Re: Interesting Apache logs
From: those who know me have no need of my name (not-a-real-address@usa.net) Date: 03/25/02
- Next message: Alan J. Flavell: "Re: Interesting Apache logs"
- Previous message: Barry Margolin: "Re: Interesting Apache logs"
- In reply to: Alan J. Flavell: "Re: Interesting Apache logs"
- Next in thread: Brian A Crawford: "Re: Interesting Apache logs"
- Reply: Brian A Crawford: "Re: Interesting Apache logs"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: those who know me have no need of my name <not-a-real-address@usa.net> Date: Mon, 25 Mar 2002 22:04:46 -0000
<Pine.LNX.4.40.0203252217440.6865-100000@lxplus034.cern.ch> divulged:
>On Mar 25, Barry Margolin inscribed on the eternal scroll:
>> I suspect most of the infected machines are not operated by
>> professional administrators, but are simply home machines. They're
>> more likely ignorant than lazy.
there are an unfortunately large number of "web site admins" who still
have no idea what services are installed when win2k server is installed,
nor that it contains a huge security hole. and they let them sit there,
running and unpatched while they "do some stuff" (which usually means
installing coldfusion or whatever the hell), and by the time they notice
the load going through the roof it's too damn late and you have to get
them to start over. (to the whiney tune of "isn't there a removal
tool?!?!?!".)
>Indeed. However, all of them are connected somehow to the Internet,
>by some provider who's supposed to know what they're doing, and who
>could - and should - be preventing their users from abusing the 'net.
most isp's, as is common for most living creatures, don't want to
spend money on anything they can find a way to avoid. sure the rules
that you can add to your cisco can stop code red and nimda (and their
ilk, along with most overflow attempts) cold, but it takes just a bit of
the processing power of the platform that could otherwise be used to
provide service to one more paying customer instead.
>(My home campus for example is monitoring traffic for evidence of
>code-red and similar probes, and is known to have blocked the IP of
>several infected stations pending resolution of the problem.)
this is a boring solution, in that it blocks potential viewers using the
infected machine from visiting you or your customers' web sites. rate
throttling packets that match the signatures to 0 b/s is much better;
good traffic still comes through, bad traffic is history.
-- bringing you boring signatures for 17 years
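The contrast the poster draws above (blocking an infected host's IP versus dropping only the packets that match a worm signature) can be made concrete against the kind of Apache log this thread is about. The script below is an added example, not code from the thread or from any of its posters: it parses combined-format access log lines, tags each request with a worm name when the request path matches one of the well-known Code Red (`/default.ida?...`) or Nimda (`root.exe`, `cmd.exe`, `..%255c` traversal) probe signatures, and then applies both policies to the same records so the difference is visible. The log lines are constructed for the example; the signature list is my own assumption about what those worms sent, not something the thread states.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in Apache combined format (not from the original thread).
# 192.0.2.10 is an infected host that also has a real person browsing from it;
# 198.51.100.7 sends only Nimda probes; 203.0.113.42 is a clean visitor.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Mar/2002:21:58:01 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 324 "-" "-"
192.0.2.10 - - [25/Mar/2002:21:58:09 +0000] "GET /index.html HTTP/1.0" 200 1504 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
198.51.100.7 - - [25/Mar/2002:22:01:14 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"
198.51.100.7 - - [25/Mar/2002:22:01:14 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
198.51.100.7 - - [25/Mar/2002:22:01:15 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
198.51.100.7 - - [25/Mar/2002:22:01:15 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 313 "-" "-"
203.0.113.42 - - [25/Mar/2002:22:03:30 +0000] "GET /about/ HTTP/1.1" 200 2211 "http://example.invalid/" "Mozilla/5.0"
203.0.113.42 - - [25/Mar/2002:22:03:31 +0000] "GET /style.css HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

# Apache combined log: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Request-path signatures. Assumption (well-known worm behaviour, not taken from
# the thread): Code Red hits /default.ida with a long query carrying %u-encoded
# shellcode; Nimda probes root.exe / cmd.exe, often behind an overlong-UTF-8 or
# double-encoded "..\" traversal.
SIGNATURES = [
    ("code-red", re.compile(r"^/default\.ida\?", re.I)),
    ("nimda", re.compile(r"(root\.exe|cmd\.exe)", re.I)),
    ("nimda", re.compile(r"%255c|%c0%af|%c1%1c", re.I)),
]


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path):
    """Name of the worm whose probe signature the request path matches, else None."""
    for name, rx in SIGNATURES:
        if rx.search(path):
            return name
    return None


def scan(log_text):
    """Parse every line and tag each record with its worm classification."""
    records = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # blank or non-matching line; skip rather than guess
        rec["worm"] = classify(rec["path"])
        records.append(rec)
    return records


def per_ip_summary(records):
    """Per source IP: how many requests were worm probes, how many were ordinary."""
    summary = defaultdict(Counter)
    for r in records:
        summary[r["ip"]][r["worm"] or "legit"] += 1
    return {ip: dict(c) for ip, c in summary.items()}


def block_by_ip(records):
    """Campus-style policy: drop every request from any IP that ever sent a probe."""
    bad = {r["ip"] for r in records if r["worm"]}
    return [r for r in records if r["ip"] not in bad]


def drop_by_signature(records):
    """Poster's policy: drop only the requests that match a signature; the rest pass."""
    return [r for r in records if not r["worm"]]


if __name__ == "__main__":
    recs = scan(SAMPLE_LOG)
    for ip, counts in per_ip_summary(recs).items():
        print(ip, counts)
    print("kept by ip-block:", [r["path"] for r in block_by_ip(recs)])
    print("kept by signature:", [r["path"] for r in drop_by_signature(recs)])
```

Run as is, the IP-block policy keeps only the two requests from the clean visitor, while the signature policy also keeps `/index.html` from the infected host, which is exactly the "good traffic still comes through" case the poster argues for. The trade-off a practitioner should keep in mind is that signature matching costs a pattern test on every request (the processing-power objection raised about the Cisco rules), whereas an IP block is a single lookup.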