Date: Tue, 11 Dec 2001 23:22:10 -0700 (MST) From: FreeBSD user <freebsd@XtremeDev.com> To: jacks@sage-american.com Cc: Jim Conner <jconner@enterit.com>, BSDJunk <BSDJunk@bzerk.org>, <freebsd-questions@FreeBSD.ORG> Subject: Re: Intruder attempts? Message-ID: <20011211232119.Y28829-100000@Amber.XtremeDev.com> In-Reply-To: <3.0.5.32.20011212001857.01078190@mail.sage-american.com>
next in thread | previous in thread | raw e-mail | index | archive | help
That's just the various nimda/code red/whatever worm/virii out there attacking and searching for IIS machines. Unless you are running IIS, it doesn't affect you. On Wed, 12 Dec 2001 jacks@sage-american.com wrote: > I'm getting pounded with these attempts as well...two different sources: > <snip/> > 202.172.44.253 - - [11/Dec/2001:12:14:59 -0600] "GET > /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN > NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% > u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a > HTTP/1.0" 400 325 "-" "- > > 64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /scripts/root.exe?/c+dir > HTTP/1.0" 404 283 "-" "-" > 64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET /MSADC/root.exe?/c+dir > HTTP/1.0" 404 281 "-" "-" > 64.211.41.13 - - [11/Dec/2001:22:50:31 -0600] "GET > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291 "-" "-" > </snip> > > Attacks have been going on for several days on a brand new (experimental) > web site > www.sage-one.net just cranked up a few days ago. > > It's the only thing on the box except a LAN is attached. Not much to get to > that is sensitive except be malicious. > > At 12:35 AM 12.12.2001 -0500, Jim Conner wrote: > >At 08:10 12.10.2001 +0100, BSDJunk wrote: > > > >>Portmap has nothing to do with rsh or rcp. It is needed for NFS servers and > >>for NIS e.g. > > > >Heh, I hate it when I say dumb ie wrong things. :) Thank you for > >correcting me. However, I am still correct that this is an rpc.statd > >exploit. In /etc/rc.conf (/etc/defaults/rc.conf) find rpc_statd_enable and > >make it equal to "NO". > > > > > >>----- Original Message ----- > >>From: "Jim Conner" <jconner@enterit.com> > >>To: <jacks@sage-american.com> > >>Cc: <freebsd-questions@FreeBSD.ORG> > >>Sent: Monday, December 10, 2001 7:46 AM > >>Subject: Re: Intruder attempts? > >> > >> > >> > At 07:58 12.09.2001 -0600, jacks@sage-american.com wrote: > >> > >I've noticed this often on the console of the server and appears to be > >> > >intruder attempts to login: This is just a snipet: > >> > > > >> > ><snip/> > >> > >server1.net kernel log messages: > >> > > > Dec 8 03:41:47 sage-one rpc.statd: invalid hostname to sm_stat: > >> > > >> > >^X\M-w\M^?\M-?^X\M-w\M^?\M-?^Y\M-w\M^?\M-?^Y\M-w\M^?\M-?^Z\M-w\M^?\M-?^Z\M- > >>w > >> > > >> > >\M^?\M-?^[\M-w\M^?\M-?^[\M-w\M^?\M-?%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x > >>% > >> > >n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P > >> > ></snip> > >> > > > >> > > >> > This is a bad thing. This is somebody attempting to use a buffer > >>olverflow > >> > exploit against your rpc services. If you don't need them, I suggest you > >> > turn portmap off. That means that if you don't want or need people > >> > rsh'ing, rcp'ing, etc into your box, turn off portmap. > >> > > >> > - Jim > >> > > >> > > >> > >Best regards, > >> > >Jack L. Stone, > >> > >Server Admin > >> > > > >> > >Sage-American > >> > >http://www.sage-american.com > >> > >jacks@sage-american.com > >> > > > >> > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >> > >with "unsubscribe freebsd-questions" in the body of the message > >> > > >> > > >> > > >> > - Jim > >> > > >> > -~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~- > >> > http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861 > >> > > >> > -----BEGIN PERL GEEK CODE BLOCK----- ------BEGIN GEEK CODE > >>BLOCK------ > >> > Version: 0.01 Version: 3.12 > >> > P++>*@$c?P6?R+++>++++@$M GIT/CM/J d++(--) s++:++ a- > >> > >++++$O!MA->++++E!> PU-->+++BD C++++(+) UB++++$L++++$S++++$ > >> > $C-@D!>++++(-)$S++++@$X?WP+>++++MO!>+++ P++(+)>+++++ L+++(++++)>+++++$ > >>!E* > >> > +PP+++>++++n-CO?PO!o >++++G W++(+++) N+ o !K w--- PS---(-)@ > >>PE > >> > >*(!)$A-->++++@$Ee---(-)Ev++uL++>*@$uB+ Y+>+++ PGP t+(+++)>+++@ 5- X++ > >>R@ > >> > >*@$uS+>*@$uH+uo+w-@$m! tv+ b? DI-(+++) D+++(++) > >>G(++++) > >> > ------END PERL GEEK CODE BLOCK------ ------END GEEK CODE BLOCK------ > >> > > >> > > >> > To Unsubscribe: send mail to majordomo@FreeBSD.org > >> > with "unsubscribe freebsd-questions" in the body of the message > >> > > > > > > > > >- Jim > > > >-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~- > >http://www.perlmonks.org/index.pl?node_id=67861&lastnode_id=67861 > > > >-----BEGIN PERL GEEK CODE BLOCK----- ------BEGIN GEEK CODE BLOCK------ > >Version: 0.01 Version: 3.12 > >P++>*@$c?P6?R+++>++++@$M GIT/CM/J d++(--) s++:++ a- > > >++++$O!MA->++++E!> PU-->+++BD C++++(+) UB++++$L++++$S++++$ > >$C-@D!>++++(-)$S++++@$X?WP+>++++MO!>+++ P++(+)>+++++ L+++(++++)>+++++$ !E* > >+PP+++>++++n-CO?PO!o >++++G W++(+++) N+ o !K w--- PS---(-)@ PE > > >*(!)$A-->++++@$Ee---(-)Ev++uL++>*@$uB+ Y+>+++ PGP t+(+++)>+++@ 5- X++ R@ > > >*@$uS+>*@$uH+uo+w-@$m! tv+ b? DI-(+++) D+++(++) G(++++) > >------END PERL GEEK CODE BLOCK------ ------END GEEK CODE BLOCK------ > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-questions" in the body of the message > > > > > > Best regards, > Jack L. Stone, > Server Admin > > Sage-American > http://www.sage-american.com > jacks@sage-american.com > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011211232119.Y28829-100000>