From: Studded
Organization: Triborough Bridge & Tunnel Authority
Date: Wed, 08 Apr 1998 22:57:56 -0700
To: "G.P."
CC: freebsd-questions@FreeBSD.ORG, G.P@yamuna.will.knipp.de
Subject: Re: Strange lines in /var/log/messages
Message-ID: <352C6364.B76B2E58@san.rr.com>
References: <199804090204.EAA26751@yamuna.will.knipp.de>

G.P. wrote:
>
> Hi!
> Recently I found a line in our /var/log/messages (running 2.2.5) I never saw
> before:
> Apr 9 00:27:20 GET ../..
> like
> Apr 9 00:27:20 123.45.67.89 GET ../..

Same thing happened to one of my customer's systems. Turns out it's some fifteen year old boy's http exploit that happened to connect to your open syslog port. If you don't need to accept logs from remote sites, kill syslogd and restart it with -s. You can also put that flag in /etc/rc.conf.

Doug

PS, thanks to those who responded to my previous question on this topic, I got food poisoning over the weekend and am still catching up.
--
*** Chief Operations Officer, DALnet IRC network ***
*** Proud operator, designer and maintainer of the world's largest
*** Internet Relay Chat server. 5,328 clients and still growing.
*** Try spider.dal.net on ports 6662-4 (Powered by FreeBSD)
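
A defensive check for the symptom discussed in this thread, as an added example that is not part of the original message: it scans syslog-format lines for entries whose text starts with an HTTP request method instead of a program tag, which is what appears when non-syslog traffic reaches syslogd's network port. The sample lines are constructed (two of them are the lines quoted above), and the name find_stray_http is hypothetical.

```python
import re

# Timestamp prefix used in /var/log/messages: "Mon D HH:MM:SS <rest>"
TIMESTAMP = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(.*)$")
HTTP_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT")
# Optional origin field (hostname or IP), then an HTTP method where a
# "program[pid]:" tag would normally be.
STRAY_HTTP = re.compile(
    r"^(?:(\S+)\s+)?(" + "|".join(HTTP_METHODS) + r")\s+(\S+)"
)

def find_stray_http(lines):
    """Return one dict per line that looks like an HTTP request logged by syslogd."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        ts = TIMESTAMP.match(line.rstrip("\n"))
        if not ts:
            continue  # not a syslog-format line
        when, rest = ts.groups()
        req = STRAY_HTTP.match(rest)
        if not req:
            continue  # normal entry: host followed by a program tag
        origin, method, target = req.groups()
        hits.append({
            "line": lineno,
            "time": when,
            "origin": origin,  # None when no host field was recorded
            "method": method,
            "target": target,
            # ".." path components, as in the lines quoted in the thread
            "traversal": ".." in target.split("/"),
        })
    return hits

# Constructed sample; lines 2 and 3 are the ones quoted in the thread.
SAMPLE = [
    "Apr  9 00:26:58 myhost /kernel: de0: enabling 10baseT port",
    "Apr 9 00:27:20 GET ../..",
    "Apr 9 00:27:20 123.45.67.89 GET ../..",
    "Apr  9 00:31:02 myhost httpd[211]: GET /index.html served",
    "Apr  9 00:40:00 myhost su: doug to root on /dev/ttyp0",
]

if __name__ == "__main__":
    for hit in find_stray_http(SAMPLE):
        print(hit)
```

Entries reported with an origin show which remote address sent the data; once syslogd runs with -s as described above, such lines should stop appearing.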