[PLUG] Good grief, Charlie Brown (massive worm assault)
Sandy Herring
sandy at herring.org
Sun May 25 20:57:01 UTC 2003
On Sun, 25 May 2003, Steven A. Adams wrote:
> On Sun, 2003-05-25 at 15:29, Sandy Herring wrote:
> > Any other webmasters logging traffic like this? Any idea what flavor of worm
> > is at work? This guy consistently got redir'd since his browser reports
> > neither referer nor agent...
> >
>
> It's probably a nessus scan ( www.nessus.org ). Everything in the logs
> that you included looks like it's focused at Windoze and nessus is built
> to scan for these vulnerabilities and much more. If your machine isn't
> an IIS box I wouldn't worry - unless this sort of stuff continues.
>
> Steve

Steve,

Thanks for the nessus pointer. I wasn't aware of this tool (looks
interesting). However, the scan didn't come from the LAN side of my
firewall, it came from Taiwan - which leads me to believe that either:

(1) the originating host was infected with a worm, or
(2) if it was nessus at work, they had misconfigured it, since (quoting the
nessus FAQ)...

1.5.5. What kind of a hole must I punch in my firewall to let nessus do its
job?

To be honest: If you put any kind of firewall on the nessus server or
between the nessus server and the host you are trying to test you will get
a distorted result. You will not be able to rely on the results from your
scan.

Putting a firewall on the nessus server to secure the nessus server is an
incorrect approach. (Or at least an incomplete approach.) Harden the
server instead.

If you have a firewall between the host you are about to test and the
nessus server then you will get a result that is not similar to that of
testing the host directly. This may be the desired result. If you want to
be 100% sure you have hardened your host you should not rely on a firewall
in front of it.

cheers,
Sandy
--
Sandy Herring, RHCE o sandy at herring.org
Peck of Pickled Pisces __ o http://herring.org/
UNIX or Web authoring questions? |\/ o\ o http://herring.org/finger.html
->http://herring.org/techie.html |/\__/ http://herring.org/pub-key.asc