@home Attack


jasontc
08-05-2001, 10:10 PM
I set up my Apache web server three days ago. I have yet to place anything of purpose on the server, just wanted to see if I could get it up and running.

Today I notice I am unable to ftp on my Win box to my linux server (intranet behind a Linksys router/firewall). I made sure ftp was working fine, then noticed the LED lights on both the router and the cable modem were blinking non stop.

I checked the logs from the router and noticed all kinds of requests coming in on port 80 (HTTP). Then I checked the access log from Apache and all the requests are coming from other @home users.

Has anybody else noticed this? Does anybody know why within three days 1 to 5 requests per minute on a server that barely exists?

I have since disabled the forwarding of port 80 to the linux box until I figure out what the heck is going on....

Please let me know if anybody has any suggestions. Thanks

SCuSI
08-05-2001, 10:13 PM
Code Red perhaps?

bdl
08-05-2001, 10:15 PM
Please check out this post (http://www.linuxnewbie.org/cgi-bin/ubbcgi/ultimatebb.cgi?ubb=get_topic&f=21&t=002224) for a little more insight. I'd say it's code red; I don't even run Apache and I've got hundreds of DENY's logged to port 80.

jasontc
08-05-2001, 10:18 PM
On a side note from my earlier post, does anybody know where to find a list of what each port does?

I am kind of interested to know what some of the requests coming in mean (eg. Port 111, Port 27374, etc.).

Thanks

cypunk06
08-05-2001, 10:23 PM
I may be wrong, but I don't think it's the Code Red virus; doesn't that attack MS servers?

bdl
08-05-2001, 10:30 PM
An easy place to start is just take a look at your /etc/services file, scan for the port number mentioned and you can most likely find an appropriate service tied to the port they are trying to access. Also, do a search on google.com (http://www.google.com) for something like 'port 111' and you should see a nice return of links with appropriate information on that port address. Sometimes legitimate ports can masquerade as trojan ports, e.g. a trojan is installed on your machine, and you do a 'netstat -autv' to check for open and listening ports, only to find all the normal things you would expect to see on a UNIX box. In reality though, the trojan is listening on let's say port 113, which would normally be for identd. You think nothing of it, because it doesn't scream "Hey I'm trying to connect to 20 other machines for a DoS attack!!".

A lot of times, though, it's just some script kiddie scanning a wide range of IP addresses to see if there are certain services available, like '25' SMTP. Then they try to exploit that open port, hoping it's running an outdated version of Sendmail or something else with a known exploit. That's why it's always important to know which services are supposed to be running, which versions you are running, and disable the things you don't need. There are literally hundreds of good resources on the internet about this, including the security NHF's right here (http://www.linuxnewbie.org/nhf/intel/security/index.html). Luck!

From what I understand, Code Red just scans for an open port 80; you don't have to be running MS IIS to be scanned.



[ 05 August 2001: Message edited by: bdl ]

SCuSI
08-05-2001, 10:35 PM
Well check out the headline article on msnbc.
Towards the end of the article a security expert (?) suggests that the only cure is formatting the hard drive and reinstalling.
BTW, cypunk, it INFECTS Microsoft servers but AFFECTS everyone with increased traffic requesting access to port 80.

http://www.msnbc.com/news/606910.asp

posterboy
08-06-2001, 06:35 AM
Yup, I keep monthly stats on my site, and after "analog" ran this morning at 4:00 AM I show nearly 300 404s being issued by Apache. That's only 5 days into the month. There's also a "new" one that sends XXXX instead of NNNNN to overrun the buffer. It's surprising who has been infected; lots of these are companies, big ones, who should have people who know better. www.raymondjones.net/stats.html (http://www.raymondjones.net/stats.html)
Ray
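As an added example (not from any of the posters above), here is a small Python script that does what the thread describes by hand: it reads Apache access-log lines, picks out the Code Red style probes that show up as 404s, and counts them per source address and per filler variant (the NNNN original and the newer XXXX one). The log lines are constructed, and the probe shape (a GET for /default.ida followed by a long run of a single filler character) is an assumption stated in the comments rather than something the thread spells out.

```python
import re
from collections import Counter

# Constructed Apache "combined" log lines for the demo (not real traffic).
# Assumed probe shape: GET /default.ida?NNNN... or XXXX..., answered 404 by
# an Apache server that has no such file.
SAMPLE_LOG = """\
24.0.0.1 - - [05/Aug/2001:21:58:12 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 286 "-" "-"
24.0.0.2 - - [05/Aug/2001:21:59:40 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 286 "-" "-"
10.0.0.5 - - [05/Aug/2001:22:01:03 -0700] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
24.0.0.1 - - [05/Aug/2001:22:03:17 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 286 "-" "-"
garbage line that does not parse
"""

# client IP, identd, user, [timestamp], "METHOD path proto", status, bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A probe is /default.ida with a query made of one repeated filler character;
# the "fill" group records which variant (N or X) was seen.
PROBE_RE = re.compile(r'^/default\.ida\?(?P<fill>N|X)(?P=fill){15,}', re.IGNORECASE)


def classify(path):
    """Return 'N' or 'X' for a Code Red style probe path, else None."""
    m = PROBE_RE.match(path)
    return m.group('fill').upper() if m else None


def summarize(log_text):
    """Count probes per source IP and per filler variant; skip unparsable lines."""
    by_ip, by_variant = Counter(), Counter()
    parsed = unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1  # keep going; one bad line should not stop a report
            continue
        parsed += 1
        variant = classify(m.group('path'))
        if variant:
            by_ip[m.group('ip')] += 1
            by_variant[variant] += 1
    return {'parsed': parsed, 'unparsed': unparsed,
            'by_ip': by_ip, 'by_variant': by_variant}
```

Run `summarize(open('/var/log/apache/access_log').read())` against a real log to get the per-host counts; hosts that repeat are infected machines still scanning, which is what the LED activity in the first post was.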