From owner-freebsd-isp Tue Sep 18 17:48:37 2001
Delivered-To: freebsd-isp@freebsd.org
Received: from buffnet4.buffnet.net (buffnet4.buffnet.net [205.246.19.13])
    by hub.freebsd.org (Postfix) with ESMTP id 4B06337B410
    for ; Tue, 18 Sep 2001 17:48:33 -0700 (PDT)
Received: from buffnet11.buffnet.net (buffnet11.buffnet.net [205.246.19.55])
    by buffnet4.buffnet.net (8.9.3/8.8.7) with ESMTP id UAA27627;
    Tue, 18 Sep 2001 20:53:59 -0400 (EDT)
    (envelope-from shovey@buffnet.net)
Date: Tue, 18 Sep 2001 20:48:15 -0400 (EDT)
From: Stephen Hovey
To: Rob Secombe
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Code Red?!
In-Reply-To: <3.0.5.32.20010919104530.00795ca0@secombe>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

No I have log junk on virtual hosts

On Wed, 19 Sep 2001, Rob Secombe wrote:

> Hi,
>
> I am unfortunate enough to have one NT box :(
>
> In case any of you are in a similar situation this is what I have done.
>
> These worms appear only to attack using the IP address of the server on
> port 80 and not using a name, so at this stage they are not hitting the
> virtual webs, only the default web which has virtual directories with
> execute permissions set. I have all my customers' sites running as virtual
> webs and have restricted the default server to just "localhost". The logs
> are growing with the rejection messages but I have relocated them to
> another drive where it won't hurt if it does fill up. Fingers crossed.
>
> Cheers
>
> Rob.
>
>
> At 20:20 18/09/01 -0400, you wrote:
> >On Tue, Sep 18, 2001 at 04:17:58PM -0500,
> >Eric_Stanfield@kenokozie.com thus sprach:
> >
> >> I find it interesting that everyone I've talked to today has
> >> logged the initial nimda attack within 30 seconds of the time you
> >> listed below (after adjusting for timezones).
> >
> >I've seen an acceleration of the attack this evening [EST].
> >
> >I've had log files just exploding in size. They are growing at
> >well over 500 lines per minute. We have a small company doing
> >specialized work and we have our own racks in a communications
> >facility. The servers have 100Mbit uplinks into the OC-192
> >backbone so I'm not going to be limited by pipe width, which also
> >means that I can't get faster too.
> >
> >I've just turned off all logging for web traffic as I didn't want
> >to have the systems fall over for lack of drive space.
> >
> >Just a reminder here to check your log files to make sure something
> >like this doesn't happen to you.
> >
> >Just a file guess but here the nimda traffic is probably about 5
> >times more than the highest CodeRed days. I'm sure glad I have NO
> >MS machines that I maintain but a client has two in our racks and I
> >called them about 1030 this AM. I wish them luck.
> >
> >
> >--
> >Bill Vermillion - bv @ wjv . com
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-isp" in the body of the message
> >
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message