Date:      Sun, 3 Feb 2002 22:34:55 -0500 (EST)
From:      Chris BeHanna <behanna@zbzoom.net>
To:        <freebsd-security@freebsd.org>
Subject:   Re: weird server activity
Message-ID:  <20020203223304.Q70920-100000@topperwein.dyndns.org>
In-Reply-To: <F31rfFz82buW5RNB6Hf00001c34@hotmail.com>

On Sat, 26 Jan 2002, William J. Borskey wrote:

> I am running FreeBSD 4.4. I use Apache-fp and openssh. About a week ago my
> system went down and I wasn't
> able to log in or look at any web pages. I could connect, but it would not
> spawn a process to log me in, or serve me a
> web document. I got someone to reboot the machine from the console, I was
> then able to log into the machine.
> Starting processes was slow but top reports normal system loads. Then after
> about an hour the machine would no
> longer run any processes and quickly shut me out by killing the sshd I was
> connected with. I did get a chance to
> look at some of my logs, not all unfortunately. The httpd-access file had
> some weird sequences of Windows
> sounding paths, but it wasn't Code Red or anything like Code Red:
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir
> HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir
> HTTP/1.0" 404 200 "-" "-"
> 147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
> 147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
> [...snip...]

    This looks like NIMDA, which can generate enough 404 traffic to
choke your machine's pipe.  Unless your setup allows for La Brea, it's
best to blackhole these things rather than issue responses.

-- 
Chris BeHanna
Software Engineer                   (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
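
An added example, not part of the original message: one way to triage an Apache access log for the `root.exe` / `cmd.exe` probes quoted above and list the source addresses that are candidates for blackholing. The function names, the threshold and the `192.0.2.10` lines are assumptions made for illustration; the three probe lines are taken from the quoted log with the mail line-wrapping undone.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Requests for Windows command interpreters, as seen in the quoted log.
# A Unix Apache host has no legitimate URL ending in these names.
PROBE_RE = re.compile(r'/(?:root|cmd)\.exe(?:\?|$)', re.IGNORECASE)

# First three lines: from the quoted log. Last three: constructed for contrast.
SAMPLE_LOG = """\
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
192.0.2.10 - - [19/Jan/2002:15:13:02 -0600] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [19/Jan/2002:15:13:05 -0600] "GET /missing.gif HTTP/1.0" 404 200
this line is truncated garbage and must be skipped
"""


def probe_counts(lines):
    """Count probe requests per source address; unparseable lines are ignored."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode percent-encoding once so an encoded ".exe" still matches.
        if PROBE_RE.search(unquote(m.group("uri"))):
            counts[m.group("host")] += 1
    return counts


def blackhole_candidates(lines, threshold=3):
    """Addresses with at least `threshold` probe requests, sorted for stable output."""
    return sorted(h for h, n in probe_counts(lines).items() if n >= threshold)


if __name__ == "__main__":
    for host in blackhole_candidates(SAMPLE_LOG.splitlines()):
        print(host)
```

An ordinary 404 such as the constructed `/missing.gif` request is not counted, so a client that simply follows a stale link does not end up on the list.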

