From owner-freebsd-stable Thu Dec 27 19:11:48 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from seven.Alameda.net (seven.Alameda.net [64.81.63.137])
	by hub.freebsd.org (Postfix) with ESMTP id ACFD937B405
	for ; Thu, 27 Dec 2001 19:11:44 -0800 (PST)
Received: by seven.Alameda.net (Postfix, from userid 1000)
	id 84EB63A239; Thu, 27 Dec 2001 19:11:44 -0800 (PST)
Date: Thu, 27 Dec 2001 19:11:44 -0800
From: Ulf Zimmermann
To: Peter Ong
Cc: "Julien B." , freebsd-stable@FreeBSD.ORG
Subject: Re: Trying NT Hacks
Message-ID: <20011227191144.X90222@seven.alameda.net>
Reply-To: ulf@Alameda.net
References: <013a01c18f48$f156cf20$0101a8c0@haloflightleader.net> <20011228035757.A99350@harimandir> <018901c18f4c$22402480$0101a8c0@haloflightleader.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <018901c18f4c$22402480$0101a8c0@haloflightleader.net>; from peter@haloflightleader.net on Thu, Dec 27, 2001 at 07:02:49PM -0800
Organization: Alameda Networks, Inc.
X-Operating-System: FreeBSD 4.4-STABLE
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, Dec 27, 2001 at 07:02:49PM -0800, Peter Ong wrote:
> Really... I just wonder how they figure out the IPs, other than randomly
> guessing. Someone did mention that, and I guess there really aren't that
> many IP addresses that a computer could randomly generate in a short amount
> of time without covering the whole spectrum.

Nimda for example is scanning anything from the infected host's /16 address
space. For example your machine is in the 64.81.0.0/16 address block
(Speakeasy DSL), then that infected machine would scan all those IPs for
more unsecured IIS to spread more. I kinda have a script in place to
regularly open a ticket with Speakeasy to report infected machines and let
them handle contacting their customers.
The data for that script comes from a small script I have on my web server
which sends a log entry into an SQL db, on which I can then run a query
to get the last week's hits from 64.81.0.0/16 IPs and I also look for
large numbers of hits from other IPs and contact those ISPs.

>
> Peter
> ----- Original Message -----
> From: "Julien B."
> To: "Peter Ong"
> Cc:
> Sent: Thursday, December 27, 2001 6:57 PM
> Subject: Re: Trying NT Hacks
>
>
> > On Thu, Dec 27, 2001 at 06:39:58PM -0800, Peter Ong wrote:
> > > I don't know what it is with some people. I post my site here today because
> > > I was wondering about why the initial page was gibberish, and then I get
> > > crackers. I finally get home, and I'm reviewing my log files, and I'm
> > > seeing some folks trying to use IIS/NT exploits on my FreeBSD machine. It's
> > > infuriating.
> > >
> >
> > My logs are full of these too, and getting bigger and bigger every day. Most of
> > these "attacks" come from some Windows worms. I'm totally amazed though, as
> > I get one such connection every 10 minutes, and my web server is not even
> > public.
> >
> > Regards
> >
> > Julien B
> >
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-stable" in the body of the message
>

--
Regards, Ulf.

---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://seven.Alameda.net/~ulf/resume.html

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
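
The log-to-database-and-query workflow described in the message above, sketched as an added example (this is not Ulf Zimmermann's script): probe hits are stored in an SQL table, then one query yields last week's sources inside 64.81.0.0/16 and the heavy hitters elsewhere. The probe markers, table layout, threshold, fixed clock and all sample hits are assumptions constructed for illustration.

```python
import ipaddress
import sqlite3
from datetime import datetime, timedelta

LOCAL_BLOCK = ipaddress.ip_network("64.81.0.0/16")  # the /16 named in the message
# Assumption: request substrings typical of IIS-targeting worm probes.
IIS_PROBE_MARKERS = ("cmd.exe", "root.exe", "default.ida")
NOW = datetime(2001, 12, 27, 19, 0)  # fixed clock so the result is reproducible

# Constructed sample hits: (timestamp, source IP, requested path).
SAMPLE_HITS = [
    ("2001-12-26 03:12:00", "64.81.10.20", "/scripts/root.exe?/c+dir"),
    ("2001-12-27 18:40:00", "64.81.10.20", "/c/winnt/system32/cmd.exe?/c+dir"),
    ("2001-12-15 09:00:00", "64.81.200.7", "/scripts/root.exe?/c+dir"),  # older than a week
    ("2001-12-27 12:00:00", "64.81.63.10", "/index.html"),               # ordinary request
    ("2001-12-25 01:00:00", "192.0.2.44", "/default.ida?XXXX"),
    ("2001-12-25 01:00:05", "192.0.2.44", "/scripts/root.exe?/c+dir"),
    ("2001-12-25 01:00:09", "192.0.2.44", "/MSADC/root.exe?/c+dir"),
    ("2001-12-24 22:30:00", "198.51.100.9", "/scripts/root.exe?/c+dir"),
]

def build_db(hits):
    """Store only the requests that look like IIS probes, one row per hit."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hits (ts TEXT, src TEXT, path TEXT)")
    probes = [h for h in hits if any(m in h[2].lower() for m in IIS_PROBE_MARKERS)]
    db.executemany("INSERT INTO hits VALUES (?, ?, ?)", probes)
    return db

def weekly_report(db, now=NOW, threshold=3):
    """Return (sources inside LOCAL_BLOCK, heavy sources elsewhere) for the last 7 days."""
    since = (now - timedelta(days=7)).isoformat(sep=" ")
    rows = db.execute(
        "SELECT src, COUNT(*) FROM hits WHERE ts >= ? GROUP BY src ORDER BY src",
        (since,),
    ).fetchall()
    local = {s: n for s, n in rows if ipaddress.ip_address(s) in LOCAL_BLOCK}
    heavy = {s: n for s, n in rows if s not in local and n >= threshold}
    return local, heavy

if __name__ == "__main__":
    local, heavy = weekly_report(build_db(SAMPLE_HITS))
    print("report to the block's ISP:", local)
    print("heavy hitters elsewhere:", heavy)
```

The first dictionary is what would go into a ticket with the ISP that owns the /16; the second lists sources whose ISPs would be contacted separately.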