From owner-freebsd-questions Sat Oct 20 14:45:42 2001
Delivered-To: freebsd-questions@freebsd.org
From: "Adam Wood"
Subject: RE: attackers! How do I know whether or not they were successful?
Date: Sat, 20 Oct 2001 16:45:48 -0500
Message-ID: <000001c159b0$95518b70$01000001@wood>
In-Reply-To: <5.0.2.1.0.20011020141127.00a191b0@netmail.home.com>

I noticed in my logs what appears to be an attempt to try a buffer overflow in my apache logs. I've included the excerpts from my logs below for reference.

My questions:

>>1) I haven't opened up port 80 with my firewall. How did they connect? Is there a problem with my rules? (I've included those below for reference as well)

I don't see a rule similar to the default "65535 deny ip from any to any" at the end of your ruleset to block any packets not accounted for by the preceding rules. That may be it, but I'm new to freebsd, so I'll defer that question to the more experienced users.

>>2) How can I tell how successful the attempt was?

The attempt was not successful, since you do not have a default.ida file on your system, thus there is nothing to exploit.
>>3) Any ideas what the attempt was trying to do? Is this a known exploit? Where would I find out?

This is a scan from a windows machine infected with the Code Red worm. It is trying to exploit a known hole in the Indexing Service DLL used by Microsoft's POS, ahem, I mean IIS server software package. You're not affected since you run FreeBSD. More info at http://www.cert.org/advisories/CA-2001-19.html

>>4) What do I do now? Anything else I should do?

You don't need to worry about this, as Apache is simply replying with the "...malformed Host header" or a "file does not exist" error message. The @home network is full of these kinds of machines that have yet to be patched, so the only potential problem is your logs getting too big and filling up the partition you have them on. I think there are some tools that will reject this type of request, as well as those generated by the sequel to this worm (Code Red II), and the newer, nastier Nimda worm. Anyone know of any off hand?

Thanks for all your help in this.

Mike

Notes: I have FreeBSD 4.4 recently installed from an iso image.
My Firewall Rules:

block in on dc0
block in log quick on dc0 from 192.168.0.0/16 to any
block in log quick on dc0 from 172.16.0.0/12 to any
block in log quick on dc0 from 10.0.0.0/8 to any
block in log quick on dc0 from 127.0.0.0/8 to any
block in log quick on dc0 from /32 to any
# allow my own network stuff to get out
pass out quick on dc0 proto tcp/udp from 192.168.0.0/24 to any keep state
pass out quick on dc0 proto icmp from 192.168.0.0/24 to any keep state
pass out quick on dc0 proto tcp/udp from /32 to any keep state

httpd-error contents:

[Sat Oct 19 13:25:07 2001] [error] [client 131.123.8.178] Client sent malformed Host header

httpd-access contents:

131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 341 "-" "-"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
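As an added example that is not part of the thread, the following Python script performs the check the reply describes over Apache access-log lines: it tallies Code Red and Nimda probes per source address and flags any probe the server answered with a 2xx status instead of the 400/404 rejection seen in the excerpt. The Nimda signatures are taken from the later CERT advisory (CA-2001-26), and every sample line except the first is constructed; neither comes from the thread.

```python
import re
from collections import Counter

# Apache access log line (common/combined format), as in the excerpt above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Probe signatures for the worms named in the thread. The Code Red pattern is the
# request in the log excerpt; the Nimda paths are an assumption from CERT CA-2001-26.
SIGNATURES = {
    "CodeRed": re.compile(r"^/default\.ida\?", re.I),
    "Nimda": re.compile(r"root\.exe|cmd\.exe", re.I),
}

def classify(path):
    """Name the worm family a request path matches, or None."""
    for name, pat in SIGNATURES.items():
        if pat.search(path):
            return name
    return None

def scan_access_log(lines):
    """Count probes per (client IP, family); also collect probes answered with 2xx,
    i.e. served rather than rejected as Apache did in the excerpt."""
    hits, served = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line (or unparseable)
        family = classify(m.group("path"))
        if family is None:
            continue  # ordinary request
        hits[(m.group("ip"), family)] += 1
        if m.group("status").startswith("2"):
            served.append((m.group("ip"), family, m.group("status")))
    return hits, served

# Constructed sample: the Code Red line from the thread (payload shortened), a
# Nimda-style probe, a hypothetical probe that was served, and a normal request.
SAMPLE = [
    '131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 400 341 "-" "-"',
    '10.1.2.3 - - [19/Oct/2001:13:26:11 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289 "-" "-"',
    '10.9.9.9 - - [19/Oct/2001:13:30:00 -0700] "GET /default.ida?XXXX%u9090 HTTP/1.0" 200 512 "-" "-"',
    '192.168.0.5 - - [19/Oct/2001:13:31:00 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    hits, served = scan_access_log(SAMPLE)
    for (ip, family), n in sorted(hits.items()):
        print(f"{ip:16} {family:8} {n} probe(s)")
    print("probes answered with 2xx:", served)
```

A probe that draws a 2xx is worth a closer look because it means the server found something to serve at that path; a 400 or 404, as in the excerpt, means the request was rejected.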