Sometime Today, Siddhesh Poyarekar assembled some asciibets to say:
10.10.180.2 - - [08/Feb/2004:17:47:37 +0530] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 %u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 271 "-" "-"
nimda - harmless, affects MS IIS.
211.161.172.142 - - [09/Feb/2004:02:09:45 +0530] "CONNECT 211.150.96.21:25 HTTP/1.1" 405 313 "-" "-"
you have an open relay - serious problem, solution below
From what I know, in Part 1, someone is trying to cause some kind of overflow with the request string and in part 2 someone is trying to access another system's SMTP port through my web server.
right
What I want to know is that is it possible to know whether the cracker was successful in his attempts and secondly, how much of a threat this is to me.
In this case the attack was from a windows worm known as WIN32.NIMDA. It affects MS IIS web servers. The only effect it will have on you is decreased performance because of increased server load (your server has to serve 404 responses). You can block the IP addresses that hit you with this, but you'll have to do this actively.
And also, is there a way to identify a network (location, names, etc) from its IP address. I'd like to track this guy down to find out who he is.
Use whois to find out the network. Then send a mail to the network admin.
For your second problem, that of the open relay, add this to your httpd.conf file:
<Location />
    <LimitExcept HEAD GET POST PUT>
        Order deny,allow
        deny from all
    </LimitExcept>
</Location>
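For anyone wanting to check their own logs for the two patterns discussed in this thread, here is a small Python classifier I put together (added example, not code from the original posts): it parses Apache combined-format lines, flags default.ida / Nimda-style IIS worm probes and CONNECT requests to an SMTP port, and distinguishes a CONNECT that was refused (405, as in the log above) from one the server actually tunnelled (2xx), which is the case that would indicate a working relay. The sample log lines and hosts are constructed; the sample_log, classify and summarize names are mine.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two quoted above (hosts and timestamps are made up).
SAMPLE_LOG = """\
10.10.180.2 - - [08/Feb/2004:17:47:37 +0530] "GET /default.ida?XXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 271 "-" "-"
211.161.172.142 - - [09/Feb/2004:02:09:45 +0530] "CONNECT 211.150.96.21:25 HTTP/1.1" 405 313 "-" "-"
192.0.2.7 - - [09/Feb/2004:03:00:01 +0530] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Feb/2004:03:05:12 +0530] "CONNECT 198.51.100.4:25 HTTP/1.1" 200 0 "-" "-"
"""

# Apache combined log format: host ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths probed by Code Red (default.ida) and Nimda (root.exe / cmd.exe) against IIS.
IIS_WORM_MARKERS = ('/default.ida', '/root.exe', '/cmd.exe')


def classify(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m['method'], m['target'], int(m['status'])
    if method == 'CONNECT':
        # A CONNECT through a web server is a proxy probe; a 2xx means the tunnel was opened,
        # so the server really did relay, while 405 means Apache refused the method.
        tag = 'proxy-relay-abuse' if status // 100 == 2 else 'proxy-relay-probe'
    elif any(marker in target.lower() for marker in IIS_WORM_MARKERS):
        tag = 'iis-worm-probe'   # harmless to Apache beyond the 404 load, as noted above
    else:
        tag = 'normal'
    return {'ip': m['ip'], 'method': method, 'target': target, 'status': status, 'tag': tag}


def summarize(log_text):
    """Count lines per tag and count offending source IPs (input for whois / abuse mail)."""
    tags, offenders = Counter(), Counter()
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        tags[rec['tag']] += 1
        if rec['tag'] != 'normal':
            offenders[rec['ip']] += 1
    return tags, offenders


if __name__ == '__main__':
    for tag, n in summarize(SAMPLE_LOG)[0].items():
        print(f'{tag}: {n}')
```

Any line tagged proxy-relay-abuse is the one worth worrying about; the 405 in the quoted log means that particular CONNECT was refused.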