From owner-freebsd-stable Thu Dec 27 19:17:35 2001
From: "Kutulu"
To: "Brandon S. Allbery KF8NH" ,
Subject: Re: Trying NT Hacks
Date: Thu, 27 Dec 2001 22:09:02 -0800

From: "Brandon S. Allbery KF8NH"
To:
Sent: Thursday, December 27, 2001 7:00 PM
Subject: Re: Trying NT Hacks

> On Thu, 2001-12-27 at 21:57, Matthew Dillon wrote:
> > I get at least two or three crack attempts each week on my site. They
> > are invariably NT cracks.
>
> Only two or three a week? We get that many per *hour* even on web
> servers which are not announced publicly, on "slow" days.

In this case, anecdotal evidence suggests you may be able to stop some of this:

When I first put up snort in front of my web servers, I mailed myself nightly the snort logs. I quickly stopped that for a week, as my mailbox routinely had many thousands of lines of IIS hack attempts in it each morning. 5-10 attempts per hour times 15 separate exploit variations per attempt = a big mess.

Not having much else to do with my time (using FreeBSD+Apache+PHP+MySQL from ports saved me many hours of work) I actually sat down and emailed every single IP that hit me for two days. I dunno if it helped, or things just naturally tapered off, but I haven't gotten a *single* IIS worm attack in nearly two weeks.

Fortunately, the biggest pain in the butt (Nimda) scans only the /16 subnet the infected machine is in, so once you manage to find everyone in your /16 and clean them up, things quiet down a lot :)

--K
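The triage the post describes (reading snort's IIS alerts and working out which infected neighbours in your own /16 to contact), as an added example that is not part of the original thread. The alert lines, the server address and the signature IDs are constructed for the example; only the "Nimda scans its own /16" observation comes from the post.

```python
# Added example, not from the mailing-list post: group snort-style web alerts
# by source /16 so hosts in the server's own /16 (where Nimda scanning
# concentrates) surface first as notification candidates.
import ipaddress
import re
from collections import Counter

# Constructed sample lines in snort's "fast" alert layout (values made up).
SAMPLE_ALERTS = """\
12/27-02:11:03.120 [**] [1:1002:5] WEB-IIS cmd.exe access [**] {TCP} 24.37.12.8:3121 -> 24.37.104.136:80
12/27-02:11:03.640 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] {TCP} 24.37.12.8:3122 -> 24.37.104.136:80
12/27-02:15:44.002 [**] [1:1002:5] WEB-IIS cmd.exe access [**] {TCP} 24.37.200.17:1044 -> 24.37.104.136:80
12/27-02:30:10.500 [**] [1:1002:5] WEB-IIS cmd.exe access [**] {TCP} 203.0.113.77:4455 -> 24.37.104.136:80
12/27-02:31:00.001 [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] {TCP} 24.37.12.8:3130 -> 24.37.104.136:80
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\] \{TCP\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):\d+"
)

def parse_alerts(text):
    """Yield (signature message, source IP) for every line that matches."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.group("msg"), m.group("src")

def triage_by_slash16(text, server_ip):
    """Count hits per source IP, split into 'inside our /16' and 'elsewhere'.
    Hosts inside the server's /16 are the likely Nimda neighbours."""
    home = ipaddress.ip_network(f"{server_ip}/16", strict=False)
    local, remote = Counter(), Counter()
    for _msg, src in parse_alerts(text):
        (local if ipaddress.ip_address(src) in home else remote)[src] += 1
    return local, remote

def notify_list(text, server_ip, min_hits=2):
    """Source IPs in our /16 with at least min_hits alerts, busiest first."""
    local, _ = triage_by_slash16(text, server_ip)
    return [ip for ip, n in local.most_common() if n >= min_hits]

if __name__ == "__main__":
    local, remote = triage_by_slash16(SAMPLE_ALERTS, "24.37.104.136")
    print("in our /16:", dict(local))
    print("elsewhere:", dict(remote))
    print("notify:", notify_list(SAMPLE_ALERTS, "24.37.104.136"))
```

Feeding it a real alert file instead of SAMPLE_ALERTS gives the per-neighbour counts the post's author built by hand before mailing each address.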