Date:      Thu, 4 Feb 1999 06:52:35 +1300
From:      "Dan Langille" <junkmale@xtra.co.nz>
To:        <mike@seidata.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: what were these probes?
Message-ID:  <19990203175238.KHCJ682101.mta1-rme@wocker>
In-Reply-To: <Pine.BSF.4.05.9902031021040.15985-100000@ns1.seidata.com>
References:  <19990202055804.YRQY682101.mta1-rme@wocker>

On 3 Feb 99, at 10:29, mike@seidata.com wrote:

> > Feb  2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
> > Feb  2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com
> 
> No real exploit here...  Looks like tcpd is doing its job.  Did you
> have the phf script open to world?  What version of Apache are you
> running?  I'd suggest enabling (access.conf) the automatic logging of
> phf attempts.  Uncomment the following:
>
> <Location /cgi-bin/phf*>
> deny from all
> ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
> </Location>

My cgi-bin directory is empty.  And I'm running Apache 1.3 with FP 
extensions.

> > Feb  2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from 
> > root@ns.cvvm.com [139.142.106.131]
> > Feb  2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from 
> > root@ns.cvvm.com [139.142.106.131]
> 
> As usual, I'd attempt to forward records of these attempts to all
> related administrative accounts of cvvm.com (root, hostmaster, names
> listed as Whois contacts, etc.).  Their system may merely be a hostile
> host, or it may be a hacked site being used as a source for more
> hacks....  in which case the real admins may have no clue about
> what's going on.

This was done.

> What version of sendmail are you running?  Not sure about the null
> connection bit...  unless they're just, again, trying to see what
> you're running (since older versions were exploit-ridden).

sendmail 8.9.2

> Good luck...

Thanks.

>  Mike Hoskins

FWIW: We have a guy by this name who does our National Radio news.

--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd
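
The log lines quoted in this thread show one source reaching telnetd and sendmail within about half a minute. The following is an added example, not part of the original messages: it parses those syslog lines and flags any source host that hits several services inside a short window. The function names, the 300-second window, the two-service threshold and the year (syslog lines carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines quoted in the thread (wrapped sendmail lines rejoined onto one line).
SAMPLE_LOG = """\
Feb  2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
Feb  2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com
Feb  2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
Feb  2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
"""

# timestamp, logging host, service[pid], message
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+)\[\d+\]: (.*)$")
# tcpd refusals and sendmail null connections; an optional user@ prefix is dropped
PROBE = re.compile(r"(?:refused connect from|Null connection from) (?:\S+@)?(\S+)")

def parse(log, year=1999):
    """Yield (timestamp, service, source_host) for probe-like lines.
    The year is an assumption, since syslog timestamps omit it."""
    for line in log.splitlines():
        m = LINE.match(line)
        p = PROBE.search(m.group(3)) if m else None
        if p:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), p.group(1)

def multi_service_probes(log, window_s=300, min_services=2):
    """Return {host: sorted services} for hosts that touched at least
    min_services distinct services within window_s seconds."""
    events = defaultdict(list)
    for ts, svc, host in parse(log):
        events[host].append((ts, svc))
    flagged = {}
    for host, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # services seen from this event up to window_s seconds later
            svcs = {s for t, s in evs[i:] if (t - start).total_seconds() <= window_s}
            if len(svcs) >= min_services:
                flagged[host] = sorted(svcs)
                break
    return flagged

if __name__ == "__main__":
    print(multi_service_probes(SAMPLE_LOG))
```
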
