Date:      Tue, 18 Sep 2001 19:26:05 -0700 (PDT)
From:      Brian Whalen <bri@sonicboom.org>
To:        Mark Hughes <mark@dvdnews.co.uk>
Cc:        klein brock <getzz1@yahoo.com>, "Christian S ." <cschreiber@netrail.net>, Matthew Emmerton <matt@gsicomp.on.ca>, <questions@FreeBSD.ORG>
Subject:   Re: FIREWALL REALLY NEED HELP
Message-ID:  <20010918192520.D6038-100000@cx175057-a.ocnsd1.sdca.home.com>
In-Reply-To: <030301c140b1$09ee3640$0200a8c0@mark2>

u r correct, see http://www.cert.org/advisories/CA-2001-26.html.  These
people are likely not directly attacking you, but are unknowing
participants in this.

Brian "Sonic" Whalen
Success = Preparation + Opportunity


On Wed, 19 Sep 2001, Mark Hughes wrote:

> > Not just that. The IPs that attack my server are more
> > than 10.000. These are some of them:
> >
> > 209.8.63.66 - - [18/Sep/2001:17:38:20 -0700] "GET
> > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
> > 209.8.172.53 - - [18/Sep/2001:17:38:20 -0700] "GET
> > /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
> > HTTP/1.0" 400 285
> > 209.8.92.226 - - [18/Sep/2001:17:38:20 -0700] "GET
> > /scripts/root.exe?/c+dir HTTP/1.0" 404 280
> > 209.8.172.53 - - [18/Sep/2001:17:38:20 -0700] "GET
> > /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
> > HTTP/1.0" 404 302
> > 209.8.92.226 - - [18/Sep/2001:17:38:21 -0700] "GET
> > /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
> > HTTP/1.0" 404 301
> > 209.8.172.53 - - [18/Sep/2001:17:38:21 -0700] "GET
> > /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
> > HTTP/1.0" 404 302
> >
> > It has 216.*.*.* for more than 100 IPs, 209.*.*.* for more
> > than 1000 IPs, 205.128.*.*
> >
> > I am really tired of this. My server has suffered from it for more
> > than 1 week. If anybody can help me... I would
> > appreciate it. They have more than 10.000 IPs.
>
> that all sounds suspiciously like a code red / code blue / nammbaaanada
> (sp?) virus that's spread onto an area network and is trying to infect your
> machine...
>
> I could be wrong, what do others think?
>
> Mark
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
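
The requests quoted in this thread can be triaged mechanically. The following Python is an added example, not part of the original messages: it percent-decodes each request path until it stops changing, tags the probe type, and groups the results by source address. The names `decode_fully`, `classify` and `summarize` are this example's own, and the sample log is the six quoted requests re-joined onto single lines.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Constructed input: the six requests quoted in the thread, un-wrapped to one line each.
SAMPLE_LOG = '''\
209.8.63.66 - - [18/Sep/2001:17:38:20 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
209.8.172.53 - - [18/Sep/2001:17:38:20 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
209.8.92.226 - - [18/Sep/2001:17:38:20 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
209.8.172.53 - - [18/Sep/2001:17:38:20 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
209.8.92.226 - - [18/Sep/2001:17:38:21 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
209.8.172.53 - - [18/Sep/2001:17:38:21 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
'''
# Common Log Format: client, ident, user, [time], "METHOD target PROTO", status
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def decode_fully(raw, max_passes=5):
    """Percent-decode until nothing changes; return (bytes, passes needed)."""
    data, passes = raw.encode("latin-1", "replace"), 0
    while passes < max_passes and (nxt := unquote_to_bytes(data)) != data:
        data, passes = nxt, passes + 1
    return data, passes

def classify(line):
    """Return (ip, status, tags) for a probe line, or None for anything else."""
    m = CLF.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    path, passes = decode_fully(target.split("?", 1)[0])
    tags = {"double-encoded"} if passes > 1 else set()  # e.g. %252f -> %2f -> /
    try:
        path.decode("utf-8")
    except UnicodeDecodeError:
        tags.add("invalid-utf8")                         # e.g. the %c0 byte
    path = path.lower().replace(b"\\", b"/")            # treat \ like /
    if b"/../" in path:
        tags.add("traversal")
    tags |= {exe for exe in ("cmd.exe", "root.exe") if path.endswith(b"/" + exe.encode())}
    return (ip, int(status), tags) if tags else None

def summarize(log):
    """Group probe tags by source IP and count the status codes returned."""
    by_ip, statuses = defaultdict(set), Counter()
    for ip, status, tags in filter(None, map(classify, log.splitlines())):
        by_ip[ip] |= tags
        statuses[status] += 1
    return dict(by_ip), dict(statuses)
```

On the sample, all six requests come from three addresses and every one was answered with 400 or 404.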

