[Zope] Responding to hackers

Passin, Tom tpassin@mitretek.org
Fri, 25 Oct 2002 11:01:05 -0400


[Dylan Reinhardt]
>
> I'm sure we've all seen our servers get scanned repeatedly for
> vulnerabilities in other systems.  A quick check through the error logs
> shows some obvious examples of this, including requests for:
>
> /_vti_bin
> /scripts
> /MSADC
> /MSOFFICE
>
> Etc, etc.
>
> Almost inevitably, these requests come in bursts, typically from the
> same IP.
>
> All of these calls are currently getting the customary 404, but I wonder
> if there's anything more intelligent or proactive to be done.  I've
> thought about building myself a hosts-deny kind of solution using
> external methods, but I'm not sure that's necessarily going to save me
> very many cycles in the long run.
>

Trouble is, the same infected computer does not usually return to your
server all that often, and there are a lot of infected computers out
there.  I do not think it is normally much of a problem.  You get a
little burst, then later another little burst.  Not that much traffic,
at least as things stand now.  No worse than serving a page with half
a dozen images in it, which lots of people do.

Of course, a new worm could change the picture tomorrow...

Cheers,

Tom p
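
One way to check the point debated above against your own logs, as an added example that is not part of either poster's message: it groups 404s on the probe paths named in the thread into per-IP bursts and counts how many requests a deny rule added after an address's first burst would actually have blocked. The Common Log Format, the 5-minute burst gap, the function names and the sample lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Path prefixes named in the thread; matched case-insensitively (assumption).
PROBE_PREFIXES = tuple(p.lower() for p in ("/_vti_bin", "/scripts", "/MSADC", "/MSOFFICE"))
BURST_GAP = timedelta(minutes=5)  # assumption: a longer silence starts a new burst
# Common Log Format: host ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Oct/2002:10:00:01 -0400] "GET /_vti_bin/ HTTP/1.0" 404 272
192.0.2.10 - - [25/Oct/2002:10:00:02 -0400] "GET /scripts/ HTTP/1.0" 404 272
192.0.2.10 - - [25/Oct/2002:10:00:03 -0400] "GET /MSADC/ HTTP/1.0" 404 272
198.51.100.7 - - [25/Oct/2002:11:30:00 -0400] "GET /scripts/ HTTP/1.0" 404 272
198.51.100.7 - - [25/Oct/2002:11:30:01 -0400] "GET /msoffice/ HTTP/1.0" 404 272
203.0.113.5 - - [25/Oct/2002:12:00:00 -0400] "GET /index_html HTTP/1.0" 200 5120
203.0.113.5 - - [25/Oct/2002:12:00:05 -0400] "GET /old_page HTTP/1.0" 404 272
198.51.100.7 - - [25/Oct/2002:15:02:10 -0400] "GET /_vti_bin/ HTTP/1.0" 404 272
198.51.100.7 - - [25/Oct/2002:15:02:11 -0400] "GET /MSADC/ HTTP/1.0" 404 272
"""

def probe_bursts(log_text, gap=BURST_GAP):
    """Return {ip: [[timestamps in one burst], ...]} for 404s on probe paths."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ts, path, status = m.groups()
        if status == "404" and path.lower().startswith(PROBE_PREFIXES):
            hits[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    bursts = {}
    for ip, times in hits.items():
        times.sort()
        groups = [[times[0]]]
        for t in times[1:]:
            if t - groups[-1][-1] > gap:
                groups.append([])  # silence exceeded the gap: new burst
            groups[-1].append(t)
        bursts[ip] = groups
    return bursts

def deny_list_savings(bursts):
    """(blocked, total): probes a deny rule set after each IP's first burst stops."""
    total = sum(len(b) for g in bursts.values() for b in g)
    blocked = sum(len(b) for g in bursts.values() for b in g[1:])
    return blocked, total
```

On the constructed sample only one address returns, so the deny rule would have stopped 2 of 7 probe requests; run `deny_list_savings(probe_bursts(open(path).read()))` on a real log to see which way your own traffic leans.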