From owner-freebsd-stable Mon Mar 25 10:24:16 2002 Delivered-To: freebsd-stable@freebsd.org Received: from smtp017.mail.yahoo.com (smtp017.mail.yahoo.com [216.136.174.114]) by hub.freebsd.org (Postfix) with SMTP id E0DF237B405 for ; Mon, 25 Mar 2002 10:24:08 -0800 (PST) Received: from sgeine (AUTH login) at adsl-63-198-133-39.dsl.lsan03.pacbell.net (HELO edinburgh) (sgeine@63.198.133.39) by smtp.mail.vip.sc5.yahoo.com with SMTP; 25 Mar 2002 18:24:08 -0000 Reply-To: From: "Jesse Geddis" To: "Jarrod Sayers" , "FreeBSD-STABLE" Subject: RE: attempted exploits Date: Mon, 25 Mar 2002 10:24:08 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Importance: Normal In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG wow, this is nuts. getting it from 5 hosts on the same B now lol. seems to propagate quite well. I read through the CERT advisory. seems like a well written worm with many points of access. certainly fills my log files. I feel sorry for all the NT users who have to deal with MS timetable for patches lol -----Original Message----- From: owner-freebsd-stable@FreeBSD.ORG [mailto:owner-freebsd-stable@FreeBSD.ORG]On Behalf Of Jarrod Sayers Sent: Sunday, March 24, 2002 9:58 PM To: 'sgeine@yahoo.com'; FreeBSD-STABLE Subject: RE: attempted exploits Welcome back Nimda! We have noticed a sharp rise in the number of attacks starting over the weekend here. Jarrod Sayers Information Technology Services Unit University of South Australia, Magill Campus. Phone: +61 8 8302 4809 http://people.unisa.edu.au/jarrod.sayers > -----Original Message----- > From: Jesse Geddis [mailto:sgeine@yahoo.com] > Sent: Monday, 25 March 2002 4:23 PM > To: FreeBSD-STABLE > Subject: attempted exploits > > > wow, this person is quite effective. they've been trying this since > this morning 4mins after i got my web server up. been doing it every > half hour for 7 hours lol. trying to execute arbitrary Windows code on > a FreeBSD server! > > [Sun Mar 24 20:41:55 2002] [error] [client 63.198.148.139] File does > not exist: /archive/www/cia/scripts/..Á../winnt/system32/cmd.exe > [Sun Mar 24 20:42:05 2002] [error] [client 63.198.148.139] File does > not exist: /archive/www/cia/scripts/..À¯../winnt/system32/cmd.exe > [Sun Mar 24 20:42:10 2002] [error] [client 63.198.148.139] File does > not exist: /archive/www/cia/scripts/..Á../winnt/system32/cmd.exe > [Sun Mar 24 20:42:29 2002] [error] [client 63.198.148.139] File does > not exist: /archive/www/cia/scripts/..%5c../winnt/system32/cmd.exe > [Sun Mar 24 21:13:11 2002] [error] [client 63.198.148.139] File does > not exist: /archive/www/cia/scripts/root.exe > [Sun Mar 24 21:13:12 2002] [error] [client 63.198.148.139] File does > not exist: /archive/www/cia/MSADC/root.exe > [Sun Mar 24 21:13:13 2002] [error] [client 63.198.148.139] File does > not exist: /archive/www/cia/c/winnt/system32/cmd.exe > [Sun Mar 24 21:13:14 2002] [error] [client 63.198.148.139] File does > not exist: /archive/www/cia/d/winnt/system32/cmd.exe > [Sun Mar 24 21:13:15 2002] [error] [client 63.198.148.139] File does > not exist: /archive/www/cia/scripts/..%5c../winnt/system32/cmd.exe > [Sun Mar 24 21:13:17 2002] [error] [client 63.198.148.139] File does > not exist: > /archive/www/cia/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.e > xe > [Sun Mar 24 21:13:19 2002] [error] [client 63.198.148.139] File does > not exist: > /archive/www/cia/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.e > xe > [Sun Mar 24 21:13:20 2002] [error] [client 63.198.148.139] File does > not exist: > /archive/www/cia/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/s > ystem32 > /cmd.exe > > Jesse Geddis > > > > "My fellow Americans, I've signed legislation that will outlaw Russia > forever. We begin bombing in five minutes." > --Ronald Reagan > > > _________________________________________________________ > Do You Yahoo!? > Get your free @yahoo.com address at http://mail.yahoo.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-stable" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message