Date:      Sat, 20 Oct 2001 14:36:48 -0700
From:      Kent Stewart <kstewart@owt.com>
To:        Michael MacKinnon <mackinnon.m@home.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: attackers! How do I know whether or not they were successful?
Message-ID:  <3BD1EE70.DF489FD1@owt.com>
References:  <20011019105246.Q38148-100000@teak.adhesivemedia.com> <5.0.2.1.0.20011020141127.00a191b0@netmail.home.com>



Michael MacKinnon wrote:
> 
> I noticed in my logs what appears to be an attempt to try a buffer overflow
> in my apache logs.
> I've included the excerpts from my logs below for reference.
> 
> My questions:
> 1) I haven't opened up port 80 with my firewall. How did they connect? Is there
> a problem with my rules? (I've included those below for reference as well)

Don't use that firewall.

> 
> 2) How can I tell how successful the attempt was?

It wasn't; it is an MS IIS exploit.

> 
> 3) Any ideas what the attempt was trying to do? Is this a known exploit? Where
> would I find out?

Visit http://www.cert.org/advisories/CA-2001-19.html

> 
> 4) What do I do now? Anything else I should do?

Email the site and tell them they are running Code Red, or ignore it. You
should be seeing hundreds of Nimda hits, and one attempt by Code Red is
microscopic.

Kent

> 
> Thanks for all your help in this.
> Mike
> 
> Notes:
> I have FreeBSD 4.4 recently installed from an iso image.
> 
> My Firewall Rules:
> block in     on dc0
> block in log quick on dc0 from 192.168.0.0/16 to any
> block in log quick on dc0 from 172.16.0.0/12 to any
> block in log quick on dc0 from 10.0.0.0/8 to any
> block in log quick on dc0 from 127.0.0.0/8 to any
> block in log quick on dc0 from <my ip address>/32 to any
> # allow my own network stuff to get out
> pass out     quick on dc0 proto tcp/udp from 192.168.0.0/24 to any keep state
> pass out     quick on dc0 proto icmp    from 192.168.0.0/24 to any keep state
> pass out     quick on dc0 proto tcp/udp from <my ip address>/32 to any keep state
> 
> httpd-error contents:
> [Sat Oct 19 13:25:07 2001] [error] [client 131.123.8.178] Client sent
> malformed Host header
> 
> httpd-access contents:
> 131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 400 341 "-" "-"
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

-- 
Kent Stewart
Richland, WA
http://users.owt.com/kstewart

Carl Sagan quote on Seti@home
http://setiathome.ssl.berkeley.edu/pale_blue_dot.html
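An added example, not part of the thread: a small Python scanner that picks the Code Red and Nimda probe requests Kent mentions out of Apache access-log lines shaped like the one Mike posted, and records whether Apache rejected each one (the 400 in Mike's log). The sample log lines are constructed, and the Nimda probe strings (root.exe, cmd.exe, the %c0%af and %c1%1c traversal encodings) are my assumption based on the widely published worm signatures, not something from the original post.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the access-log entry in the thread.
SAMPLE_LOG = """\
131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET /default.ida?NNNNNNNNNN%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 400 341 "-" "-"
203.0.113.5 - - [19/Oct/2001:14:02:11 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 209 "-" "-"
203.0.113.5 - - [19/Oct/2001:14:02:12 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 209 "-" "-"
198.51.100.7 - - [19/Oct/2001:14:10:00 -0700] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
"""

# Apache common/combined log format: client, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)

# Request-path signatures. Code Red: the .ida buffer-overflow probe from CA-2001-19.
# Nimda strings are assumed here from the published worm descriptions.
SIGNATURES = {
    "Code Red": re.compile(r"/default\.ida\?[NX]+.*%u9090", re.I),
    "Nimda": re.compile(r"(root\.exe|cmd\.exe|%c0%af|%c1%1c)", re.I),
}

def classify(line):
    """Return a hit record for a worm probe line, or None for normal traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for worm, sig in SIGNATURES.items():
        if sig.search(m["path"]):
            status = int(m["status"])
            # A 4xx/5xx means Apache did not serve the request; on a non-IIS
            # host these IIS probes cannot succeed regardless of the status.
            return {"ip": m["ip"], "when": m["ts"], "worm": worm,
                    "status": status, "rejected": status >= 400}
    return None

def scan(text):
    """Classify every line of an access log; keep only the worm probes."""
    return [hit for hit in map(classify, text.splitlines()) if hit]

def summarize(hits):
    """Count probes per worm, the 'hundreds of Nimda hits' view from the reply."""
    return dict(Counter(hit["worm"] for hit in hits))

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for hit in found:
        print(f'{hit["when"]} {hit["ip"]:<15} {hit["worm"]:<9} status={hit["status"]} rejected={hit["rejected"]}')
    print(summarize(found))
```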
