Date: Thu, 27 Dec 2001 19:11:44 -0800
From: Ulf Zimmermann <ulf@Alameda.net>
To: Peter Ong <peter@haloflightleader.net>
Cc: "Julien B." <jbe@cpu.ath.cx>, freebsd-stable@FreeBSD.ORG
Subject: Re: Trying NT Hacks
Message-ID: <20011227191144.X90222@seven.alameda.net>
In-Reply-To: <018901c18f4c$22402480$0101a8c0@haloflightleader.net>; from peter@haloflightleader.net on Thu, Dec 27, 2001 at 07:02:49PM -0800
References: <013a01c18f48$f156cf20$0101a8c0@haloflightleader.net> <20011228035757.A99350@harimandir> <018901c18f4c$22402480$0101a8c0@haloflightleader.net>

On Thu, Dec 27, 2001 at 07:02:49PM -0800, Peter Ong wrote:
> Really...  I just wonder how they figure out the IPs, other than randomly
> guessing.  Someone did mention that, and I guess there really aren't that
> many IP addresses that a computer could randomly generate in a short amount
> of time without covering the whole spectrum.

Nimda for example is scanning anything from the infected host's /16 address
space. For example your machine is in the 64.81.0.0/16 address block
(Speakeasy DSL), then that infected machine would scan all those IPs for
more unsecured IIS to spread more.

I kinda have a script in place to regularly open a ticket with Speakeasy to
report infected machines and let them handle contacting their customers.
The data for that script comes from a small script I have on my web server
which sends a log entry into an SQL db, on which I can then run a query to
get the last week's hits from 64.81.0.0/16 IPs and I also look for large
numbers of hits from other IPs and contact those ISPs.

>
> Peter
> ----- Original Message -----
> From: "Julien B." <jbe@cpu.ath.cx>
> To: "Peter Ong" <peter@haloflightleader.net>
> Cc: <freebsd-stable@FreeBSD.ORG>
> Sent: Thursday, December 27, 2001 6:57 PM
> Subject: Re: Trying NT Hacks
>
>
> > On Thu, Dec 27, 2001 at 06:39:58PM -0800, Peter Ong wrote:
> > > I don't know what it is with some people.  I post my site here today because
> > > I was wondering about why the initial page was gibberish, and then I get
> > > crackers.  I finally get home, and I'm reviewing my log files, and I'm
> > > seeing some folks trying to use IIS/NT exploits on my FreeBSD machine.  It's
> > > infuriating.
> > >
> >
> > My logs are full of these too, and getting bigger and bigger every day. Most of
> > these "attacks" come from some Windows worms. I'm totally amazed though, as
> > I get one such connection every 10 minutes, and my web server is not even
> > public.
> >
> > Regards
> >
> > Julien B
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message

--
Regards, Ulf.

---------------------------------------------------------------------
Ulf Zimmermann, 1525 Pacific Ave., Alameda, CA-94501, #: 510-865-0204
You can find my resume at: http://seven.Alameda.net/~ulf/resume.html

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
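
The weekly query described in the message above, sketched as an added example (this is not Ulf's script). The table layout, the probe patterns used to recognise worm requests, the threshold for "large numbers of hits" and all sample rows are assumptions or constructed data; only the 64.81.0.0/16 block comes from the message.

```python
import ipaddress
import sqlite3
from datetime import datetime, timedelta

LOCAL_BLOCK = ipaddress.ip_network("64.81.0.0/16")  # block named in the message
NOISY_THRESHOLD = 3  # assumed cutoff for "large numbers of hits" from other IPs
# Assumed probe markers: IIS-only executables a FreeBSD web server never serves.
PROBE_SQL = "(path LIKE '%cmd.exe%' OR path LIKE '%root.exe%')"

# Constructed sample rows: (timestamp, source IP, requested path).
SAMPLE_ROWS = [
    ("2001-12-27 18:40:01", "64.81.10.20", "/scripts/root.exe"),
    ("2001-12-27 18:40:02", "64.81.10.20", "/c/winnt/system32/cmd.exe"),
    ("2001-12-26 09:15:30", "64.81.200.7", "/scripts/root.exe"),
    ("2001-12-10 11:00:00", "64.81.33.44", "/scripts/root.exe"),  # older than a week
    ("2001-12-27 12:00:00", "64.81.55.66", "/index.html"),  # ordinary request
    ("2001-12-25 03:00:00", "192.0.2.9", "/scripts/root.exe"),
    ("2001-12-25 03:00:01", "192.0.2.9", "/MSADC/root.exe"),
    ("2001-12-25 03:00:02", "192.0.2.9", "/c/winnt/system32/cmd.exe"),
    ("2001-12-24 22:10:00", "198.51.100.3", "/scripts/root.exe"),  # below threshold
]

def build_db(rows):
    """Load log rows into an in-memory table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hits (ts TEXT, src TEXT, path TEXT)")
    db.executemany("INSERT INTO hits VALUES (?, ?, ?)", rows)
    return db

def weekly_report(db, now):
    """Return (probe hits per IP inside LOCAL_BLOCK, noisy IPs outside it)."""
    since = (now - timedelta(days=7)).isoformat(sep=" ")
    counts = db.execute(
        f"SELECT src, COUNT(*) FROM hits WHERE ts >= ? AND {PROBE_SQL} GROUP BY src",
        (since,),
    ).fetchall()
    local, other = {}, {}
    for src, n in counts:
        if ipaddress.ip_address(src) in LOCAL_BLOCK:
            local[src] = n  # candidates for the ticket to the block's ISP
        elif n >= NOISY_THRESHOLD:
            other[src] = n  # heavy hitters whose own ISPs get contacted
    return local, other

if __name__ == "__main__":
    local, other = weekly_report(build_db(SAMPLE_ROWS), datetime(2001, 12, 27, 19, 11, 44))
    print("inside 64.81.0.0/16:", local)
    print("noisy elsewhere:", other)
```

Membership in the /16 is tested with `ipaddress` rather than a string prefix match, so the same function works unchanged for blocks that do not fall on an octet boundary.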