[Snort-users] Is someone hacking?
mkettler at ...4108...
Wed Jan 2 08:34:10 EST 2002
What you saw is typically what happens when Code Red and similar derived
worms attempt to infect a webserver. Some manual "hack in" scripts use
these techniques as well. I typically see these at a rate of about 2 a week
against a webserver (which is not vulnerable), sometimes more, sometimes less.
So it is clear an attempt was made to infect your server, but that does not
mean it was successful.

If your webserver is Microsoft IIS based and has not had IIS patches
applied for quite a while (8 months or so), you've likely been hit by Code
Red or some other worm. The directory traversal holes used by this worm are
quite old, so if you patched IIS recently you should be fine. Be aware that
Windows Update does not patch IIS; those updates must be manually
downloaded from Microsoft's website, or received on CD via TechNet
(downloads are my recommendation, CDs take too long to arrive).

If your server is up-to-date, or non-Windows based, you're likely fine. If
you are not sure, look up info on the worm at your favorite anti-virus or
security website (Norton, McAfee, securityportal.com, etc.) and check.

Even if you aren't infected, you should probably check for updates to your
server's OS and webserver, if for no other reason than peace of mind. And
check back regularly for future updates. After all, there's a reason they
say security is a process not just a product.

At 11:44 AM 1/2/2002 +0100, you wrote:
>I get a lot of alerts like this: WEB-IIS cmd.exe access and like this
>WEB-IIS CodeRed v2 root.exe access. How will I know if the server has been
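
One way to separate an attempt from a success, the distinction the reply draws: look up the status code the web server returned for each cmd.exe/root.exe request in its own access log. This is an added example, not part of the original post; the log lines are constructed, and the IIS W3C extended log format and the status-to-verdict mapping are assumptions of the example.

```python
import re

# Constructed sample in IIS W3C extended log format (not from the original post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-01-02 10:41:07 192.0.2.10 GET /scripts/root.exe /c+dir 404
2002-01-02 10:41:09 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir 404
2002-01-02 10:43:30 198.51.100.7 GET /default.htm - 200
2002-01-02 10:44:12 203.0.113.5 GET /scripts/root.exe /c+dir 200
2002-01-02 10:44:15 203.0.113.5 GET /MSADC/Root.exe /c+dir 502
"""

# File names the two Snort alerts in the question refer to.
PROBE = re.compile(r"(?:^|[/\\])(cmd|root)\.exe$", re.IGNORECASE)


def verdict_for(code):
    """Assumed mapping: 2xx was served, 4xx was refused, the rest needs a look."""
    if 200 <= code <= 299:
        return "served"      # the server answered the request: investigate host
    if 400 <= code <= 499:
        return "rejected"    # file not found or access denied: attempt only
    return "review"


def triage(log_text):
    """Return (client_ip, uri_stem, status, verdict) for each probe request."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout may change mid-file
            continue
        values = line.split()
        if line.startswith("#") or not fields or len(values) != len(fields):
            continue                    # directives, blank or malformed rows
        row = dict(zip(fields, values))
        stem, status = row.get("cs-uri-stem", ""), row.get("sc-status", "")
        if PROBE.search(stem):
            code = int(status) if status.isdigit() else 0
            findings.append((row.get("c-ip", "-"), stem, code, verdict_for(code)))
    return findings


if __name__ == "__main__":
    for ip, stem, code, verdict in triage(SAMPLE_LOG):
        print(f"{ip:15} {code} {verdict:9} {stem}")
```

Any row marked "served" or "review" is a reason to inspect the host itself (patch level, unexpected files in the web directories) rather than rely on the alert alone.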