johngnova
...considering my webserver is on another port?
It's a good day NOT to be running IIS, isn't it?
Jul 19 13:49:11 myhost kernel: Packet log: input DENY eth0 PROTO=6 216.227.20.65:54678 123.123.123.123:80 L=48 S=0x00 I=7305 F=0x4000 T=113 SYN (#22)
Jul 19 13:49:17 myhost kernel: Packet log: input DENY eth0 PROTO=6 216.227.20.65:54678 123.123.123.123:80 L=48 S=0x00 I=7585 F=0x4000 T=113 SYN (#22)
Jul 19 13:55:42 myhost kernel: Packet log: input DENY eth0 PROTO=6 24.48.105.64:1145 123.123.123.123:80 L=48 S=0x00 I=56895 F=0x4000 T=116 SYN (#22)
Jul 19 13:55:45 myhost kernel: Packet log: input DENY eth0 PROTO=6 24.48.105.64:1145 123.123.123.123:80 L=48 S=0x00 I=57004 F=0x4000 T=116 SYN (#22)
Jul 19 13:55:51 myhost kernel: Packet log: input DENY eth0 PROTO=6 24.48.105.64:1145 123.123.123.123:80 L=48 S=0x00 I=57279 F=0x4000 T=116 SYN (#22)
Jul 19 14:31:59 myhost kernel: Packet log: input DENY eth0 PROTO=6 213.77.64.223:3757 123.123.123.123:80 L=48 S=0x00 I=43080 F=0x4000 T=109 SYN (#22)
Jul 19 14:32:02 myhost kernel: Packet log: input DENY eth0 PROTO=6 213.77.64.223:3757 123.123.123.123:80 L=48 S=0x00 I=43192 F=0x4000 T=109 SYN (#22)
Jul 19 14:32:08 myhost kernel: Packet log: input DENY eth0 PROTO=6 213.77.64.223:3757 123.123.123.123:80 L=48 S=0x00 I=43428 F=0x4000 T=109 SYN (#22)
Jul 19 14:35:43 myhost kernel: Packet log: input DENY eth0 PROTO=6 202.205.160.23:1574 123.123.123.123:80 L=48 S=0x00 I=11607 F=0x4000 T=110 SYN (#22)
Jul 19 14:35:45 myhost kernel: Packet log: input DENY eth0 PROTO=6 202.205.160.23:1574 123.123.123.123:80 L=48 S=0x00 I=11710 F=0x4000 T=110 SYN (#22)
soumitra
Probably because he doesn't have one. There's an IIS worm going around that probes random IPs to try to find new hosts to infect. Several hundred thousand IIS machines have been infected. All sorts of fun effects from this probing are being reported, including DSL routers that crash when probed, HP JetDirect cards that hang, etc.
dachs
How quickly people forget the Ramen worm and its cousins, which affected thousands of Red Hat boxes.
paydayloan
Yep,
27 attempts on my measly apache server in the backwoods of the internet. I had a laugh, and then I started thinking about my usage limits. Then I got mad. Also a laugh on a different topic: I got stuck on a network segment with a bunch of Winboxen. My firewall logs are overflowing with port 137 probes. Grrrr...
arly2380
1. This worm is of an order of magnitude (or 2) bigger than the ramen exploit.
2. There are so many patches for IIS, it is no wonder even the more clueful Win admins can't keep up.
3. Case in point: even Windows Update was hit. So even MS can't keep their boxen patched. AFAIK Red Hat avoided being hit by the ramen worm.
So all in all I think you're comparing apples and oranges again.
sorrsuki
And, as has been pointed out, there are many more Windows web servers on the internet.
This is bullshit, since windowsupdate will tell you what security updates need to be applied.
I'm not so sure about that. I've not seen any verifiable proof of windowsupdate being hit. One person claimed that they thought it was hit, but their web cache had been compromised by the worm instead and made it appear that way.
None of the major services have carried the news, and attrition.org doesn't seem to have been updated at all since May, which was the only reliable source of such claims. The Register is not a reliable source, since they print anything someone says without verifying facts.
Wasn't Red Hat's site also a victim of the ramen worm?
ElAleph
I see a lot of that too. Welcome to the world of the future!
bluelou
That's not how you can tell if it's the worm. The worm uses a connection string which is quite long and filled with N's.
Then your ISP is being stupid by allowing netbios over the wire.
soumitra
Oh, I didn't forget. It's just that the IIS thing seems to be much worse for a couple of reasons:
1. A _much_ higher rate of successful infection than Ramen. At least one and possibly two orders of magnitude more infections reported.
2. The probing that the worm does seemed to be causing all kinds of secondary problems. That wasn't the case with Ramen.
Keep those patches current!
Meta-Memestream
Well I did a 'grep default.ida /var/log/apache/access.log | wc -l' and it came out with 27. Since 'default.ida' is the signature string for this worm, I think my 27 hits are genuine hack attempts. I wonder how many of those Win2K servers on my cable segment were compromised.
Well thank $DEITY! My ISP has a sensible policy: you can run servers as long as you don't cause any inconvenience to the other users on your segment. I don't cause any inconvenience, since I use my webserver primarily to communicate with my friends. I post info on our D&D campaign I just started on the web, and my friends just love the idea. They can bookmark the site, and come to our Saturday night sessions fully prepared. (For those that like D&D, you're welcome to take a look, but don't expect much as I am concentrating on getting the info out at the expense of nice looks at the moment).
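Added example, not code from this thread or any of its posters: a small Python script that does two things the thread describes by hand. It parses ipchains-style "Packet log:" lines like the ones johngnova posted and counts denied SYNs to port 80 per source (collapsing the retransmits that show up as repeated lines from the same source port), and it does the equivalent of Meta-Memestream's grep over Apache access-log lines, additionally flagging requests whose query carries the long run of N's that bluelou mentions and reporting what status Apache answered with. The log samples below are constructed for the example: the kernel lines copy the format from the thread, the Apache lines and the 192.0.2.x / 198.51.100.x addresses are made up, and the 32-N query string is a stand-in for the real request, not a copy of it.

```python
"""Summarise worm probes seen in firewall and web-server logs (added example)."""
import re
from collections import Counter

# Address fields of an ipchains "Packet log:" line, in the format quoted in the thread.
IPCHAINS_RE = re.compile(
    r"Packet log: input (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)

# Apache common/combined log format up to the status code.
APACHE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: four lines in the thread's format plus one made-up UDP/137 line.
KERNEL_LOG = """\
Jul 19 13:49:11 myhost kernel: Packet log: input DENY eth0 PROTO=6 216.227.20.65:54678 123.123.123.123:80 L=48 S=0x00 I=7305 F=0x4000 T=113 SYN (#22)
Jul 19 13:49:17 myhost kernel: Packet log: input DENY eth0 PROTO=6 216.227.20.65:54678 123.123.123.123:80 L=48 S=0x00 I=7585 F=0x4000 T=113 SYN (#22)
Jul 19 13:55:42 myhost kernel: Packet log: input DENY eth0 PROTO=6 24.48.105.64:1145 123.123.123.123:80 L=48 S=0x00 I=56895 F=0x4000 T=116 SYN (#22)
Jul 19 13:55:45 myhost kernel: Packet log: input DENY eth0 PROTO=6 24.48.105.64:1145 123.123.123.123:80 L=48 S=0x00 I=57004 F=0x4000 T=116 SYN (#22)
Jul 19 14:05:10 myhost kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.77:137 123.123.123.123:137 L=78 S=0x00 I=4100 F=0x0000 T=128 (#23)
"""

# Constructed sample access log; the N-run is a stand-in, not the worm's real request.
N_RUN = "N" * 32
ACCESS_LOG = "\n".join([
    f'216.227.20.65 - - [19/Jul/2001:13:49:30 +0000] "GET /default.ida?{N_RUN} HTTP/1.0" 404 276 "-" "-"',
    f'24.48.105.64 - - [19/Jul/2001:13:56:01 +0000] "GET /default.ida?{N_RUN} HTTP/1.0" 404 276 "-" "-"',
    '198.51.100.9 - - [19/Jul/2001:14:10:44 +0000] "GET /default.ida HTTP/1.0" 404 276 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [19/Jul/2001:14:11:02 +0000] "GET /dnd/campaign.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"',
])


def _denied_syns(log_text, dst_port):
    """Yield match objects for DENY'd TCP SYNs to dst_port."""
    for line in log_text.splitlines():
        m = IPCHAINS_RE.search(line)
        if not m:
            continue
        if m["action"] != "DENY" or m["proto"] != "6" or int(m["dport"]) != dst_port:
            continue
        if "SYN" in m["rest"]:
            yield m


def denied_syns_by_source(log_text, dst_port=80):
    """Raw count of denied SYNs per source address (retransmits included)."""
    return dict(Counter(m["src"] for m in _denied_syns(log_text, dst_port)))


def distinct_probe_attempts(log_text, dst_port=80):
    """One attempt per (source address, source port): the sender's SYN retransmits
    reuse the same source port, so this is the number of distinct connection attempts."""
    return len({(m["src"], m["sport"]) for m in _denied_syns(log_text, dst_port)})


def default_ida_hits(access_log_text, min_n_run=20):
    """Equivalent of `grep default.ida access.log | wc -l`, plus how many of those
    requests carry a long run of N's, how many distinct clients sent them, and the
    status codes returned (a 404 from Apache means nothing was served)."""
    n_run = re.compile(r"N{%d,}" % min_n_run)
    total = with_n_run = 0
    clients, statuses = set(), Counter()
    for line in access_log_text.splitlines():
        m = APACHE_RE.match(line)
        if not m or "default.ida" not in m["target"]:
            continue
        total += 1
        clients.add(m["client"])
        statuses[m["status"]] += 1
        if n_run.search(m["target"]):
            with_n_run += 1
    return {"hits": total, "with_n_run": with_n_run,
            "clients": len(clients), "statuses": dict(statuses)}


if __name__ == "__main__":
    print("denied SYNs to :80 per source:", denied_syns_by_source(KERNEL_LOG))
    print("distinct probe attempts:", distinct_probe_attempts(KERNEL_LOG))
    print("default.ida summary:", default_ida_hits(ACCESS_LOG))
```

On the thread's own firewall excerpt the per-source counts overstate the picture: each remote host appears two or three times because it retransmits its SYN after the first one is dropped, so the distinct (source, source port) count is the better number for "how many hosts probed me". On the Apache side, the status column is the useful sanity check: Apache answering 404 to /default.ida is the server not having the ISAPI extension the worm targets, so the hits are evidence of scanning, not of compromise.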
sorrsuki
79.84% of all statistics are made up on the spot. The other 42% are made up later on. In Warwick - looking at flat fields and that includes the castle.