From owner-freebsd-security Wed Feb 3 09:52:48 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA19089 for freebsd-security-outgoing; Wed, 3 Feb 1999 09:52:48 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mta1-rme.xtra.co.nz (mta.xtra.co.nz [203.96.92.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA19074 for ; Wed, 3 Feb 1999 09:52:46 -0800 (PST) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker ([210.55.210.87]) by mta1-rme.xtra.co.nz (InterMail v04.00.02.07 201-227-108) with SMTP id <19990203175238.KHCJ682101.mta1-rme@wocker>; Thu, 4 Feb 1999 06:52:38 +1300
From: "Dan Langille"
Organization: The FreeBSD Diary
To:
Date: Thu, 4 Feb 1999 06:52:35 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: what were these probes?
Reply-to: junkmale@xtra.co.nz
CC: freebsd-security@FreeBSD.ORG
References: <19990202055804.YRQY682101.mta1-rme@wocker>
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <19990203175238.KHCJ682101.mta1-rme@wocker>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 3 Feb 99, at 10:29, mike@seidata.com wrote:

> > Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
> > Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com
>
> No real exploit here... Looks like tcpd is doing its job. Did you
> have the phf script open to world? What version of Apache are you
> running? I'd suggest enabling (access.conf) the automatic logging of
> phf attempts. Uncomment the following:
>
> <Location /cgi-bin/phf*>
> deny from all
> ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
> </Location>

My cgi-bin directory is empty. And I'm running Apache 1.3 with FP extensions.

> > Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from
> > root@ns.cvvm.com [139.142.106.131]
> > Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from
> > root@ns.cvvm.com [139.142.106.131]
>
> As usual, I'd attempt to forward records of these attempts to all
> related administrative accounts of cvvm.com (root, hostmaster, names
> listed as Whois contacts, etc.). Their system may merely be a hostile
> host, or it may be a hacked site being used as a source for more
> hacks.... in which case the real admins may have no clue about
> what's going on.

This was done.

> What version of sendmail are you running? Not sure about the null
> connection bit... unless they're just, again, trying to see what
> you're running (since older versions were exploit ridden).

sendmail 8.9.2

> Good luck...

Thanks.

> Mike Hoskins

FWIW: We have a guy by this name who does our National Radio news.

--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
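The thread above shows two kinds of probe lines (tcpd "refused connect" from a wrapped telnetd, and sendmail "NOQUEUE: Null connection") arriving from one source within about half a minute, and Mike's advice is to collect the records and send them to the remote site's admins. The following is an added example, not code from either poster or from FreeBSD, that parses such syslog lines, groups them by source host and produces a short per-source summary of the kind one would paste into an abuse report. The first four sample lines are the ones quoted in the thread; the two `scanner.example.net` lines are constructed to show that a second source is kept separate. BSD syslog timestamps carry no year, so the year (1999, from the message headers) is passed in explicitly.

```python
"""Correlate tcpd refusals and sendmail null connections by source host (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# First four lines are quoted from the thread; the last two are constructed
# to show an unrelated second source that must not be merged with the first.
SAMPLE_LOG = """\
Feb  2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
Feb  2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com
Feb  2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
Feb  2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
Feb  2 18:02:11 ns telnetd[29701]: refused connect from scanner.example.net
Feb  2 18:02:12 ns ftpd[29702]: refused connect from scanner.example.net
"""

# BSD syslog prefix: "Mon dd HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# tcpd (libwrap) refusal, logged under the name of whichever daemon was wrapped
REFUSED_RE = re.compile(r"^refused connect from (?P<src>\S+)$")
# sendmail: connection opened and closed without any SMTP transaction
NULLCONN_RE = re.compile(
    r"^NOQUEUE: Null connection from (?:(?P<user>[^@\s]+)@)?(?P<src>[^\s\[]+)(?: \[(?P<ip>[\d.]+)\])?$"
)


def parse_event(line, year):
    """Return (timestamp, program, source_host, source_ip_or_None), or None for other lines."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    r = REFUSED_RE.match(msg)
    if r:
        return ts, m["prog"], r["src"], None
    n = NULLCONN_RE.match(msg)
    if n:
        return ts, m["prog"], n["src"], n["ip"]
    return None


def summarize_probes(log_text, year):
    """Group probe events by source host: hits per daemon, IPs seen, first/last time, span."""
    per_host = defaultdict(lambda: {"services": Counter(), "ips": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        ev = parse_event(line, year)
        if ev is None:
            continue
        ts, prog, src, ip = ev
        rec = per_host[src]
        rec["services"][prog] += 1
        if ip:
            rec["ips"].add(ip)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    for rec in per_host.values():
        rec["span_seconds"] = int((rec["last"] - rec["first"]).total_seconds())
        rec["total"] = sum(rec["services"].values())
    return dict(per_host)


def abuse_report(summary, src):
    """Plain-text summary for one source host, suitable for mailing to that site's contacts."""
    rec = summary[src]
    ips = ", ".join(sorted(rec["ips"])) or "no IP logged"
    lines = [
        f"Probes from {src} ({ips})",
        f"  {rec['total']} connections between {rec['first']:%Y-%m-%d %H:%M:%S} "
        f"and {rec['last']:%Y-%m-%d %H:%M:%S} ({rec['span_seconds']} s)",
    ]
    for prog, n in sorted(rec["services"].items()):
        lines.append(f"  {prog}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize_probes(SAMPLE_LOG, 1999)
    for host in summary:
        print(abuse_report(summary, host), end="\n\n")
```

The "Null connection" pattern is only a banner grab or port check unless a real SMTP transaction follows, so the report carries counts and timing rather than any claim about what was attempted; matching on the message body rather than the daemon name lets the same tcpd regex pick up refusals logged by ftpd, rlogind or any other wrapped service.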