From: Kent Stewart
Date: Sat, 20 Oct 2001 14:36:48 -0700
To: Michael MacKinnon
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: attackers! How do I know whether or not they were successful?
Message-ID: <3BD1EE70.DF489FD1@owt.com>

Michael MacKinnon wrote:
>
> I noticed in my logs what appears to be an attempt to try a buffer overflow
> in my apache logs.
> I've included the excerpts from my logs below for reference.
>
> My questions:
> 1) I haven't opened up port 80 with my firewall. How did they connect? Is there
> a problem with my rules? (I've included those below for reference as well)

Don't use that firewall.

>
> 2) How can I tell how successful the attempt was?

It wasn't; it is an MS IIS exploit.

>
> 3) Any ideas what the attempt was trying to do? Is this a known exploit? Where
> would I find out?

Visit http://www.cert.org/advisories/CA-2001-19.html

>
> 4) What do I do now? Anything else I should do?
Email the site and tell them they are running Code Red, or ignore it. You should be seeing hundreds of Nimda hits, and 1 attempt by Code Red is microscopic.

Kent

>
> Thanks for all your help in this.
> Mike
>
> Notes:
> I have FreeBSD 4.4 recently installed from an iso image.
>
> My Firewall Rules:
> block in on dc0
> block in log quick on dc0 from 192.168.0.0/16 to any
> block in log quick on dc0 from 172.16.0.0/12 to any
> block in log quick on dc0 from 10.0.0.0/8 to any
> block in log quick on dc0 from 127.0.0.0/8 to any
> block in log quick on dc0 from /32 to any
> # allow my own network stuff to get out
> pass out quick on dc0 proto tcp/udp from 192.168.0.0/24 to any keep state
> pass out quick on dc0 proto icmp from 192.168.0.0/24 to any keep state
> pass out quick on dc0 proto tcp/udp from /32 to any keep state
>
> httpd-error contents:
> [Sat Oct 19 13:25:07 2001] [error] [client 131.123.8.178] Client sent
> malformed Host header
>
> httpd-access contents:
> 131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 400 341 "-" "-"
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Kent Stewart
Richland, WA
http://users.owt.com/kstewart

Carl Sagan quote on Seti@home http://setiathome.ssl.berkeley.edu/pale_blue_dot.html
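Added example, not part of the thread: a small Python checker that picks the Code Red request pattern out of Apache access-log lines like the one Mike quoted and uses the HTTP status to separate a probe the server rejected from one that got an answer. The log lines are constructed (the first is modelled on the quoted one, shortened), and the signature regex is my own approximation of the CA-2001-19 request, not a published rule.

```python
import re

# Constructed sample access-log lines (combined format), not the poster's real log.
SAMPLE_LOG = """\
131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET /default.ida?NNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 341 "-" "-"
10.0.0.5 - - [19/Oct/2001:13:30:11 -0700] "GET /index.html HTTP/1.0" 200 1042 "-" "Mozilla/4.77"
192.0.2.9 - - [19/Oct/2001:14:02:45 -0700] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 0 "-" "-"
"""

# Minimal parser for the fields we need: client IP, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Code Red signature (approximation): a GET for /default.ida with a long run of
# filler characters (N in the original worm, X in the later variant) followed by
# %uXXXX-encoded payload. The worm only works against the IIS .ida ISAPI filter.
CODE_RED_RE = re.compile(r'^/default\.ida\?[NX]{8,}.*%u[0-9a-f]{4}', re.IGNORECASE)

def classify(line):
    """Return (ip, verdict) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if not CODE_RED_RE.match(m.group("path")):
        return (m.group("ip"), "benign")
    status = int(m.group("status"))
    # A 4xx from Apache (400 in the quoted log) means the request was rejected
    # before anything ran. A 2xx means some handler answered a .ida request,
    # which on a non-IIS host is unexpected and worth looking at.
    verdict = "code-red-rejected" if 400 <= status < 500 else "code-red-investigate"
    return (m.group("ip"), verdict)

def scan(log_text):
    """Classify every non-empty line of an access log, skipping unparseable ones."""
    results = [classify(l) for l in log_text.splitlines() if l.strip()]
    return [r for r in results if r is not None]

if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```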