 (decimal 63). The last 6 bits don't matter, the first two do. Since the first octet (8 bits), the second octet (8 bits), and the first two bits of the third matter, you've got an 18 bit (= 8 + 8 + 2) netmask. In CIDR terms, that's a netmask of 255.255.192.0 (since those two bits represent 2^7 + 2^6). So block 61.138.0.0 netmask 255.255.192.0. In slash notation, that would be 61.138.0.0/18 (again, 18 bits of subnetting).
 
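The range-to-CIDR arithmetic cleverhandle walks through above, as an added worked example that is not code posted by anyone in this thread. It converts a first/last address pair into CIDR blocks by peeling off the largest aligned power-of-two block at each step (so it also handles ranges that do not collapse to a single block, which the thread's range happens to), derives the dotted netmask from the prefix length the same way the post does (8 + 8 + 2 bits set, 128 + 64 = 192), cross-checks the hand computation against Python's standard `ipaddress` module, and includes a membership test so you can confirm which addresses a block actually covers. The 61.138.x.x range is Bleep's; the 10.0.0.x range is constructed.

```python
"""Convert a first/last IPv4 range to CIDR blocks and back.

Added worked example for this thread; not code posted by anyone in it.
The 61.138.x.x range is the one suggested in the thread; the 10.0.0.x
addresses are constructed for illustration.
"""
import ipaddress


def ip_to_int(ip: str) -> int:
    """Dotted-quad string -> 32-bit integer, validating each octet."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_netmask(prefix: int) -> str:
    """Prefix length (the number after the slash) -> dotted netmask.

    /18 means the top 18 bits are set: 8 + 8 + 2, so the third octet is
    11000000 = 128 + 64 = 192, giving 255.255.192.0 as in the post above.
    """
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return int_to_ip(mask)


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Minimal list of CIDR blocks covering first..last inclusive.

    At each step take the largest power-of-two block that starts at the
    current address (it must be aligned: the low bits of the start are zero)
    and does not run past the end of the range.
    """
    lo, hi = ip_to_int(first), ip_to_int(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        size_bits = 0
        while (size_bits < 32
               and (lo & (1 << size_bits)) == 0
               and lo + (1 << (size_bits + 1)) - 1 <= hi):
            size_bits += 1
        blocks.append(f"{int_to_ip(lo)}/{32 - size_bits}")
        lo += 1 << size_bits
    return blocks


def in_block(cidr: str, ip: str) -> bool:
    """True if ip falls inside the CIDR block (compare the masked network bits)."""
    net, prefix = cidr.split("/")
    mask = ip_to_int(prefix_to_netmask(int(prefix)))
    return (ip_to_int(ip) & mask) == (ip_to_int(net) & mask)


def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check the hand-rolled conversion against the standard library."""
    expected = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]
    return range_to_cidrs(first, last) == expected


if __name__ == "__main__":
    # The range from the thread: one aligned block, so a single /18.
    print(range_to_cidrs("61.138.0.0", "61.138.63.255"))  # ['61.138.0.0/18']
    print(prefix_to_netmask(18))                           # 255.255.192.0
    # A range that is not aligned needs several blocks (constructed example).
    print(range_to_cidrs("10.0.0.0", "10.0.0.5"))          # ['10.0.0.0/30', '10.0.0.4/31']
    # Membership check: the block does not cover addresses outside 61.138.0-63.x.
    print(in_block("61.138.0.0/18", "61.138.63.255"))      # True
    print(in_block("61.138.0.0/18", "61.138.64.0"))        # False
```

The inner loop is the whole trick: a block of 2^k addresses can only start at an address whose low k bits are zero, so the code grows k while the start stays aligned and the block still fits. For 61.138.0.0 the low 16 bits are zero and the range is exactly 2^14 addresses long, so k stops at 14 and the prefix is 32 - 14 = 18. The membership check is what you run before committing a firewall rule, to be sure the block covers what you meant and nothing more.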

HKSturboKID

Golden Member
Oct 20, 2000
I am a little confused on this one. If the IP is 67.112.218.167, why would you block 61.138.0.0 netmask 255.255.192.0? Am I missing something here?
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: HKSturboKID
I am a little confused on this one. If the IP is 67.112.218.167, why would you block 61.138.0.0 netmask 255.255.192.0? Am I missing something here?

Block China out of principle. (along with Korea and Brazil)
 

mattbta

Senior member
Dec 15, 2001
brotherson.com
n0c - what ranges should I block to weed out china, korea and brazil?

MoFunk - here's a link to my 404 errors: http://brotherson.com/awstats/awstats.pl?output=errors404 Again, this is just when the server responded 404. I've got plenty of 500s too... but Nimda and Code Red, etc. are all sheerly random, unless you've been infected before by those. Then your IP is on a list on another infected machine and it tries to reinfect your box. Not a whole lot to worry about as long as you're patched and have active AV/firewall, which you mention you do. Just keep patched 100% all the time.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: mattbta
n0c - what ranges should I block to weed out china, korea and brazil?

Don't know off hand. I just know a lot of bad stuff comes out of those countries.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: PorBleemo
Why would you want to block IP addresses from entire foreign countries? :confused:

1. I have no business with those countries. I'd personally block them from making connections, as opposed to responding to requests. Companies that do no business with those countries, and CAN do no business with those countries should consider blocking them.
2. Look at your overabundant security logs. Other than the usual automated crap still floating around (PATCH YOUR FREAKING MACHINES, PEOPLE!), you might just see a lot of traffic from the countries mentioned. China, Korea, and Brazil are notorious for being the source of a great number of attacks.
 

stephbu

Senior member
Jan 1, 2004
Blocking ranges is probably overkill - I get more attack traffic from Comcast and Verizon subnets than overseas.

PATCH YOUR FREAKING MACHINES, PEOPLE!

No kidding - having a machine without a software or hardware firewall is just plain reckless - even low-usage dial-up users should worry.