Date: Wed, 12 Dec 2001 00:18:57 -0600
From: jacks@sage-american.com
To: Jim Conner <jconner@enterit.com>, "BSDJunk" <BSDJunk@bzerk.org>
Cc: <freebsd-questions@FreeBSD.ORG>
Subject: Re: Intruder attempts?
Message-ID: <3.0.5.32.20011212001857.01078190@mail.sage-american.com>
In-Reply-To: <5.1.0.14.0.20011212003317.02b7d320@mail.enterit.com>
References: <048101c18149$ca0363a0$0801a8c0@lan.1729.net> <5.1.0.14.0.20011210014602.04020258@mail.enterit.com>
I'm getting pounded with these attempts as well...two different sources:

<snip/>
202.172.44.253 - - [11/Dec/2001:12:14:59 -0600] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 325 "-" "-
64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"
64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"
64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"
</snip>

Attacks have been going on for several days on a brand new (experimental) web site www.sage-one.net just cranked up a few days ago. It's the only thing on the box except a LAN is attached. Not much to get to that is sensitive except be malicious.

At 12:35 AM 12.12.2001 -0500, Jim Conner wrote:
>At 08:10 12.10.2001 +0100, BSDJunk wrote:
>
>>Portmap has nothing to do with rsh or rcp. It is needed for NFS servers and
>>for NIS e.g.
>
>Heh, I hate it when I say dumb, i.e. wrong, things. :) Thank you for
>correcting me. However, I am still correct that this is an rpc.statd
>exploit. In /etc/rc.conf (/etc/defaults/rc.conf) find rpc_statd_enable and
>make it equal to "NO".
>
>
>>----- Original Message -----
>>From: "Jim Conner" <jconner@enterit.com>
>>To: <jacks@sage-american.com>
>>Cc: <freebsd-questions@FreeBSD.ORG>
>>Sent: Monday, December 10, 2001 7:46 AM
>>Subject: Re: Intruder attempts?
>>
>>
>> > At 07:58 12.09.2001 -0600, jacks@sage-american.com wrote:
>> > >I've noticed this often on the console of the server and appears to be
>> > >intruder attempts to login: This is just a snippet:
>> > >
>> > ><snip/>
>> > >server1.net kernel log messages:
>> > > > Dec 8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat:
>> > >^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M-w\M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
>> > ></snip>
>> > >
>> >
>> > This is a bad thing. This is somebody attempting to use a buffer overflow
>> > exploit against your rpc services. If you don't need them, I suggest you
>> > turn portmap off. That means that if you don't want or need people
>> > rsh'ing, rcp'ing, etc. into your box, turn off portmap.
>> >
>> > - Jim
>> >
>> >
>> > >Best regards,
>> > >Jack L. Stone,
>> > >Server Admin
>> > >
>> > >Sage-American
>> > >http://www.sage-american.com
>> > >jacks@sage-american.com
>> > >
>> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
>> > >with "unsubscribe freebsd-questions" in the body of the message
>> >
>> >
>> >
>> > - Jim
>> >
>> > -~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
>> > http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861
>
>
>
>- Jim
>
>-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-
>http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861
>
>

Best regards,
Jack L. Stone,
Server Admin

Sage-American
http://www.sage-american.com
jacks@sage-american.com
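As an added example (not code from the thread), here is a small log-triage script that parses Apache-style access log lines like the ones Jack posted and tallies, per source address, how many Code Red (/default.ida with the %u-encoded payload) and Nimda-style (root.exe / cmd.exe ?/c+) probes each sent; the sample lines and 192.0.2.x addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log line: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Probe signatures as they appear in the thread: Code Red hits /default.ida with a
# long run of N followed by %u-encoded bytes; Nimda-style scanners look for
# root.exe or cmd.exe and try to run "/c dir" through it.
SIGNATURES = [
    ("codered", re.compile(r"GET /default\.ida\?N{20,}.*%u[0-9a-f]{4}", re.I)),
    ("nimda", re.compile(r"/(root\.exe|cmd\.exe)\?/c\+", re.I)),
]


def classify(line):
    """Return (ip, label) for a recognised probe, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for label, sig in SIGNATURES:
        if sig.search(m.group("req")):
            return m.group("ip"), label
    return None


def summarize(lines):
    """Map each probing source IP to a Counter of the probe types it sent."""
    hits = defaultdict(Counter)
    for line in lines:
        found = classify(line)
        if found:
            ip, label = found
            hits[ip][label] += 1
    return hits


# Constructed sample lines modelled on the post; 192.0.2.x are documentation addresses.
SAMPLE = [
    '192.0.2.10 - - [11/Dec/2001:12:14:59 -0600] "GET /default.ida?' + "N" * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u00=a HTTP/1.0" 400 325 "-" "-"',
    '192.0.2.20 - - [11/Dec/2001:22:50:31 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 283 "-" "-"',
    '192.0.2.20 - - [11/Dec/2001:22:50:31 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 281 "-" "-"',
    '192.0.2.20 - - [11/Dec/2001:22:50:31 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-"',
    '192.0.2.30 - - [11/Dec/2001:23:01:02 -0600] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE).items():
        print(ip, dict(counts))
```

The 400/404 statuses on these lines are the useful part: they show the IIS-specific requests found nothing on the FreeBSD box, so the right response is to log and block the noisy sources rather than to treat each hit as a compromise.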