Date: Thu, 27 Dec 2001 22:09:02 -0800
From: "Kutulu" <kutulu@kutulu.org>
To: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>, <freebsd-stable@freebsd.org>
Subject: Re: Trying NT Hacks
Message-ID: <00ed01c18f66$2a80e110$88682518@cc191573g>
References: <013a01c18f48$f156cf20$0101a8c0@haloflightleader.net> <1009507938.42213.4.camel@vpn85.ece.cmu.edu> <015401c18f4a$9b8dd500$0101a8c0@haloflightleader.net> <200112280257.fBS2vdF90815@apollo.backplane.com> <1009508426.42213.8.camel@vpn85.ece.cmu.edu>

From: "Brandon S. Allbery KF8NH" <allbery@ece.cmu.edu>
To: <freebsd-stable@freebsd.org>
Sent: Thursday, December 27, 2001 7:00 PM
Subject: Re: Trying NT Hacks

> On Thu, 2001-12-27 at 21:57, Matthew Dillon wrote:
> > I get at least two or three crack attempts each week on my site. They
> > are invariably NT cracks.
>
> Only two or three a week? We get that many per *hour* even on web
> servers which are not announced publicly, on "slow" days.

In this case, anecdotal evidence suggests you may be able to stop some of this:

When I first put up snort in front of my web servers, I mailed myself nightly the snort logs. I quickly stopped that for a week, as my mailbox routinely had many thousands of lines of IIS hack attempts in it each morning. 5-10 attempts per hour times 15 separate exploit variations per attempt = a big mess.

Not having much else to do with my time (using FreeBSD+Apache+PHP+MySQL from ports saved me many hours of work) I actually sat down and emailed every single IP that hit me for two days. I dunno if it helped, or things just naturally tapered off, but I haven't gotten a *single* IIS worm attack in nearly two weeks.

Fortunately, the biggest pain in the butt (Nimda) scans only the /16-subnet the infected machine is in, so once you manage to find everyone in your /16 and clean them up, things quiet down a lot :)

--K

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message