#1
weird things in my apache logs
i have over 2000 entries that look like this
Quote:
all the requests are for cmd.exe or root.exe

a little diggin around and it looks as if it is that nimda p.o.s. tryin to get into my machine
http://www.cert.org/advisories/CA-2001-26.html

the IP that is listed is one within my provider's ip range (4.46.___.___)

so, being that im running apache on redhat 8.0 im pretty sure that im not vulnerable to this bugger but 2000 entries makes me a bit nervous as im really new to running a server or workin w/ *nix at all.............

so my question is:
should I-
-tell my isp about the IP's that are listed here that are tryin to get into my machine (although there's over 2000 entries, it looks as if the requests are coming from just a handful of machines)
-block the ips somehow (hosts.deny??? i dunno here plz help me out.)
-or just ignore it cuz nimda is a windoze bug and im not vulnerable (i think)

thanks for the help
-jc
#2
You're not vulnerable, I would ignore them.
You could block them at your firewall with ipchains, but that's more trouble than it's worth, as these requests don't do any harm other than the minute resources needed to return a 404. Reporting them to your ISP will most likely get you nowhere either. I'd just ignore them and curse windows.
#3
thanks for the reply man...
good to know that there's no need to worry about them..
-jc
#4
The more you watch your log files the more you will see more windows exploits that have been tried against your linux box. Morons with infected computers and script kiddies will continue to try and exploit web servers, but pretty much all the exploits are a MS problem so you just don't have to worry.
#5
Don't worry about it man. I had my one site up for 24 hours when, amused by the log, I decided to parse it and counted:
16 nimda attempts
42 (I kid not: FORTY TWO) attempts on formmail.pl
2 code red probes
1 googlebot (that was quick)
2 valid hits
A handful of 404s that I never managed to discern what the idiots were trying to do.

I don't use formmail.pl ... so I didn't have a thing to worry about. Apache log files usually look much worse than they really are thanks to Windoze

Disclaimer: it's been a while since I did that... so some numbers may not be accurate, but I'm pretty sure they're right.
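Added example, not written by any poster in this thread: a tally like the one described in post #5, extended with a per-source count, since the original poster noted the requests came from a handful of machines. The log lines and IPs are constructed, and the `default.ida` signature for Code Red is an assumption not stated in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in Apache Common Log Format (documentation-range IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Nov/2002:10:01:07 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276
192.0.2.10 - - [12/Nov/2002:10:01:08 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
192.0.2.44 - - [12/Nov/2002:10:05:30 -0500] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 270
198.51.100.7 - - [12/Nov/2002:10:09:12 -0500] "POST /cgi-bin/formmail.pl HTTP/1.0" 404 281
198.51.100.7 - - [12/Nov/2002:10:09:13 -0500] "GET /cgi-bin/FormMail.cgi HTTP/1.0" 200 512
203.0.113.5 - - [12/Nov/2002:10:12:00 -0500] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [12/Nov/2002:10:12:02 -0500] "GET /missing.gif HTTP/1.1" 404 268
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+')
# Path signatures; cmd.exe/root.exe and formmail come from the thread, default.ida is assumed.
SIGNATURES = [
    ("nimda", re.compile(r"/(cmd|root)\.exe", re.I)),
    ("code_red", re.compile(r"/default\.ida", re.I)),
    ("formmail", re.compile(r"/formmail\.(pl|cgi)", re.I)),
]

def classify(path, status):
    """Label a request by the first matching probe signature, else by status."""
    for name, pattern in SIGNATURES:
        if pattern.search(path):
            return name
    return "other_404" if status == 404 else "other"

def summarize(log_text):
    """Return (counts per label, probe counts per source IP, probes that got a non-error reply)."""
    counts, sources, served = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            counts["unparsed"] += 1  # malformed line, count it rather than crash
            continue
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        label = classify(path, status)
        counts[label] += 1
        if not label.startswith("other"):
            sources[ip] += 1
            if status < 400:  # the server answered with content: worth a look
                served.append((ip, path, status))
    return counts, sources, served

if __name__ == "__main__":
    counts, sources, served = summarize(SAMPLE_LOG)
    print(dict(counts), dict(sources), served, sep="\n")
```

A probe answered with a status below 400, like the constructed FormMail.cgi hit, is the one case worth checking, because it means the requested file exists on the server.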
#6
Just be careful you're not running formmail.pl or formmail.cgi as those are the most common ones we tend to get and they are apparently vulnerable to spammers.
Trev
#7
It's a stupid Matt Wright script that allows nasty people to send 'anon' emails off your server. You can use it, just make sure you have the patched code, not the old, broken code.
Were you warning me, or him, BTW? Just curious, because I already said I don't use it.
#8
Trouble with all these mailing scripts seems to be that they expose the e-mail address just ready for spam bots to pick up. Ended up rolling my own form script which holds it internally - seems to reduce the spam as well already...
Quote:
Partly the original poster and partly just anyone who hadn't heard about it - don't think many hosting companies would be too impressed if a spam run ran from a formmail.pl script.
Trev
--
http://www.aardvarksport.net/
Viewing: Dev Shed Forums > Other > Beginner Programming > weird things in my apache logs