Date:      Thu, 13 Dec 2001 00:48:09 -0500
From:      Jim Conner <jconner@enterit.com>
To:        jacks@sage-american.com
Cc:        "BSDJunk" <BSDJunk@bzerk.org>, <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Intruder attempts?
Message-ID:  <5.1.0.14.0.20011213004311.03082820@mail.enterit.com>
In-Reply-To: <3.0.5.32.20011212001857.01078190@mail.sage-american.com>
References:  <5.1.0.14.0.20011212003317.02b7d320@mail.enterit.com> <048101c18149$ca0363a0$0801a8c0@lan.1729.net> <5.1.0.14.0.20011210014602.04020258@mail.enterit.com>

At 00:18 12.12.2001 -0600, jacks@sage-american.com wrote:
>I'm getting pounded with these attempts as well...two different sources:
><snip/>
>202.172.44.253 - - [11/Dec/2001:12:14:59 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 325 "-" "-
>
>64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
>64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
>64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
></snip>

This is indicative of an exploit against IIS on NT/2K.

>Attacks have been going on for several days on a brand new (experimental)
>web site
>www.sage-one.net just cranked up a few days ago.

Check with http://www.incidents.org and see if anyone else is experiencing 
similar attacks.  Chances are they are and this could be a worm (new or old, 
anyone?).  I haven't really kept up with new exploits to IIS but I know 
that what I am seeing in your logs is not familiar to me (i.e. Code Red or 
Nimda) except for the first line: /default.ida?NNN...  This looks a little 
like Code Red but it's different too.  If you are running Apache (and it 
looks like you are at least not running IIS or else you probably wouldn't 
be posting to this list) then you should be fine.  All I'd look at is the 
amount of bandwidth that could be being used.

- Jim

>It's the only thing on the box except a LAN is attached. Not much to get to
>that is sensitive except be malicious.
>
>At 12:35 AM 12.12.2001 -0500, Jim Conner wrote:
> >At 08:10 12.10.2001 +0100, BSDJunk wrote:
> >
> >>Portmap has nothing to do with rsh or rcp. It is needed for NFS servers and
> >>for NIS e.g.
> >
> >Heh, I hate it when I say dumb, i.e. wrong, things. :)  Thank you for
> >correcting me.  However, I am still correct that this is an rpc.statd
> >exploit.  In /etc/rc.conf (/etc/defaults/rc.conf) find rpc_statd_enable and
> >make it equal to "NO".
> >
> >
> >>----- Original Message -----
> >>From: "Jim Conner" <jconner@enterit.com>
> >>To: <jacks@sage-american.com>
> >>Cc: <freebsd-questions@FreeBSD.ORG>
> >>Sent: Monday, December 10, 2001 7:46 AM
> >>Subject: Re: Intruder attempts?
> >>
> >>
> >> > At 07:58 12.09.2001 -0600, jacks@sage-american.com wrote:
> >> > >I've noticed this often on the console of the server and appears to be
> >> > >intruder attempts to login: This is just a snipet:
> >> > >
> >> > ><snip/>
> >> > >server1.net kernel log messages:
> >> > > > Dec  8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat:
> >> > > > ^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M-w\M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> >> > ></snip>
> >> > >
> >> >
> >> > This is a bad thing.  This is somebody attempting to use a buffer
> >> > overflow exploit against your rpc services.  If you don't need them, I
> >> > suggest you turn portmap off.  That means that if you don't want or need
> >> > people rsh'ing, rcp'ing, etc. into your box, turn off portmap.
> >> >
> >> > - Jim
>
>Best regards,
>Jack L. Stone,
>Server Admin
>
>Sage-American
>http://www.sage-american.com
>jacks@sage-american.com



- Jim

-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861

-----BEGIN PERL GEEK CODE BLOCK-----      ------BEGIN GEEK CODE BLOCK------
Version: 0.01                             Version: 3.12
P++>*@$c?P6?R+++>++++@$M                  GIT/CM/J d++(--) s++:++ a-
 >++++$O!MA->++++E!> PU-->+++BD            C++++(+) UB++++$L++++$S++++$
$C-@D!>++++(-)$S++++@$X?WP+>++++MO!>+++   P++(+)>+++++ L+++(++++)>+++++$ !E*
+PP+++>++++n-CO?PO!o >++++G               W++(+++) N+ o !K w--- PS---(-)@ PE
 >*(!)$A-->++++@$Ee---(-)Ev++uL++>*@$uB+   Y+>+++ PGP t+(+++)>+++@ 5- X++ R@
 >*@$uS+>*@$uH+uo+w-@$m!                   tv+ b? DI-(+++) D+++(++) G(++++)
------END PERL GEEK CODE BLOCK------      ------END GEEK CODE BLOCK------


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
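The Apache lines Jack quoted are the two request shapes that IIS worms of that period left in everyone's logs: the /default.ida?NNN...%u9090 request is the well-known Code Red probe, and root.exe / cmd.exe?/c+dir through /scripts, /MSADC and /c/winnt are the Nimda-style command probes. As an added example (not code from this thread), here is a small Python filter that parses Apache common-log lines, tags those request shapes, and totals per-source volume, which is the one thing Jim says is worth watching on an Apache box since the 400/404 statuses show nothing executed. The sample lines are reconstructed from the ones quoted above (the N-run is 224 characters, the trailing quote restored); the 10.0.0.5 line, the rule names and the traversal rule are my own additions.

```python
import re

# Apache common log format: host ident user [time] "request" status bytes ...
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Request-path rules, checked in order; the tag names are my own labels.
RULES = [
    # Code Red: /default.ida? padded with a long run of N (X for the second
    # variant), then the %uXXXX-encoded payload.
    ("code-red-ida", re.compile(r'^/default\.ida\?[NX]{50,}%u[0-9a-f]{4}', re.I)),
    # Nimda-style: run root.exe (the backdoor Code Red II left behind) or
    # cmd.exe through IIS with "/c dir" as a reachability test.
    ("iis-cmd-probe", re.compile(r'/(?:root|cmd)\.exe\?/c\+', re.I)),
    # IIS unicode / double-decode directory traversal (added rule).
    ("iis-traversal", re.compile(r'%c0%af|%c1%1c|%255c|\.\./', re.I)),
]


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it is not CLF."""
    m = CLF_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def classify(path):
    """Return the tag of the first rule matching a request path, else None."""
    for tag, pat in RULES:
        if pat.search(path):
            return tag
    return None


def summarize(lines):
    """Per-source totals for lines that hit a rule.

    resp_bytes is what Apache logged (the response size); req_bytes is the
    length of the request line on the wire, the inbound half of the
    bandwidth these probes consume.
    """
    totals = {}
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        tag = classify(rec["path"])
        if tag is None:
            continue
        t = totals.setdefault(rec["host"], {"hits": {}, "resp_bytes": 0, "req_bytes": 0})
        t["hits"][tag] = t["hits"].get(tag, 0) + 1
        t["resp_bytes"] += rec["bytes"]
        t["req_bytes"] += len(rec["request"]) + 2  # + CRLF
    return totals


# Sample input reconstructed from the lines quoted in this thread; the
# 10.0.0.5 line is a constructed benign request the filter should ignore.
CODE_RED_PATH = (
    "/default.ida?" + "N" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
)
SAMPLE_LOG = [
    '202.172.44.253 - - [11/Dec/2001:12:14:59 -0600] "GET ' + CODE_RED_PATH
    + ' HTTP/1.0" 400 325 "-" "-"',
    '64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"',
    '64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"',
    '64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"',
    '10.0.0.5 - - [11/Dec/2001:23:00:00 -0600] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, t in sorted(summarize(SAMPLE_LOG).items()):
        print(host, t["hits"], "resp", t["resp_bytes"], "req", t["req_bytes"])
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; a source that trips the same rule many times per second is the bandwidth case Jim mentions, and the response sizes logged against 400/404 show how little the server is giving back per probe.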

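The rpc.statd line from the first message in this thread is shown the way syslog and the console render non-printable bytes. As an added example (not code from the thread), the following Python decodes those escapes back to bytes and pulls out the payload's structure: a block of repeated 4-byte little-endian pointers, a run of %x pops followed by four width-controlled %n writes (the mark of a format-string attack), and a tail of 0x90 NOPs. PAYLOAD is the quoted log text re-joined across the mail line wraps; the decoder grammar (optional backslash, then M-^c, M^c, M-c, ^c or a literal) is my own reading of the mixed vis(3) and cat -v notation in the quote. The recovered pointers 0xbffff718..0xbffff71b are in the range an i386 Linux user stack occupied, so this payload looks built for the Linux rpc.statd rather than FreeBSD's.

```python
import re
import struct

# The rpc.statd payload as syslog/console rendered it (quoted from the
# thread, re-joined across the mail line wraps; not constructed).
PAYLOAD = (
    r"^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?"
    r"^Z\M-w\M^?\M-?^Z\M-w\M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?"
    r"%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n"
    r"M-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P"
)

# One token of the escaped text.  The quote mixes vis(3) style (\M-x, \M^x,
# ^x) with cat -v style (M-^x), so the backslash is optional and M-^x is
# accepted too.  Assumption: a literal 'M' followed by '-' or '^' does not
# occur in the data, which holds for this payload.
TOKEN_RE = re.compile(r"\\?(?:M-\^(.)|M\^(.)|M-(.)|\^(.)|(.))", re.S)


def decode_vis(text):
    """Turn the escaped rendering back into the raw bytes rpc.statd received."""
    out = bytearray()
    for m in TOKEN_RE.finditer(text):
        meta_ctl1, meta_ctl2, meta, ctl, lit = m.groups()
        if meta_ctl1 is not None or meta_ctl2 is not None:
            c = meta_ctl1 if meta_ctl1 is not None else meta_ctl2
            out.append(0x80 | (ord(c) ^ 0x40))   # M-^P -> 0x90, \M^? -> 0xff
        elif meta is not None:
            out.append(0x80 | ord(meta))          # \M-w -> 0xf7, \M-? -> 0xbf
        elif ctl is not None:
            out.append(ord(ctl) ^ 0x40)           # ^X -> 0x18, ^[ -> 0x1b
        else:
            out.append(ord(lit))
    return bytes(out)


def analyze(raw):
    """Split a decoded format-string payload into addresses, directives, NOPs."""
    fmt_start = raw.find(b"%")
    addr_block = raw[:fmt_start] if fmt_start >= 0 else b""
    # Leading bytes are the pointers %n will write through, little-endian i386.
    addresses = [struct.unpack_from("<I", addr_block, i)[0]
                 for i in range(0, len(addr_block) - 3, 4)]
    # Every conversion spec: %<width>x pops a word and pads the output,
    # %n stores the number of characters printed so far.
    directives = re.findall(rb"%\d*[a-zA-Z%]", raw)
    n_widths, last_width = [], None
    for d in directives:
        if d.endswith(b"n"):
            n_widths.append(last_width)
        else:
            digits = d[1:-1]
            last_width = int(digits) if digits else 0
    nop_runs = re.findall(rb"\x90+", raw)
    return {
        "addresses": addresses,
        "directives": directives,
        "n_writes": len(n_widths),
        "n_widths": n_widths,
        "nop_run": max((len(r) for r in nop_runs), default=0),
    }


if __name__ == "__main__":
    raw = decode_vis(PAYLOAD)
    info = analyze(raw)
    print("targets:", ", ".join(hex(a) for a in info["addresses"]))
    print("%n writes:", info["n_writes"], "after widths", info["n_widths"])
    print("NOP sled:", info["nop_run"], "bytes")
```

Each %n stores the count of characters printed so far into the pointer popped at that position; the %8x pops walk the stack up to the attacker's own pointers, the widths before each %n set the count, and using four addresses one byte apart lets the exploit assemble a 4-byte value one byte at a time. Seeing %n at all in a hostname field is the signal; the fix Jim gives (rpc_statd_enable="NO", or no portmap at all if nothing needs RPC) removes the listener rather than the pattern.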



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5.1.0.14.0.20011213004311.03082820>