Date: Tue, 18 Sep 2001 19:26:05 -0700 (PDT)
From: Brian Whalen
To: Mark Hughes
Cc: klein brock, "Christian S .", Matthew Emmerton
Subject: Re: FIREWALL REALLY NEED HELP
In-Reply-To: <030301c140b1$09ee3640$0200a8c0@mark2>
Message-ID: <20010918192520.D6038-100000@cx175057-a.ocnsd1.sdca.home.com>

u r correct, see http://www.cert.org/advisories/CA-2001-26.html. These
people are likely not directly attacking you, but being unknowing
participants in this.

Brian "Sonic" Whalen
Success = Preparation + Opportunity

On Wed, 19 Sep 2001, Mark Hughes wrote:

> > not just that.. the ip that attack my server are more
> > than 10.000. this is some of them:
> >
> > 209.8.63.66 - - [18/Sep/2001:17:38:20 -0700] "GET
> > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
> > 209.8.172.53 - - [18/Sep/2001:17:38:20 -0700] "GET
> > /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
> > HTTP/1.0" 400 285
> > 209.8.92.226 - - [18/Sep/2001:17:38:20 -0700] "GET
> > /scripts/root.exe?/c+dir HTTP/1.0" 404 280
> > 209.8.172.53 - - [18/Sep/2001:17:38:20 -0700] "GET
> > /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
> > HTTP/1.0" 404 302
> > 209.8.92.226 - - [18/Sep/2001:17:38:21 -0700] "GET
> > /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
> > HTTP/1.0" 404 301
> > 209.8.172.53 - - [18/Sep/2001:17:38:21 -0700] "GET
> > /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
> > HTTP/1.0" 404 302
> >
> > it has 216.*.*.* for more than 100 ip, 209.*.*.* more
> > than 1000 ips, 205.128.*.*
> >
> > i really tired of this., it suffer my server for more
> > than 1 week.. if anybody can help me ... i would
> > appreciate it. they have more than 10.000 ips.
>
> that all sounds suspiciously like a code red / code blue / nammbaaanada
> (sp?) virus that's spread onto an area network and is trying to infect your
> machine...
>
> I could be wrong, what do others think?
>
> Mark
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
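An added example, not part of the original message: a Python summary of the quoted access log that normalizes the percent-encoding variants of the requests, counts the `cmd.exe`/`root.exe` probes per client, and lists any probe that did not get a 4xx reply. It assumes Apache Common Log Format; the names `decode_path` and `summarize` are illustrative.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The six log lines quoted in the message, with the mail line-wrapping undone.
SAMPLE_LOG = '''\
209.8.63.66 - - [18/Sep/2001:17:38:20 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288
209.8.172.53 - - [18/Sep/2001:17:38:20 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 285
209.8.92.226 - - [18/Sep/2001:17:38:20 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
209.8.172.53 - - [18/Sep/2001:17:38:20 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
209.8.92.226 - - [18/Sep/2001:17:38:21 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301
209.8.172.53 - - [18/Sep/2001:17:38:21 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 302
'''

# Assumed format (Common Log Format): client ident user [time] "method target proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
PROBE = re.compile(r'(?:cmd|root)\.exe$', re.IGNORECASE)

def decode_path(target, max_rounds=5):
    """Drop the query string, then percent-decode until the path stops changing,
    so single- and double-encoded variants end up in one comparable form."""
    path, rounds = target.split('?', 1)[0], 0
    while rounds < max_rounds:
        decoded = unquote(path, encoding='latin-1')
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path.replace('\\', '/'), rounds

def summarize(log_text):
    """Count worm-style probes per client and list any that did not get a 4xx."""
    per_client, answered, double_encoded = Counter(), [], 0
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        path, rounds = decode_path(target)
        if not PROBE.search(path):
            continue
        per_client[client] += 1
        double_encoded += rounds > 1  # needed more than one decoding pass
        if not status.startswith('4'):  # the server did not refuse this probe
            answered.append((client, target, status))
    return {'probes': sum(per_client.values()), 'per_client': dict(per_client),
            'double_encoded': double_encoded, 'answered': answered}

if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```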