[thechat] Server Attacks

Andrew Forsberg andrew at thepander.co.nz
Tue Oct 30 00:36:28 CST 2001

Hi All

I was hoping one of the server-engineer types out there could help me 
out. This isn't strictly web-dev related, more slightly amusing / 
annoying, so I thought the chat might be a better forum.

I have a testing box setup locally -- it's only accessible externally 
via a dynamic IP, which is fine for what I'm using it for. The thing 
is, I've had over 80 unique IPs (all from a certain Korean 
university: they will remain nameless:) attempt the exact same IIS 
attack on it within an 8 hour working day.

For one, the box is serving up 401s to absolutely everything -- so 
what's the point?; two, the addresses are not advertised -- is this 
likely to be an IIS worm scanning IP ranges?; and three, it's a linux 
box for god's sake -- why keep banging on with IIS hacks? This last 
point, if not the previous ones, indicates that it must be a server 
worm or some brain-dead student who's sure he / she is onto something.

Anyhow, uselessness of the attack aside: I've never seen anything 
like it in the logs of sites hosted by my ISP. Is their some fancy 
way to filter out this sort of thing? It really is simply annoying 
and bandwidth/processor-cycle wasting, not a danger at all. Still, 
I'm intrigued.

Any ideas?


Andrew Forsberg
uberNET - http://uber.net.nz/
the pander - http://thepander.co.nz/

More information about the thechat mailing list