Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Wondering what this could be?

Status
Not open for further replies.
brettr1234

brettr1234

Technical User
Jun 2, 2002
42
CA
hey i was checking out the error log and i saw a whole bunch of this kind o fthing

[Thu Jun 6 01:44:51 2002] [error] [client 65.27.109.205] File does not exist: /var/[Thu Jun 6 01:44:56 2002] [error] [client 65.27.109.205] File does not exist: /var/[Thu Jun 6 01:44:56 2002] [error] [client 65.27.109.205] File does not exist: /var/[Thu Jun 6 01:44:59 2002] [error] [client 65.27.109.205] File does not exist: /var/[Thu Jun 6 01:44:59 2002] [error] [client 65.27.109.205] File does not exist: /var/[Thu Jun 6 05:56:23 2002] [error] [client 12.228.105.117] File does not exist: /var/ accept/default.ida
[Thu Jun 6 05:56:23 2002] [error] [client 12.228.105.117] File does not exist: /var/ accept/var/[Thu Jun 6 07:49:21 2002] [error] [client 210.100.178.4] File does not exist: /var/

Could it be a hack attempt or what?

Thanks
Brett
 
Sort by date Sort by votes
That's some IIS box that is infected with a worm, probably CodeRed or Nimda. The worm is trying to infect your server, too. Luckily, you are running Apache, so you don't have to worry about things like CodeRed or Nimda.

What I do is monthly extract messages of that kind from the server logs, extract the IP addresses of the offending server, and report the problem to the owner of the network from which the infection attempt came.
 
Upvote 0 Downvote
Thanks dude, now i am just wondering how i can contact the net admin hehe
 
Upvote 0 Downvote
The only hope you have is pointing a whois client to whois.arin.net, and putting in the IP address as the query.

For example, when I asked ARIN about the IP address of it returned the following:

MDM iNet, LLC (NET-USNET-2001-03) USNET-2001-03 212.45.0.0 - 212.45.127.255
Tecumseh Group (NETBLK-MDMI-212-45-19-32) MDMI-212-45-19-32
212.45.19.32 - 212.45.19.47:


This tells me that the IP address is controlled by the Tecumseh Group (line 3), and their ISP is MDM iNet, LLC (line 1).

If I query ARIN again using "!NETBLK-MDMI-212-45-19-32" as the query, it will return:

Tecumseh Group (NETBLK-MDMI-212-45-19-32)


Netname: MDMI-212-45-19-32
Netblock: 212.45.19.32 - 212.45.19.47

Coordinator:
Murphy, David (DM2233-ARIN) xxx@tecumsehgroup.com

Record last updated on 30-Mar-2002.
Database last updated on 5-Jun-2002 20:01:24 EDT.


If the offending contacts had come from Tek-Tips' IP address, I'd now know who to contact.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

kristiandg
  • Locked
  • Question
Linux, "port mirror" between two boxes...
Replies
0
Views
126
kristiandg
kristiandg
w5000
  • Locked
  • Question
mounting a filesystem multiple times - what sense?
Replies
7
Views
345
ChrisHirst
ChrisHirst
bazil2
  • Locked
  • Question
Does a tape library need to be 'mounted' after connecting it to fibre card?
Replies
1
Views
71
bazil2
bazil2
samiramiss
  • Locked
  • Question
Unfamiliar behavior of "setdscp" in IPFW
Replies
0
Views
81
samiramiss
samiramiss
bazil2
  • Locked
  • Question
Read line from file after marker and ignore characters before - can this be done? 1
Replies
2
Views
61
bazil2
bazil2

Part and Inventory Search

Sponsor

Back
Top