Date: Mon, 22 Oct 2001 19:16:06 -0400
From: "Bara Zani" <bara_zani@yahoo.com>
To: <freebsd-questions@FreeBSD.org>
Subject: Re: attackers! How do I know whether or not they were successful?
Message-ID: <003701c15bd0$817cf5e0$846e34c6@kushkush>
References: <20011022172710.A36179@acadia.ne.mediaone.net>
www.dns2go.com

----- Original Message -----
From: "Louis LeBlanc" <leblanc+freebsd@acadia.ne.mediaone.net>
To: <freebsd-questions@FreeBSD.org>
Sent: Monday, October 22, 2001 5:27 PM
Subject: Re: attackers! How do I know whether or not they were successful?

> Sorry I don't have the actual message to reply to, but I got kicked
> off the list this weekend because my ISP hosed its dns server <GRRR>.
> Anyone know of a dns service that can serve a domain to a DHCP IP?
>
> Anyway, here is the message quoted from the Archives:
>
> ------------------------------------------------------------------
> > Date: Sat, 20 Oct 2001 14:34:10 -0500
> > From: Michael MacKinnon <mackinnon.m@home.com>
> > To: freebsd-questions@FreeBSD.ORG
> > Subject: attackers! How do I know whether or not they were successful?
> > Message-ID: <5.0.2.1.0.20011020141127.00a191b0@netmail.home.com>
> >
> > I noticed in my logs what appears to be an attempt to try a buffer
> > overflow in my apache logs.
> > I've included the excerpts from my logs below for reference.
> >
> > My questions:
> > 1) I haven't opened up port 80 with my firewall. How did they connect?
> > Is there a problem with my rules? (I've included those below for
> > reference as well)
>
> I looked at the log entry. Is this the only one you got? Did you get
> any looking for any 'root.exe' or 'shell.exe' or such things? Those
> would likely be the Nimda worm trying to spread. What you have is
> the CodeRed or CodeRed II worm as someone else already suggested. You
> can ignore this if you like or you can handle it by reporting it to
> the abuse authorities for that domain. They will (presumably) inform
> someone administering the machine that it is infected.
>
> > 2) How can I tell how successful the attempt was?
>
> It wasn't if you are not running IIS on a Win$ O$.
>
> > 3) Any ideas what the attempt was trying to do? Is this a known
> > exploit? Where would I find out?
>
> Someone else gave you a good link. You can also get a bit of info
> here: http://acadia.ne.mediaone.net/Nimda/
> It was offline this past weekend, thanks to my ISP, but it's back.
>
> I also have links to the handlers that would automatically send
> complaints to the abuse authorities.
>
> > 4) What do I do now? Anything else I should do?
>
> You can handle it or ignore it. Won't matter. If you run a lightly
> loaded server, I'd suggest helping to keep the infections reported
> with one or both of the handlers you can see at the link above. If
> you are running a heavily loaded server, just use the suggestions on
> that page to eliminate the log file overflow that will result from the
> two worms (especially Nimda).
>
> > My Firewall Rules:
> > block in on dc0
> > block in log quick on dc0 from 192.168.0.0/16 to any
> > block in log quick on dc0 from 172.16.0.0/12 to any
> > block in log quick on dc0 from 10.0.0.0/8 to any
> > block in log quick on dc0 from 127.0.0.0/8 to any
> > block in log quick on dc0 from <my ip address>/32 to any
> > # allow my own network stuff to get out
> > pass out quick on dc0 proto tcp/udp from 192.168.0.0/24 to any keep state
> > pass out quick on dc0 proto icmp from 192.168.0.0/24 to any keep state
> > pass out quick on dc0 proto tcp/udp from <my ip address>/32 to any keep state
>
> Someone else already mentioned the kernel default behavior. You
> should have the default set to deny so that you can explicitly allow
> only what you want thru. Try looking at the cheat sheets at
> http://www.mostgraveconcern.com/freebsd/
> I found them most helpful.
>
> > httpd-error contents:
> > [Sat Oct 19 13:25:07 2001] [error] [client 131.123.8.178] Client sent
> > malformed Host header
> >
> > httpd-access contents:
> > 131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET
> > /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> > NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%
> > u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u
> > 0000%u00=a HTTP/1.0" 400 341 "-" "-"
>
> Yup. That's CodeRed. I'm surprised there are any of these still out
> there. I haven't seen one since 10/10. I think most of them have
> either been cleaned out or taken over by Nimda. That one's worse
> because it can spread so many different ways, and it uses roughly 16
> separate URLs to try to get into an IIS server.
>
> Good luck
> Lou
> --
> Louis LeBlanc                         leblanc@acadia.ne.mediaone.net
> Fully Funded Hobbyist, KeySlapper Extraordinaire :)
> http://acadia.ne.mediaone.net
>
> Too much is just enough.
>     -- Mark Twain, on whiskey
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
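As an added example (not code from anyone in this thread), the following Python script does by machine what Lou suggests doing by eye: it reads Apache access-log lines, separates CodeRed probes (/default.ida with a run of padding and %u-encoded payload) from Nimda probes (root.exe or cmd.exe reached through IIS directory traversal) and ordinary traffic, counts probes per source address so the infected hosts can be reported to their abuse contacts, and flags any worm URL that received a 2xx response, which on an Apache box should never happen and would deserve a look. The sample log lines are constructed here; the first is modelled on the entry posted above with the padding shortened. The Nimda patterns are indicative, not the worm's full list of URLs.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in Apache common log format. The first line is modelled
# on the CodeRed hit posted in the thread (padding shortened); the rest are
# made up here to exercise the Nimda and benign branches.
SAMPLE_ACCESS_LOG = """\
131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 341 "-" "-"
10.1.2.3 - - [20/Oct/2001:02:11:45 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 279 "-" "-"
10.1.2.3 - - [20/Oct/2001:02:11:46 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285 "-" "-"
10.1.2.3 - - [20/Oct/2001:02:11:47 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301 "-" "-"
192.0.2.9 - - [20/Oct/2001:09:00:01 -0700] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
"""

# Common log format: host ident user [time] "method target proto" status size ...
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# CodeRed: GET /default.ida? followed by a long run of padding ('N' in the
# original worm, 'X' in CodeRed II) and %uXXXX-encoded shellcode.
CODERED_PATH = "/default.ida"
CODERED_QUERY_RE = re.compile(r'^[NX]{20,}.*%u[0-9a-fA-F]{4}')

# Nimda: probes for the root.exe backdoor left behind by CodeRed II and for
# cmd.exe reached through IIS traversal encodings such as ..%255c.. (these
# are indicative patterns, not the worm's complete URL list).
NIMDA_RE = re.compile(r'(root\.exe|/winnt/system32/cmd\.exe)', re.IGNORECASE)


def classify_request(target):
    """Return 'codered', 'nimda' or 'benign' for a raw request target."""
    parts = urlsplit(target)
    if parts.path.lower() == CODERED_PATH and CODERED_QUERY_RE.search(parts.query):
        return "codered"
    if NIMDA_RE.search(parts.path):
        return "nimda"
    return "benign"


def parse_line(line):
    """Parse one common-log-format line into a dict; None if it does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["kind"] = classify_request(rec["target"])
    return rec


def triage(log_text):
    """Count worm probes per kind and source, and collect any that got a 2xx.

    A 400 or 404 means Apache rejected the request; the payload only means
    anything to IIS. A 2xx to one of these URLs would mean something on this
    server actually answered it, so it is set aside for review.
    """
    hits = defaultdict(Counter)   # kind -> Counter of source addresses
    needs_review = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] == "benign":
            continue
        hits[rec["kind"]][rec["host"]] += 1
        if 200 <= rec["status"] < 300:
            needs_review.append(rec)
    return hits, needs_review


def abuse_report(hits):
    """One line per infected source, suitable for pasting into an abuse mail."""
    lines = []
    for kind, sources in sorted(hits.items()):
        for host, n in sources.most_common():
            lines.append(f"{host}\t{kind}\t{n} probe(s)")
    return lines


if __name__ == "__main__":
    hits, review = triage(SAMPLE_ACCESS_LOG)
    for line in abuse_report(hits):
        print(line)
    for rec in review:
        print("REVIEW:", rec["host"], rec["target"], rec["status"])
```

Run it against a real log with `triage(open("/var/log/httpd-access.log").read())`; the classifier looks only at the raw request target, so the traversal encodings stay exactly as Apache logged them and are not decoded first.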