This is another example of what I think ought to be in this echo.
If it is not I'll gladly post it elsewhere..
OK, so I have Apache up an running for test purposes against an available Port 80 system. It's up for test on my temporarily chosen hardware box for my fixed
address how-to-do-all-this learning.
But gee. Courtesy of WN32/Nimda.A, one of the ports I've had to consider dumping is Port 80. On this cable broadband system, I'm now being dosed with an more or less minimum of a Port 80 hammer probe every single minute of the day!
During the research on the successful NETBIOS over TCP/IP that we still do not really know was that or pure NETBIOS and just Port 137/138 shifted to Port 139 and Nimda.A dumping tons of files on me, I also took a look at Port 80 scans, as well as Port 25, 26, and a bunch of others.
I set up IJFIRE to drop these probe packets and log them so I could analyze the
whambo profile. In my case, a minimum of about 130 discrete systems octet addresses are whamming me a day. During new variant assaults, this number rises to about 4000 hits per day from over 250 different systems per my research here. My research indicates also that approximately 95% of the current attack profile is coming from my own IP providers WAN, from different cities on it all over the USA and these are allegedly Port 80 probes. Interesting.
I can take rather large samples of the octets from the logs and look back to them with HOST. They will be reported back as not resolvable to a name. To me that suggests that these might be spoofed addresses. Some of them do come back
as nameable .. to the various city-nets for this IP, which is the COX system, BTW. As earlier noted, a few come from outside COX. In both cases of the Port
139 NETBIOS infection runs, the packets were IPTRACED and IPFORMAT demonstrated
to have come from a box .. in my own city-net ., for the COX system, However I
never got to catch the perp at the onset of the infection with IPTRACE to get us a look at the magic cookie and so on. Tooling up to try and snare that with a spare box is both a thought to Lee Aroner's honeypot name for it .. or .. maybe to the box that hosts to new Apache test server if I dare. I dunno yet.
But more focally here for this echo ..
What should be my OS2INST game plan for using APACHE, for a start? Consider that obviously, Port 80 has to be opened up and incoming packets cannot be dumped if I ever want to use an HTML server on my fixed address?
Can someone begin the teaching process here on how to best use OS/2 for an INTERNET SERVER operation and minimize the risk from this new round of HTML server attacks? I really do not want my simple humble web page to receive a graceful JAVA snip appendage in it that goes off trying to do something it can't do in OS/2, but doesn't know that anyway!
How do we best become Web Empresario's all here?
And after we do that with APACHE, how does all this play out with the formal IBM offerings for same? I have a DEVCON subscription. Surely goodness and mercy will follow all thise HUNDREDS of CD-ROM disks all the rest of my life somehow, no?
;)
Thank you!
Sleep well; OS/2's still awake! ;)
Mike @ 1:117/3001
--- Maximus/2 3.01
* Origin: Ziplog Public Port (1:117/3001)