From owner-freebsd-questions Thu Dec 13 3:10: 8 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from rutger.owt.com (rutger.owt.com [204.118.6.16]) by hub.freebsd.org (Postfix) with ESMTP id 5473437B417 for ; Thu, 13 Dec 2001 03:09:53 -0800 (PST)
Received: from owt.com (owt-207-41-94-232.owt.com [207.41.94.232]) by rutger.owt.com (8.9.3/8.9.3) with ESMTP id DAA25088; Thu, 13 Dec 2001 03:08:09 -0800
Message-ID: <3C188C19.5070906@owt.com>
Date: Thu, 13 Dec 2001 03:08:09 -0800
From: Kent Stewart
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1
X-Accept-Language: en-us
MIME-Version: 1.0
To: Jim Conner
Cc: jacks@sage-american.com, BSDJunk, freebsd-questions@FreeBSD.ORG
Subject: Re: Intruder attempts?
References: <5.1.0.14.0.20011212003317.02b7d320@mail.enterit.com> <048101c18149$ca0363a0$0801a8c0@lan.1729.net> <5.1.0.14.0.20011210014602.04020258@mail.enterit.com> <5.1.0.14.0.20011213004311.03082820@mail.enterit.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Jim Conner wrote:

> At 00:18 12.12.2001 -0600, jacks@sage-american.com wrote:
>
>> I'm getting pounded with these attempts as well...two different sources:
>>
>> 202.172.44.253 - - [11/Dec/2001:12:14:59 -0600] "GET
>> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>> NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
>> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>> HTTP/1.0" 400 325 "-" "-"

You are getting hit by multiple attempts.
The first is Code Red I and the second is Nimda. Some people have scripts that you can install for Apache to keep this stuff from overflowing your httpd-??.log. One of the places to check on MS-oriented viruses/worms is http://www.cert.org/. They identify and give you a link to a fix. They have one there for System V and HP-UX, so it isn't just MS.

Kent

>>
>> 64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET
>> /scripts/root.exe?/c+dir
>> HTTP/1.0" 404 283 "-" "-"
>> 64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /MSADC/root.exe?/c+dir
>> HTTP/1.0" 404 281 "-" "-"
>> 64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET
>> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
>>
>
>
> This is indicative of an exploit to IIS on NT/2K.
>
>> Attacks have been going on for several days on a brand new (experimental)
>> web site
>> www.sage-one.net just cranked up a few days ago.
>
>
> Check with http://www.incidents.org and see if anyone else is
> experiencing similar attacks. Chances are they are and this could be a
> worm (new or old anyone?). I haven't really kept up with new exploits
> to IIS but I know that what I am seeing in your logs is not familiar to
> me (i.e. Code Red or Nimda) except for the first line:
> /default.ida?NNN... This looks a little like Code Red but it's different
> too. If you are running Apache (and it looks like you are at least not
> running IIS or else you probably wouldn't be posting to this list) then
> you should be fine. All I'd look at is the amount of bandwidth that
> could be being used.
>
> - Jim
>
>> It's the only thing on the box except a LAN is attached. Not much to
>> get to that is sensitive except be malicious.
>>
>> At 12:35 AM 12.12.2001 -0500, Jim Conner wrote:
>> >At 08:10 12.10.2001 +0100, BSDJunk wrote:
>> >
>> >>Portmap has nothing to do with rsh or rcp. It is needed for NFS
>> >>servers and for NIS e.g.
>> >
>> >Heh, I hate it when I say dumb, i.e. wrong, things. :) Thank you for
>> >correcting me.
>> >However, I am still correct that this is an rpc.statd
>> >exploit. In /etc/rc.conf (/etc/defaults/rc.conf) find rpc_statd_enable and
>> >make it equal to "NO".
>> >
>> >
>> >>----- Original Message -----
>> >>From: "Jim Conner"
>> >>To:
>> >>Cc:
>> >>Sent: Monday, December 10, 2001 7:46 AM
>> >>Subject: Re: Intruder attempts?
>> >>
>> >>
>> >> > At 07:58 12.09.2001 -0600, jacks@sage-american.com wrote:
>> >> > >I've noticed this often on the console of the server and appears
>> >> > >to be intruder attempts to login: This is just a snippet:
>> >> > >
>> >> > >
>> >> > >server1.net kernel log messages:
>> >> > > > Dec 8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat:
>> >> > >^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M-w
>> >> > >\M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%
>> >> > >n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
>> >> > >
>> >> > >
>> >> >
>> >> > This is a bad thing. This is somebody attempting to use a buffer
>> >> > overflow exploit against your rpc services. If you don't need them, I
>> >> > suggest you turn portmap off. That means that if you don't want or need
>> >> > people rsh'ing, rcp'ing, etc. into your box, turn off portmap.
>> >> >
>> >> > - Jim
>> >> >
>> >> >
>> >> > >Best regards,
>> >> > >Jack L. Stone,
>> >> > >Server Admin
>> >> > >
>> >> > >Sage-American
>> >> > >http://www.sage-american.com
>> >> > >jacks@sage-american.com
>> >> > >
>> >> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
>> >> > >with "unsubscribe freebsd-questions" in the body of the message
>> >> >
>> >> >
>> >> >
>> >> > - Jim
>> >> >
>> >> > -~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
>> >> > http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861
>> >> >
>> >> > -----BEGIN PERL GEEK CODE BLOCK-----   ------BEGIN GEEK CODE BLOCK------
>> >> > Version: 0.01                          Version: 3.12
>> >> > P++>*@$c?P6?R+++>++++@$M               GIT/CM/J d++(--) s++:++ a-
>> >> > >++++$O!MA->++++E!> PU-->+++BD        C++++(+) UB++++$L++++$S++++$
>> >> > $C-@D!>++++(-)$S++++@$X?WP+>++++MO!>+++  P++(+)>+++++ L+++(++++)>+++++$ !E*
>> >> > +PP+++>++++n-CO?PO!o >++++G            W++(+++) N+ o !K w--- PS---(-)@ PE
>> >> > >*(!)$A-->++++@$Ee---(-)Ev++uL++>*@$uB+  Y+>+++ PGP t+(+++)>+++@ 5- X++ R@
>> >> > >*@$uS+>*@$uH+uo+w-@$m!                tv+ b? DI-(+++) D+++(++) G(++++)
>> >> > ------END PERL GEEK CODE BLOCK------   ------END GEEK CODE BLOCK------
>> >> >
>> >
>> >
>> >- Jim
>> >
>>
>
> - Jim
>

-- 
Kent Stewart
Richland, WA

mailto:kbstew99@hotmail.com
http://users.owt.com/kstewart/index.html

FreeBSD News http://daily.daemonnews.org/
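The three kinds of probe quoted in this thread can be told apart mechanically rather than by eye. What follows is an added example, not code from the thread or from any of its authors: a small Python script that classifies Apache access-log lines as Code Red (the /default.ida?NNN...%uXXXX request) or Nimda (the root.exe and cmd.exe?/c+ probes), and rpc.statd syslog lines whose "hostname" is a run of %x/%n conversions, which is the signature of a format-string attack on statd's syslog() call. The sample log lines are constructed to resemble the ones quoted above; the addresses, timestamps and hostnames are illustrative, and the category names are this example's own.

```python
"""Sort the worm/exploit probes quoted in this thread into what they are.

Added example, not code from the thread.  The sample lines below are
constructed to resemble the Apache access-log and rpc.statd syslog entries
quoted above; addresses, timestamps and hostnames are illustrative.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Apache common/combined log: ip ident user [ts] "METHOD URI PROTO" status ...
APACHE_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) '
)

# Code Red: GET /default.ida?NNNN...%u9090%u6858...  (overflow in the .ida
# ISAPI filter; the %uXXXX run is the Unicode-encoded payload).
CODE_RED = re.compile(r'^/default\.ida\?N+%u[0-9a-f]{4}', re.IGNORECASE)

# Nimda: probes for the root.exe backdoor left behind by Code Red II and for
# the IIS directory-traversal routes to cmd.exe, each with "?/c+<command>".
NIMDA = re.compile(r'/(?:root\.exe|cmd\.exe)\?/c\+', re.IGNORECASE)

# rpc.statd: a client "hostname" made of %x/%n conversions is a format-string
# attack on statd's syslog() call (the %n writes are the tell-tale), not a
# misconfigured NFS client.
STATD_LINE = re.compile(r'rpc\.statd: invalid hostname to sm_stat: (?P<payload>.*)$')
FORMAT_SPEC = re.compile(r'%\d*[nx]')


def classify(line: str) -> Optional[Tuple[str, str, bool]]:
    """Return (category, source, served) for a probe, or None for normal traffic.

    `served` is True when an HTTP probe was answered 2xx.  On an Apache box
    these requests should only ever draw 400/404; a 200 means something on
    the server actually handled a request for cmd.exe and needs a look.
    """
    m = APACHE_LOG.match(line)
    if m:
        ip, uri, status = m['ip'], m['uri'], int(m['status'])
        served = 200 <= status < 300
        if CODE_RED.search(uri):
            return ('code-red', ip, served)
        if NIMDA.search(uri):
            return ('nimda', ip, served)
        return None
    m = STATD_LINE.search(line)
    if m and len(FORMAT_SPEC.findall(m['payload'])) >= 3:
        # syslog records the local host, not the peer, so the "source" we can
        # report here is the machine that was probed (field 4 of the line).
        fields = line.split()
        host = fields[3] if len(fields) > 3 else '?'
        return ('rpc.statd-format-string', host, False)
    return None


def summarize(lines: List[str]) -> Dict[str, object]:
    """Tally probes by category and by source, and list any that were served."""
    by_category: Counter = Counter()
    by_source: Counter = Counter()
    served: List[str] = []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        category, source, was_served = hit
        by_category[category] += 1
        by_source[source] += 1
        if was_served:
            served.append(line)
    return {'by_category': by_category, 'by_source': by_source, 'served': served}


SAMPLE_LINES = [
    # constructed: Code Red .ida probe, N-run and %u payload as in the thread
    '202.172.44.253 - - [11/Dec/2001:12:14:59 -0600] "GET /default.ida?'
    + 'N' * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
    '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a'
    ' HTTP/1.0" 400 325 "-" "-"',
    # constructed: Nimda backdoor and traversal probes
    '64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"',
    '64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"',
    '64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"',
    # constructed: an ordinary request that must not be flagged
    '10.0.0.5 - - [11/Dec/2001:22:51:00 -0600] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    # constructed: rpc.statd syslog line carrying the %8x...%n format-string payload
    'Dec  8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat: '
    '^X\\M-w\\M^?\\M-?^X\\M-w\\M^?\\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^P',
]

if __name__ == '__main__':
    report = summarize(SAMPLE_LINES)
    for category, count in sorted(report['by_category'].items()):
        print(f'{count:3d}  {category}')
    for source, count in report['by_source'].most_common():
        print(f'{count:3d}  from {source}')
    for line in report['served']:
        print('SERVED A PROBE:', line)
```

Feed it the access log and /var/log/messages together; the classifier ignores lines that match neither shape. The `served` list is the check that matters on a non-IIS host: every worm probe should draw a 400 or 404, and a 200 on a cmd.exe or root.exe request means something on the box answered it. For the log-noise problem Kent mentions, Apache's SetEnvIf directive can mark requests whose Request_URI matches these patterns and a CustomLog with an env=! condition can then leave them out of the access log.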