
Attacks on Firewall

Status
Not open for further replies.

KenReilly (IS-IT--Management), Jun 4, 2003
New to this Forum, hope you can help!! On my Firewall logs on a frequent basis I am getting the following message as a destination: The IP address is just a web server on a DMZ, but can anyone tell me the significance of the "default.ida" file?
I'd appreciate any help!!
Ken
 
Ken,

default.ida is a file that is typically used in Nimda and Codered infections. My suggestion would be to look into the source IP address that is requesting this, and pray that it is not coming from your internal network.

More information can be found at securityresponse.symantec.com, and if you are indeed infected with a virus on your internal network, I suggest you treat this as a critical issue.

Hope this helps,

-Marc
 
Hi Ken,

The ida file (Internet Data Administration) is usually associated directly with Microsoft's IIS - web server.
Kinda like an admin script. The default.ida is the basic version that runs it.

In a nutshell, someone/somewhere is banging on your network door hoping to find IIS running (unpatched/unprotected). As Marc pointed out, you really don't want this coming from your internal network. If it is, one of your users' PCs (or as you stated an internal web server) may have been compromised, and is in a zombie twist, and/or attempting to get out of your network to do someone else's dirty work.

To see those ida requests in your log is pretty normal. You may even notice *.idq files too. However, usually they are hitting it from the outside.

Good Luck Ken.
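Both replies make the same point: the request for default.ida (or any *.ida/*.idq resource) is the worm's probe, and what matters is whether the source address is outside the perimeter or inside it. The following is an added example, not code from the thread or from Tek-Tips, that does that triage over a small constructed firewall log: it flags .ida/.idq requests and splits the sources into RFC 1918 (internal) and everything else. The log format and all addresses are assumptions made up for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log (not from the original thread). Each line:
# date time src_ip dst_ip method path
SAMPLE_LOG = """\
2003-06-04 09:12:01 203.0.113.7 192.0.2.10 GET /default.ida?XXXXXXXXXXXXXXXX
2003-06-04 09:12:05 10.0.0.23 192.0.2.10 GET /default.ida?NNNNNNNNNNNNNNNNNN
2003-06-04 09:13:10 198.51.100.4 192.0.2.10 GET /index.html
2003-06-04 09:15:00 203.0.113.9 192.0.2.10 GET /query.idq?foo
2003-06-04 09:16:30 10.0.0.23 192.0.2.10 POST /login.asp
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+)$")

# Any request for a .ida or .idq resource, with or without a query string.
IDA_RE = re.compile(r"/[^/?]+\.id[aq](?:\?|$)", re.IGNORECASE)

# RFC 1918 ranges spelled out explicitly; ipaddress.is_private would also
# count the documentation ranges used in the sample data as "private".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, method, path = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "method": method, "path": path}


def is_ida_probe(path):
    """True if the requested path targets a .ida/.idq resource."""
    return IDA_RE.search(path) is not None


def is_internal(ip):
    """True if ip falls in an RFC 1918 range; malformed input is treated as external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text):
    """Collect .ida/.idq hits and count them per source, internal vs external."""
    hits = []
    internal = Counter()
    external = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_ida_probe(rec["path"]):
            continue
        rec["internal_source"] = is_internal(rec["src"])
        hits.append(rec)
        bucket = internal if rec["internal_source"] else external
        bucket[rec["src"]] += 1
    return {"hits": hits, "internal_sources": internal, "external_sources": external}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rec in result["hits"]:
        where = "INTERNAL" if rec["internal_source"] else "external"
        print(f'{rec["ts"]} {rec["src"]:>14} -> {rec["dst"]} {rec["path"]} [{where}]')
    # Internal sources are the ones worth treating as a critical incident.
    print("internal sources:", dict(result["internal_sources"]))
    print("external sources:", dict(result["external_sources"]))
```

Any address in `internal_sources` is a host behind the firewall making worm-style requests, which is the case the replies above tell you to worry about; external sources are the normal background noise the second reply describes.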


 