Who is running exploits on my server?

My system has been crashing lately. I think 3 times this week I found it unresponsive or completely locked when coming back from work or trying to log in in the morning. I figured it was my RSS reader crashing and taking down half of the system with it. But then I looked through my apache logs, and now I’m not that sure anymore.

I’d say that maybe 20% of the hits I got were my own, or one of the 2-3 people who actually know about that server. I’m not running a website there or anything that I would want to advertise. I have a small wiki that my friends and I used for some project at one point, and not much else. Mostly I keep sshd running so that I can access the machine when I’m not home. Thus, I do not expect to see much traffic on that server…

So I was slightly worried when I saw all these hits. Most of them were the usual IIS exploits, and several of those long ass Code Red buffer overflow attempts. I also saw people trying to “double dot” back to my root directory. As far as I know I should be mostly immune to this crap. But you never know – I’m running windows on that box after all.
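A small triage script for the kind of access-log noise described above (Code Red probes against IIS, and “double dot” traversal attempts), added here as an example and not code from the original post. The log lines, IP addresses and signature patterns are constructed for illustration, not taken from the author's server; the own-address filter stands in for the roughly 20% of hits that were legitimate.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache "common" log format (not from the post).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2006:08:01:10 -0500] "GET /wiki/index.php HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2006:08:02:33 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 290
203.0.113.7 - - [12/Mar/2006:08:02:35 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
198.51.100.9 - - [12/Mar/2006:08:05:01 -0500] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 290
10.0.0.5 - - [12/Mar/2006:08:06:12 -0500] "GET /wiki/index.php?title=Project HTTP/1.1" 200 7044
198.51.100.9 - - [12/Mar/2006:08:07:44 -0500] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 290
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Signatures for the noise the post describes: Code Red, generic IIS probes, directory traversal.
SIGNATURES = {
    "code_red": re.compile(r"/default\.ida\?", re.I),
    "iis_probe": re.compile(r"cmd\.exe|/scripts/|_vti_bin|msadc", re.I),
    "traversal": re.compile(r"(^|/)\.\.(/|\\|$)"),
}

def classify(path):
    """Return the signature names matching a request path (raw or decoded form)."""
    decoded = unquote(unquote(path))  # decode twice to catch %255c-style double encoding
    return [name for name, rx in SIGNATURES.items() if rx.search(path) or rx.search(decoded)]

def triage(log_text, own_ips=()):
    """Count hits per foreign IP and list (ip, path, tags) for requests matching a signature."""
    hits, suspicious = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        ip, path = m.group("ip"), m.group("path")
        if ip in own_ips:
            continue  # our own traffic is not what we are hunting for
        hits[ip] += 1
        tags = classify(path)
        if tags:
            suspicious.append((ip, path, tags))
    return hits, suspicious

if __name__ == "__main__":
    hits, suspicious = triage(SAMPLE_LOG, own_ips={"10.0.0.5"})
    for ip, count in hits.most_common():
        print(f"{ip}: {count} hits")
    for ip, path, tags in suspicious:
        print(f"  {ip} {','.join(tags)} {path}")
```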

The sshd crashed twice last week according to the event viewer. Of course that might mean nothing as I’m running it under cygwin and it is not a very stable solution anyway. For the same reason though, it might be exploitable…

So to be safe I just shut down both the apache and sshd daemons. I’m closing both of the ports, and removing port forwarding on my router. I need this machine to stay alive so I can do some work. I might need to bring over another box and set up a linux server on it for my casual use.

Sigh… Sometimes the internet pisses me off…

This entry was posted in sysadmin notes.
