Date: Thu, 13 Dec 2001 08:03:07 -0600
From: jacks@sage-american.com
To: Kent Stewart <kstewart@owt.com>, Jim Conner <jconner@enterit.com>
Cc: BSDJunk <BSDJunk@bzerk.org>, freebsd-questions@FreeBSD.ORG
Subject: Re: Intruder attempts?
Message-ID: <3.0.5.32.20011213080307.03dc67c8@mail.sage-american.com>
In-Reply-To: <3C188C19.5070906@owt.com>
References: <5.1.0.14.0.20011212003317.02b7d320@mail.enterit.com> <048101c18149$ca0363a0$0801a8c0@lan.1729.net> <5.1.0.14.0.20011210014602.04020258@mail.enterit.com> <5.1.0.14.0.20011213004311.03082820@mail.enterit.com>
Yeah, I'm running FreeBSD 4.4-STABLE with the latest Apache from ports. It looks clear that they are bouncing off thanks to FBSD. Just amazing how many login attempts are made too... then the warez kids already left footprints in FTP incoming (secured)...

The new web site is only about a week old and just building, tightening security and have logs on rotation. The ipfw/natd log almost caught me off-guard when it almost filled /var in a single day! That's now capped in the newsyslog rotation... these attacks were so instant, I barely had time to configure some of these things... that's why I have no useful content there until the security is better.

Then will start to migrate a number of hosts now running on a dedicated BSDi server from a remote as I test and tweak each type of setup as the needs vary, including some with large majordomo mail lists and one with a complicated custom authentication setup. Suspect time is of the essence since I have been on that BSDi server for several years, it's getting old and am being pushed to upgrade to a system I don't want (requiring reconfigs of things, plus learning curve). My alternative is to bring each host inhouse one at a time and ultimately have total control. Fibre lines are being laid in this area now, which is good timing for the ones with the large bandwidth needs.

Am VERY happy with FreeBSD and that was a good move! Thanks for the feedback from everyone... the progress toward this objective has been reasonably painless thanks in part to the help from so many good folks on this list. In fact, this has been fun.... but, much yet to do.... later.
At 03:08 AM 12.13.2001 -0800, Kent Stewart wrote:
>
>Jim Conner wrote:
>
>> At 00:18 12.12.2001 -0600, jacks@sage-american.com wrote:
>>
>>> I'm getting pounded with these attempts as well...two different sources:
>>> <snip/>
>>> 202.172.44.253 - - [11/Dec/2001:12:14:59 -0600] "GET
>>> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>>> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>>> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
>>> NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
>>> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>>> HTTP/1.0" 400 325 "-" "-
>
>You are getting hit by multiple attempts. The first is Code Red I and
>the second is Nimda. Some people have scripts that you can install for
>Apache to keep this stuff from overflowing your httpd-??.log
>
>One of the places to check on MS oriented virus/worms is
>http://www.cert.org/. They identify and give you a link to a fix. They
>have one there for System V and HP-UX, so it isn't just MS.
>
>Kent
>
>>> 64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /scripts/root.exe?/c+dir
>>> HTTP/1.0" 404 283 "-" "-"
>>> 64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /MSADC/root.exe?/c+dir
>>> HTTP/1.0" 404 281 "-" "-"
>>> 64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET
>>> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
>>> </snip>
>>
>> This is indicative of an exploit to IIS on NT/2K.
>>
>>> Attacks have been going on for several days on a brand new (experimental)
>>> web site www.sage-one.net just cranked up a few days ago.
>>
>> Check with http://www.incidents.org and see if anyone else is
>> experiencing similar attacks. Chances are they are and this could be a
>> worm (new or old anyone?). I haven't really kept up with new exploits
>> to IIS but I know that what I am seeing in your logs is not familiar to
>> me (ie code red or Nimda) except for the first line:
>> /default.ida?NNN... This looks a little like code red but it's different
>> too. If you are running Apache (and it looks like you are at least not
>> running IIS or else you probably wouldn't be posting to this list) then
>> you should be fine. All I'd look at is the amount of bandwidth that
>> could be being used.
>>
>> - Jim
>>
>>> It's the only thing on the box except a LAN is attached. Not much to
>>> get to that is sensitive except be malicious.
>>>
>>> At 12:35 AM 12.12.2001 -0500, Jim Conner wrote:
>>> >At 08:10 12.10.2001 +0100, BSDJunk wrote:
>>> >
>>> >>Portmap has nothing to do with rsh or rcp. It is needed for NFS
>>> >>servers and for NIS e.g.
>>> >
>>> >Heh, I hate it when I say dumb ie wrong things. :) Thank you for
>>> >correcting me. However, I am still correct that this is an rpc.statd
>>> >exploit. In /etc/rc.conf (/etc/defaults/rc.conf) find rpc_statd_enable
>>> >and make it equal to "NO".
>>> >
>>> >>----- Original Message -----
>>> >>From: "Jim Conner" <jconner@enterit.com>
>>> >>To: <jacks@sage-american.com>
>>> >>Cc: <freebsd-questions@FreeBSD.ORG>
>>> >>Sent: Monday, December 10, 2001 7:46 AM
>>> >>Subject: Re: Intruder attempts?
>>> >>
>>> >> > At 07:58 12.09.2001 -0600, jacks@sage-american.com wrote:
>>> >> > >I've noticed this often on the console of the server and appears
>>> >> > >to be intruder attempts to login: This is just a snippet:
>>> >> > >
>>> >> > ><snip/>
>>> >> > >server1.net kernel log messages:
>>> >> > > > Dec 8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat:
>>> >> > >^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M-w
>>> >> > >\M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%
>>> >> > >n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
>>> >> > ></snip>
>>> >> >
>>> >> > This is a bad thing. This is somebody attempting to use a buffer
>>> >> > overflow exploit against your rpc services. If you don't need them,
>>> >> > I suggest you turn portmap off. That means that if you don't want or
>>> >> > need people rsh'ing, rcp'ing, etc into your box, turn off portmap.
>>> >> >
>>> >> > - Jim
>>> >> >
>>> >> > >Best regards,
>>> >> > >Jack L. Stone,
>>> >> > >Server Admin
>>> >> > >
>>> >> > >Sage-American
>>> >> > >http://www.sage-american.com
>>> >> > >jacks@sage-american.com
>>> >> > >
>>> >> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
>>> >> > >with "unsubscribe freebsd-questions" in the body of the message
>>> >> >
>>> >> > - Jim
>>> >> >
>>> >> > -~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
>>> >> > http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861
>>> >> >
>>> >> > -----BEGIN PERL GEEK CODE BLOCK----- ------BEGIN GEEK CODE BLOCK------
>>> >> > Version: 0.01 Version: 3.12
>>> >> > P++>*@$c?P6?R+++>++++@$M GIT/CM/J d++(--) s++:++ a-
>>> >> > >++++$O!MA->++++E!> PU-->+++BD C++++(+) UB++++$L++++$S++++$
>>> >> > $C-@D!>++++(-)$S++++@$X?WP+>++++MO!>+++ P++(+)>+++++ L+++(++++)>+++++$ !E*
>>> >> > +PP+++>++++n-CO?PO!o >++++G W++(+++) N+ o !K w--- PS---(-)@ PE
>>> >> > >*(!)$A-->++++@$Ee---(-)Ev++uL++>*@$uB+ Y+>+++ PGP t+(+++)>+++@ 5- X++ R@
>>> >> > >*@$uS+>*@$uH+uo+w-@$m! tv+ b? DI-(+++) D+++(++) G(++++)
>>> >> > ------END PERL GEEK CODE BLOCK------ ------END GEEK CODE BLOCK------
>>> >
>>> >- Jim
>>> >
>>
>> - Jim
>>
>
>--
>Kent Stewart
>Richland, WA
>
>mailto:kbstew99@hotmail.com
>http://users.owt.com/kstewart/index.html
>FreeBSD News http://daily.daemonnews.org/

Best regards,
Jack L. Stone,
Server Admin

Sage-American
http://www.sage-american.com
jacks@sage-american.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
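As an added illustration (not from the thread or any of its participants): a small Python classifier that applies the labels Kent gives to access-log lines like the ones quoted above, counts probes per source, and tallies the bytes Apache sent back, which is the bandwidth point Jim raises. The sample log is constructed from the thread's own entries (Code Red payload shortened) plus one ordinary request; the `served_2xx` flag would mark a probe that was actually answered with content rather than a 400/404.

```python
import re
from collections import Counter, defaultdict

# Apache common log prefix, as in the entries quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Request-path signatures for the two worm families Kent names (first match wins).
SIGNATURES = (
    ("Code Red", re.compile(r"^/default\.ida\?N+")),
    ("Nimda", re.compile(r"(?i)/(?:root|cmd)\.exe\?")),
)

# Constructed sample: the thread's own probe lines (Code Red payload shortened)
# plus one ordinary request that must not be flagged.
SAMPLE_LOG = """\
202.172.44.253 - - [11/Dec/2001:12:14:59 -0600] "GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 400 325 "-" "-"
64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
192.0.2.7 - - [11/Dec/2001:23:01:02 -0600] "GET /index.html HTTP/1.0" 200 1532 "-" "-"
"""

def classify(line):
    """Return (ip, label, status, bytes) for a worm probe, None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for label, sig in SIGNATURES:
        if sig.search(m.group("path")):
            sent = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
            return m.group("ip"), label, int(m.group("status")), sent
    return None

def summarize(log_text):
    """Per source: probe counts by worm label, bytes sent back, and whether any got a 2xx."""
    report = defaultdict(lambda: {"hits": Counter(), "bytes": 0, "served_2xx": False})
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        ip, label, status, sent = hit
        report[ip]["hits"][label] += 1
        report[ip]["bytes"] += sent
        if 200 <= status < 300:   # a probe answered with content, not a 400/404
            report[ip]["served_2xx"] = True
    return dict(report)
```

Feeding a rotated httpd log through `summarize` gives a per-source view of how much of the traffic Jack describes is worm noise that Apache is already rejecting.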