Successful probes of my server
Michael E. Webster
mwebster at intercosmos.com
Fri Aug 13 22:02:33 UTC 2004
According to a thread at http://www.webmasterworld.com/forum39/2173.htm
its the IIS WebDAV exploit:
http://edgeos.com/threats/details.php?id=11413
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
I normally run portsentry. It catches alot of scans coming across the
net.
Mike.
On Fri, 2004-08-13 at 18:00, Michael Mansour wrote:
> Hi,
>
> I'm using Logwatch 5.2.2 and in email today it emailed
> me the following:
>
> --------------------- httpd Begin
> ------------------------
>
> A total of 4 sites probed the server
> 203.218.141.123
> 203.206.246.90
> 203.218.200.154
>
> !!!! 3 possible successful probes
> /css/phpmyadmin.css.php?js_frame=left&num_dbs=0 HTTP
> Response 200
>
> /css/phpmyadmin.css.php?lang=en-iso-8859-1&js_frame=right
> HTTP Response 200
>
> /css/phpmyadmin.css.php?lang=en-iso-8859-1&js_frame=left&num_dbs=0
> HTTP Response 200
>
> ---------------------- httpd End
> -------------------------
>
> What does this mean exactly?
>
> In my /var/log/httpd/access.log I see the following
> for 203.218.141.123:
>
> 203.218.141.123 - - [13/Aug/2004:21:43:40 +1000]
> "SEARCH
> /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
> 2\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
>
> which goes on for a couple of pages. I think the above
> is from a virus on their systems, but the probing
> stuff concerns me.
>
> I'm running phpMyAdmin 2.5.7-pl1, the latest stable.
>
> Thanks.
>
> Michael.
>
> Michael.
>
> Find local movie times and trailers on Yahoo! Movies.
> http://au.movies.yahoo.com
>
More information about the fedora-list
mailing list