Date:      Fri, 17 Aug 2001 16:45:36 +1000
From:      "Andrew Dean" <ferni@shafted.com.au>
To:        <freebsd-security@freebsd.org>
Subject:   Re: Silly crackers... NT is for kids...
Message-ID:  <004701c126e8$38d006b0$240aa8c0@fernilaptop>
References:  <OE41KHmj9n1xxWn9R6m0000d975@hotmail.com>

Isn't that the Code Red worm? *feels dumb*
----- Original Message -----
From: "default - Subscriptions" <default013subscriptions@hotmail.com>
To: <freebsd-security@freebsd.org>
Sent: Friday, August 17, 2001 4:34 PM
Subject: Silly crackers... NT is for kids...


> Hi,
>
> Recently hundreds of I.P. addresses have been attempting to use an NT
> exploit on my FreeBSD web server as if it were an NT server... Apache logs
> the attack like this:
>
> ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"
>
> Here's what security tracker has to say about it:
> http://securitytracker.com/alerts/2001/Jun/1001788.html
>
> Apparently this exploits the indexing service in IIS, allowing the cracker
> to gain SYSTEM access...
>
> Now, this does absolutely nothing to my server, as it is a FreeBSD machine
> which I believe is decently secure even if the attacks were exploits that
> worked on FreeBSD (which they do not).
>
> I have been receiving so many of these lately that I must almost assume
> that it is one person orchestrating the whole attack in a pathetic attempt
> to gain access to my machine. Really all it does is pester me by sucking
> up a small percentage of my bandwidth and system resources...
>
> My question is: Is this a common attack that script kiddies are using
> right now? Are lots of people getting attacked in a similar manner? If so,
> does anyone know a place where I could get the binary and source code so
> that I can take a look at how it works? And what are the rest of you guys
> doing about this, if anything?
>
> I have notified the ISPs of the attackers' I.P. ranges (mostly AT&T@Home),
> but they have done nothing, and have not even replied to my complaints. I
> have resorted to running a cron that blocks these I.P. addresses when they
> first show their ugly faces... I know that's kind of anal, but I feel that
> it is a good precaution because even if it really is hundreds of people, a
> couple of them are bound to get wise eventually and try something smarter...
>
> Anyway, it's really starting to bug me, it has been going on for a couple
> of weeks now, and I am nearing a total of 300 I.P. addresses as the
> sources... most of which are low-security NT servers on a commercial
> network such as AT&T@Home, and RoadRunner...
>
> Thanks,
>
> Jordan
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>


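As an added example for this thread (editor's code, not anything either poster wrote or ran): a small Python script that does what Jordan's log-watching cron job does, picking Code Red probes out of an Apache access log, tallying them per source, and drafting ipfw deny rules for the FreeBSD host. The signature it keys on is the one visible in the quoted log line: a GET for /default.ida (the IIS Index Server ISAPI extension) whose query string is a long filler run ('N' in the July 2001 Code Red variants, 'X' in Code Red II, which is the form in the quoted line) followed by %u-encoded shellcode beginning with the %u9090 NOP sled. A bare GET /default.ida without that payload is deliberately not counted, so scanner noise does not end up in the block list. The log lines in SAMPLE_LOG are constructed for this example (documentation address ranges; only the first mirrors the shape of the quoted line, hostname source included), and ipfw_rules, scan and the other names are this example's own.

```python
"""Pick Code Red probes out of an Apache access log and draft ipfw deny rules.

Added example for this thread; not code from either poster. The sample log
lines below are constructed and use documentation address ranges.
"""
import re
from collections import Counter
from ipaddress import AddressValueError, IPv4Address

# Constructed sample log (not the original post's data). Line 1 mirrors the
# shape of the quoted line, including a reverse-resolved hostname as source.
SAMPLE_LOG = """\
ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [17/Aug/2001:01:02:07 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [17/Aug/2001:01:02:09 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [17/Aug/2001:01:15:44 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [17/Aug/2001:01:15:50 -0500] "GET /default.ida HTTP/1.0" 404 276 "-" "Mozilla/4.0"
garbage line that is not an access-log record
"""

# Apache common/combined log: remote ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Worm signature: /default.ida with a long filler run ('N' in the July 2001
# Code Red variants, 'X' in Code Red II) and %u-encoded shellcode that opens
# with the %u9090 NOP sled seen in the quoted log line.
CODE_RED_RE = re.compile(r'^/default\.ida\?(?:X{20,}|N{20,})[^ ]*%u9090', re.IGNORECASE)


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it is not one."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(target: str) -> bool:
    """True only for the worm payload, not for a bare GET /default.ida."""
    return CODE_RED_RE.match(target) is not None


def scan(log_text: str) -> Counter:
    """Count Code Red probes per source (an IP, or a name if HostnameLookups is on)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and is_code_red_probe(rec["target"]):
            hits[rec["remote"]] += 1
    return hits


def ipfw_rules(hits: Counter, first_rule: int = 1000):
    """Draft one 'ipfw add N deny ip from SRC to any' line per probing IPv4 source.

    Sources logged as hostnames are returned separately: a firewall rule needs
    the address, and a reverse-DNS name is under the attacker's control anyway.
    """
    rules, unresolved = [], []
    rule = first_rule
    for src in sorted(hits):
        try:
            IPv4Address(src)
        except AddressValueError:
            unresolved.append(src)
            continue
        rules.append(f"ipfw add {rule} deny ip from {src} to any")
        rule += 1
    return rules, unresolved


if __name__ == "__main__":
    counts = scan(SAMPLE_LOG)
    for src, n in counts.most_common():
        print(f"{n:4d}  {src}")
    rules, unresolved = ipfw_rules(counts)
    print("\n".join(rules))
    for src in unresolved:
        print(f"# no rule for {src}: logged as hostname, not address")
```

Point it at the real access log instead of SAMPLE_LOG and review the printed rules before feeding them to sh. Two caveats the sample is built to show: with HostnameLookups on, Apache records the reverse name rather than the address, so those entries are counted but no rule is drafted; and because the worm chooses targets pseudo-randomly and the request dies with a 404 on Apache, the per-source tally is more useful as evidence for an abuse report than as a defence.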
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?004701c126e8$38d006b0$240aa8c0>