From: "Mark Hughes"
To: "klein brock", "Christian S ."
Cc: "Matthew Emmerton"
Subject: Re: FIREWALL REALLY NEED HELP
Date: Wed, 19 Sep 2001 03:15:14 +0100

> not just that.. the ip that attack my server are more
> than 10.000. this is some of them:
>
> 209.8.63.66 - - [18/Sep/2001:17:38:20 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
> 209.8.172.53 - - [18/Sep/2001:17:38:20 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
> 209.8.92.226 - - [18/Sep/2001:17:38:20 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
> 209.8.172.53 - - [18/Sep/2001:17:38:20 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
> 209.8.92.226 - - [18/Sep/2001:17:38:21 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
> 209.8.172.53 - - [18/Sep/2001:17:38:21 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
>
> it has 216.*.*.* for more than 100 ip, 209.*.*.* more
> than 1000 ips, 205.128.*.*
>
> I really tired of this, it suffer my server for more
> than 1 week.. if anybody can help me ... I would
> appreciate it. they have more than 10.000 ips.

That all sounds suspiciously like a code red / code blue / nammbaaanada (sp?)
virus that's spread onto an area network and is trying to infect your
machine... I could be wrong, what do others think?

Mark
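
The following is an added example, not part of the original thread: it parses Common Log Format lines like the ones quoted above, flags requests for `cmd.exe` or `root.exe`, and counts them per source address, also listing any that the server did not reject. The function names and the last sample line (a benign request) are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format, and the IIS shell targets requested in the quoted lines.
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')
PROBE = re.compile(r'/(cmd|root)\.exe\?', re.IGNORECASE)

# Six lines quoted in the message, plus one constructed benign request (last).
SAMPLE = [
    '209.8.63.66 - - [18/Sep/2001:17:38:20 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288',
    '209.8.172.53 - - [18/Sep/2001:17:38:20 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285',
    '209.8.92.226 - - [18/Sep/2001:17:38:20 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280',
    '209.8.172.53 - - [18/Sep/2001:17:38:20 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302',
    '209.8.92.226 - - [18/Sep/2001:17:38:21 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301',
    '209.8.172.53 - - [18/Sep/2001:17:38:21 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302',
    '192.0.2.10 - - [18/Sep/2001:17:38:22 -0700] "GET /index.html HTTP/1.0" 200 1024',
]

def parse(line):
    """Return (host, path, status) for a CLF line, or None if it does not parse."""
    m = CLF.match(line.strip())
    if not m:
        return None
    parts = m.group(3).split()
    path = parts[1] if len(parts) >= 2 else ""
    return m.group(1), path, int(m.group(4))

def is_probe(path):
    """True if the path asks for cmd.exe/root.exe, in raw or URL-decoded form."""
    decoded = unquote(unquote(path))  # undo double encoding such as %252f
    return bool(PROBE.search(path) or PROBE.search(decoded))

def summarize(lines):
    """Count probes per source host and per first octet; list any not rejected."""
    hosts, nets, served = Counter(), Counter(), []
    for line in lines:
        rec = parse(line)
        if rec is None or not is_probe(rec[1]):
            continue
        host, path, status = rec
        hosts[host] += 1
        nets[host.split(".")[0] + ".*"] += 1
        if status < 400:  # a probe answered with 2xx/3xx deserves a closer look
            served.append((host, path, status))
    return hosts, nets, served

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the quoted lines every probe was answered with 400 or 404, so the `served` list is empty.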