Re: [cobalt-users] Extensive Hack Attack - Was C drive hack



> > Hello list, I did this:
> >
> > cat /var/log/httpd/access | grep cmd.exe | wc -l
> >
> > and I got over 5000 hits for it already since log rotation at
> > 4:30am...  it is now almost 3:00pm...  I did a tail -f and all I can
> > see is this thing..  We got more than 200 hits in less than 15 minutes
> > and it's only gonna get worse..  :(
> >
> In my area it was (is) very bad. This morning that command reported just
> short of 15,000 hits on cmd.exe
>
> --sig
>
> Paul Alcock
> Get an account at http://www.ourfaqsite.com
> and keep your FAQs up to date.

It's getting worse...
I changed the following from:

cat /var/log/httpd/access | grep cmd.exe | wc -l

to:

cat /var/log/httpd/access | grep '\.exe' | wc -l

That upped the number of hits greatly since some of the attempts access
other .exe files than just the cmd.exe...
I figure since I am on a Linux box there shouldn't be requests for ANY .exe
files at all..  This worm is nuts, but can routers be configured to drop
the packets before they make it into the web servers down at my NOC???  And
if so, how would I do that..  I would prefer to know how just in case the
NOC guys don't...

-Jamie-
http://w-c.net
WebConnection.Net, Inc.
In a mad world, only the mad are sane...
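A log-scanning example added to this archive entry, not code from Jamie's or Paul's posts: it counts .exe requests in an Apache access log with the dot escaped (so a path like /exec-summary.html is not counted) and groups the hits by source address, so the noisiest sources can be reviewed for a router or firewall deny list. The log lines and IP addresses are constructed.

```shell
#!/bin/sh
# Constructed sample in Apache common log format (not from the original thread).
SAMPLE_LOG="${TMPDIR:-/tmp}/access.sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [18/Sep/2001:14:02:11 -0400] "GET /scripts/root.exe HTTP/1.0" 404 210
203.0.113.5 - - [18/Sep/2001:14:02:12 -0400] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 210
198.51.100.7 - - [18/Sep/2001:14:03:01 -0400] "GET /index.html HTTP/1.0" 200 1234
198.51.100.7 - - [18/Sep/2001:14:03:05 -0400] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 210
192.0.2.9 - - [18/Sep/2001:14:04:20 -0400] "GET /exec-summary.html HTTP/1.0" 200 987
EOF

# Number of requests for any .exe file. The dot is escaped: an unescaped
# 'grep .exe' also matches "/exec-summary.html" and over-counts.
count_exe_hits() {
    grep -c '\.exe' "$1"
}

# .exe requests per source address, most active first (count, then IP).
top_exe_sources() {
    grep '\.exe' "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Sources with at least $2 .exe requests, one IP per line: input for a
# hand-reviewed deny list, not something to feed a router unread.
sources_over_threshold() {
    top_exe_sources "$1" | awk -v n="$2" '$1 >= n {print $2}'
}

echo "exe requests: $(count_exe_hits "$SAMPLE_LOG")"
top_exe_sources "$SAMPLE_LOG"
```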