Date:      Fri, 17 Aug 2001 01:47:05 -0500
From:      "default - Subscriptions" <default013subscriptions@hotmail.com>
To:        <freebsd-security@freebsd.org>
Subject:   Fw: Silly crackers... NT is for kids... - DOH!
Message-ID:  <OE661TZ14eBa1kg3Ams00006ad6@hotmail.com>

Whoops!

As it turns out, I did a bit more research at http://www.eeye.com , and
found that this is the CODE RED worm!
Wow! This is one mean wormy, well... guess I can at least be relieved that
there aren't 5 billion crackers on my I.P. block :)

Thanks!

Jordan

Oh, P.S. If anyone else wants to read up on this, here is what I found:
http://www.eeye.com/html/Research/Advisories/AL20010717.html

----- Original Message -----
From: "default - Subscriptions" <default013subscriptions@hotmail.com>
To: <freebsd-security@freebsd.org>
Sent: Friday, August 17, 2001 1:34 AM
Subject: Silly crackers... NT is for kids...


> Hi,
>
> Recently hundreds of I.P. addresses have been attempting to use an NT
> exploit on my FreeBSD web server as if it were an NT server... Apache logs
> the attack like this:
> ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 276 "-" "-"
>
> Here's what security tracker has to say about it:
> http://securitytracker.com/alerts/2001/Jun/1001788.html
>
> Apparently this exploits the indexing service in IIS allowing the cracker to
> gain SYSTEM access...
>
> Now, this does absolutely nothing to my server, as it is a FreeBSD machine
> which I believe is decently secure even if the attacks were exploits that
> worked on FreeBSD (which they do not).
>
> I have been receiving so many of these lately, that I must almost assume
> that it is one person orchestrating the whole attack in a pathetic attempt
> to gain access to my machine. Really all it does is pester me by sucking up
> a small percentage of my bandwidth, and system resources...
>
> My question is: Is this a common attack that script kiddies are using right
> now? Are lots of people getting attacked in a similar manner? If so, does
> anyone know a place where I could get the binary and source code so that I
> can take a look at how it works? And what are the rest of you guys doing
> about this if anything?
>
> I have notified the ISPs of the attackers' I.P. ranges (mostly AT&T@Home) but
> they have done nothing, and have not even replied to my complaints. I have
> resorted to running a cron that blocks these I.P. addresses when they first
> show their ugly faces... I know that's kind of anal, but I feel that it is a
> good precaution because even if it really is hundreds of people, a couple of
> them are bound to get wise eventually and try something smarter...
>
> Anyway, it's really starting to bug me, it has been going on for a couple of
> weeks now, and I am nearing a total of 300 I.P. addresses as the sources...
> most of which are low security NT servers on a commercial network such as
> AT&T@Home, and RoadRunner...
>
> Thanks,
>
> Jordan
>
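The quoted message describes two things a defender would want to automate: recognising the Code Red request signature in Apache's access log (the `GET /default.ida?XXXX...%uXXXX` pattern) and tallying it per source so that repeat offenders can be fed to a blocking script. The following is an added example, not code from the original post or from FreeBSD; it parses common-log-format lines, flags the signature as the eEye advisory describes it, and returns per-source counts. The hostnames and log lines are constructed for the example (the `.invalid` TLD is reserved and never resolves), and the length thresholds are assumptions rather than a published rule.

```python
"""Count Code Red style probes per source in Apache access logs.

Added example written for this thread; not the original poster's cron job.
Sample log lines below are constructed and use reserved .invalid hostnames.
"""
import re
from collections import Counter

# Common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red signature as seen in the post: a GET for /default.ida with a long
# run of 'X' padding followed by %uXXXX-encoded bytes. The "20 or more X"
# minimum is an assumption chosen to avoid matching ordinary .ida requests.
CODE_RED_RE = re.compile(r'GET /default\.ida\?X{20,}.*%u[0-9a-fA-F]{4}',
                         re.IGNORECASE)

# Constructed sample log: two probes from one host, one from another, one
# ordinary request, and one malformed line that the parser must skip.
SAMPLE_LOG = [
    'ci9809-a.example.invalid - - [17/Aug/2001:00:53:16 -0500] "GET /default.ida?'
    + "X" * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b'
    + '%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"',
    'client.example.invalid - - [17/Aug/2001:00:55:02 -0500] '
    '"GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"',
    'other.example.invalid - - [17/Aug/2001:00:57:41 -0500] "GET /default.ida?'
    + "X" * 224
    + '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"',
    'this line is not in common log format',
    'ci9809-a.example.invalid - - [17/Aug/2001:01:02:09 -0500] "GET /default.ida?'
    + "X" * 224
    + '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"',
]


def parse_line(line):
    """Return a dict of log fields, or None if the line is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(request):
    """True if the request string carries the Code Red signature."""
    return CODE_RED_RE.search(request) is not None


def probes_by_source(lines, threshold=1):
    """Map each source host to its probe count, keeping counts >= threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_code_red_probe(rec["request"]):
            counts[rec["host"]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def repeat_offenders(lines, threshold=2):
    """Sorted list of sources that probed at least `threshold` times;
    this is the list a blocking script would consume."""
    return sorted(probes_by_source(lines, threshold))


if __name__ == "__main__":
    for host, n in sorted(probes_by_source(SAMPLE_LOG).items()):
        print(f"{n:4d}  {host}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

Run it against a real `access_log` by replacing `SAMPLE_LOG` with the file's lines; because the signature is matched on the request string rather than on the response code, it works whether the server answered 404 (as in the post) or 200. The threshold keeps a single stray probe from earning a firewall entry, which matters when, as the poster notes, the sources number in the hundreds.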
