Date: Fri, 17 Aug 2001 08:26:15 -0700
From: randall ehren <randall@isber.ucsb.edu>
To: freebsd-security@freebsd.org
Cc: Steve McGhee <stevem@redigital.com>
Subject: Re: [Fwd: Silly crackers... NT is for kids...]
Message-ID: <3B7D3797.ED5ED033@isber.ucsb.edu>
References: <3B7D33B0.E584E835@lmri.ucsb.edu>
hey, i have several freebsd web servers getting attacked all day long. they are basically hitting anything with port 80 open (hp jet admin boxes as well). it may not be the most polite thing, and i have yet to test it, but there are a few people making little scripts to "get back" at them...

http://members.shaw.ca/jobeus/codered.htm is one example.

there was a post on slashdot.org a few days back with another version...
http://www.dasbistro.com/default_ida_info.html

the article was:
http://slashdot.org/article.pl?sid=01/08/11/1420207&mode=nested

-- 
- randall s. ehren -=- 805 893-5632
system administrator -=- isber.ucsb.edu
institute for social, behavioral, and economic research
randall.cell@isber.ucsb.edu

freebsd-security@freebsd.org
>
> Recently hundreds of I.P. addresses have been attempting to use an NT
> exploit on my FreeBSD web server as if it were an NT server... Apache
> logs the attack like this:
>
> ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 276 "-" "-"
>
>
> I have been receiving so many of these lately, that I must almost assume
> that it is one person orchestrating the whole attack in a pathetic attempt
> to gain access to my machine. Really all it does is pester me by sucking up
> a small percentage of my bandwidth, and system resources...
>
> My question is: Is this a common attack that script kiddies are using right
> now? Are lots of people getting attacked in a similar manner? If so, does
> anyone know a place where I could get the binary and source code so that I
> can take a look at how it works? And what are the rest of you guys doing
> about this if anything?
>
> I have notified the ISPs of the attackers' I.P. ranges (mostly AT&T@Home) but
> they have done nothing, and have not even replied to my complaints. I have
> resorted to running a cron that blocks these I.P. addresses when they first
> show their ugly faces... I know that's kind of anal, but I feel that it is a
> good precaution because even if it really is hundreds of people, a couple of
> them are bound to get wise eventually and try something smarter...

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
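The cron-driven blocking the quoted poster describes, as an added example that is not code from the thread: it parses Apache access log lines for the /default.ida probe shown above, counts probes per client, and emits FreeBSD ipfw deny rules for numeric addresses, holding back clients that Apache logged as hostnames (as in the quoted log) so a name is never fed to the firewall. The ipfw rule syntax is an assumption about the target box, and the sample log lines are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Apache combined log: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')
# The probe quoted in the thread: a GET for /default.ida with a query string. That path is
# an IIS Index Server ISAPI extension, so Apache always answers 404 and no real client asks for it.
PROBE_RE = re.compile(r'^GET /default\.ida\?')

def parse_line(line):
    """Return (client, request, status) for a well-formed log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group('client'), m.group('request'), int(m.group('status'))

def probing_hosts(log_text, allowlist=frozenset()):
    """Count /default.ida probes per client field, skipping allowlisted clients."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and PROBE_RE.match(parsed[1]) and parsed[0] not in allowlist:
            hits[parsed[0]] += 1
    return hits

def ipfw_rules(hits, min_hits=1, rule_base=1000):
    """Build FreeBSD ipfw commands (assumed syntax) that drop port 80 from each numeric
    prober address. Clients logged as hostnames (HostnameLookups On, as in the quoted log)
    are returned separately: resolve them to addresses before blocking, never block a name."""
    rules, unresolved = [], []
    for client, count in sorted(hits.items()):
        if count < min_hits:
            continue
        try:
            ip_address(client)
        except ValueError:
            unresolved.append(client)
            continue
        rules.append(f"ipfw add {rule_base + len(rules)} deny tcp from {client} to any 80")
    return rules, unresolved

# Constructed sample log (not from the thread); the probe query string is shortened.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Aug/2001:00:53:16 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
10.0.0.9 - - [17/Aug/2001:00:55:02 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"
10.0.0.5 - - [17/Aug/2001:00:57:40 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 276 "-" "-"
host-a.example.net - - [17/Aug/2001:01:02:11 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 276 "-" "-"
garbage line that does not parse
"""
```

Running `ipfw_rules(probing_hosts(SAMPLE_LOG))` yields one rule for 10.0.0.5 and reports host-a.example.net as needing resolution; raising `min_hits` turns it into the "block after N probes" variant rather than blocking on first sight.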