Date:      Sat, 18 Aug 2001 02:30:30 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        default - Subscriptions <default013subscriptions@hotmail.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Silly crackers... NT is for kids...
Message-ID:  <Pine.BSF.3.96.1010818012100.9908C-100000@gaia.nimnet.asn.au>
In-Reply-To: <OE41KHmj9n1xxWn9R6m0000d975@hotmail.com>

On Fri, 17 Aug 2001, default - Subscriptions wrote:

I see you've now been brought up to speed, but you can do little things!

[.. cut to bits ..]

 > Recently hundreds of I.P. addresses have been attempting to use an NT
 > exploit on my FreeBSD web server as if it were an NT server... Apache logs

Hundreds of thousands, some say.  Still quite a few pumping away ..

 > HTTP/1.0" 404 276 "-" "-"

note 276 byte response; you can save some on that .. or send 'em more!

 > to gain access to my machine. Really all it does is pester me by sucking up
 > a small percentage of my bandwidth, and system resources...

I'd added an ipfw rule, after allowing access to the valid webserver IPs
within our public subnet but before mass denial for protected and unused
IPs, just to get an idea of the scope of it:

# ipfw add 62612 deny log tcp from any to ${us}/26 80 in recv ${oif} setup

After about a fortnight, just the requests to 50-odd non-webserving IPs:

# ipfw -t show | grep 62612
62612     180299    8675060 Sat Aug 18 01:08:59 2001 [deny as above ..]

and we're just a little crew on a permanent 56k modem connection.  We're
up for a couple of dollars for that lot, but it's not worth suing ..

 > can take a look at how it works? And what are the rest of you guys doing
 > about this if anything?

I got bored with various httpd-error.log rolling over daily instead of
more often monthly, so decided to feed the ravaging monster something:

# pwd
/usr/local/www/data
# ll *ida; cat *ida
-rw-r--r--  1 root  wheel  64 Aug  8 07:47 default.ida
Bad luck using that costly, broken, closed-source m$ webserver!

and now have back useful error.logs, and have reduced outbound traffic,
not that that costs us, by about 75% of the 404 response, no big deal. 
Didn't even bother giving .ida a MIME type, it just went .. now get:

 203.75.142.254 - - [18/Aug/2001:00:21:04 +1000] "GET /default.ida?X
 [..] HTTP/1.0" 200 64 "-" "-"

Still have to grep these out or exclude 'em from log analysis, boring .. 

 > I have notified the ISPs of the attackers I.P. ranges (mostly AT&T@Home) but
 > they have done nothing, and have not even replied to my complaints. I have

Happy hunting! :-)

Ian


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
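Ian mentions still having to grep the .ida probes out of the logs before analysis. The following is an added example (not from the post or from FreeBSD) that parses Apache common-log lines, separates the /default.ida probes from real traffic, and totals probes per source host and the bytes sent back to them. The log lines and 192.0.2.x / 198.51.100.x addresses are constructed sample data.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# The probes in the thread all request this path with a long query string.
WORM_PATH = "/default.ida"

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Aug/2001:00:21:04 +1000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [18/Aug/2001:00:25:11 +1000] "GET /default.ida?XXXXXXXX HTTP/1.0" 200 64 "-" "-"
192.0.2.22 - - [18/Aug/2001:00:30:40 +1000] "GET /default.ida?NNNNNNNN HTTP/1.0" 200 64 "-" "-"
198.51.100.7 - - [18/Aug/2001:00:31:02 +1000] "GET /index.html HTTP/1.0" 200 1532 "-" "Mozilla/4.0"
garbage line that does not parse
"""

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    parts = d["request"].split()
    d["path"] = parts[1] if len(parts) >= 2 else ""
    return d

def is_worm_probe(entry):
    """True when the request path is the .ida probe, ignoring the query string."""
    return entry["path"].split("?", 1)[0] == WORM_PATH

def split_log(text):
    """Separate probe entries from real traffic and summarise the probes."""
    probes, real = [], []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than miscount
        (probes if is_worm_probe(entry) else real).append(entry)
    summary = {
        "probe_count": len(probes),
        "probes_per_host": Counter(e["host"] for e in probes),
        "probe_bytes_sent": sum(e["bytes"] for e in probes),
    }
    return probes, real, summary
```

Feed it a real access log with `split_log(open(path).read())`; `real` is what is left for normal log analysis and `summary` gives the per-host probe counts worth reporting upstream.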