From owner-freebsd-security  Tue Feb  2 20:25:35 1999
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id UAA10621
          for freebsd-security-outgoing; Tue, 2 Feb 1999 20:25:35 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mta1-rme.xtra.co.nz (mta.xtra.co.nz [203.96.92.1])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA10612
          for <freebsd-security@FreeBSD.ORG>; Tue, 2 Feb 1999 20:25:33 -0800 (PST)
          (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker ([210.55.210.87]) by mta1-rme.xtra.co.nz
          (InterMail v04.00.02.07 201-227-108) with SMTP
          id <19990203042530.GQPY682101.mta1-rme@wocker>;
          Wed, 3 Feb 1999 17:25:30 +1300
From: "Dan Langille" <junkmale@xtra.co.nz>
Organization: The FreeBSD Diary
To: James Wyatt <jwyatt@RWSystems.net>
Date: Wed, 3 Feb 1999 17:25:25 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: what were these probes?
Reply-to: junkmale@xtra.co.nz
CC: Mike Holling <myke@ees.com>, freebsd-security@FreeBSD.ORG
References: <19990202065625.CSGF678125.mta2-rme@wocker>
In-reply-to: <Pine.BSF.4.05.9902021409070.13018-100000@kasie.rwsystems.net>
X-mailer: Pegasus Mail for Win32 (v3.01d)
Message-Id: <19990203042530.GQPY682101.mta1-rme@wocker>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 2 Feb 99, at 15:56, James Wyatt wrote:

> On Tue, 2 Feb 1999, Dan Langille wrote:
> > On 1 Feb 99, at 22:28, Mike Holling wrote:
> > > > Tonight I found these entries in my log files.  What were they looking
> > > > for?  Was this a spammer looking for exploits?
> > > My offhand guess is that this was indeed some kind of automated script
> > > looking for a set of known security holes.
> > Looks that way to me too.  Messages I've received off list seem to 
> > indicate that the http probes were well known exploits.  And they all 
> > failed.  It seems that the security in place has done it's job.
> 
> Notice that they are coming from a hostname beginning ns.*.com. Looks
> like someone's nameserver wasn't as lucky as your webserver... 8{(
> 

FWIW, they appear to be online again.

--
Dan Langille
The FreeBSD Diary
http://www.FreeBSDDiary.com/freebsd

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message