From owner-freebsd-questions@FreeBSD.ORG Wed Nov 17 08:06:06 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9FF4416A4D0 for ; Wed, 17 Nov 2004 08:06:06 +0000 (GMT) Received: from ms-smtp-02.tampabay.rr.com (ms-smtp-02-smtplb.tampabay.rr.com [65.32.5.132]) by mx1.FreeBSD.org (Postfix) with ESMTP id E00B143D1D for ; Wed, 17 Nov 2004 08:06:05 +0000 (GMT) (envelope-from scphantm@yahoo.com) Received: from [192.168.0.2] (24286hfc39.tampabay.rr.com [24.28.6.39]) iAH863Ix027667 for ; Wed, 17 Nov 2004 03:06:03 -0500 (EST) Message-ID: <419B06CC.8030107@yahoo.com> Date: Wed, 17 Nov 2004 03:07:40 -0500 From: Steel City Phantom User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-questions@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: Symantec AntiVirus Scan Engine Subject: looks like script kiddie tried to get me X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Nov 2004 08:06:06 -0000 bsd 4.9, apache 1.3 my postnuke started emailing me with hack attempts. i look at my log and find about a half a meg of where it looks like a script kiddie tried to poke in the dark at this site. the hits are WAY too close together to be manual, here is a snip from the log 24.54.157.86 - - [17/Nov/2004:01:00:29 -0500] "GET /etc/ HTTP/1.1" 404 288 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:29 -0500] "GET /example/ HTTP/1.1" 404 292 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] "GET /examples/ HTTP/1.1" 404 293 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] "GET /exc/ HTTP/1.1" 404 288 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] "GET /excel/ HTTP/1.1" 404 290 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] "GET /exchange/ HTTP/1.1" 404 293 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] "GET /exe/ HTTP/1.1" 404 288 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /exec/ HTTP/1.1" 404 289 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /export/ HTTP/1.1" 404 291 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /external/ HTTP/1.1" 404 293 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /f/ HTTP/1.1" 404 286 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /fbsd/ HTTP/1.1" 404 289 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /fcgi-bin/ HTTP/1.1" 404 293 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /file/ HTTP/1.1" 404 289 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] "GET /filemanager/ HTTP/1.1" 404 296 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] "GET /files/ HTTP/1.1" 404 290 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] "GET /foldoc/ HTTP/1.1" 404 291 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" 24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] "GET /form/ HTTP/1.1" 404 289 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" anyone have any ideas what tool they would have used to do this. none of my other logs show any access so he/she just tried to hit the web app. we are probably going to end up calling the police when my boss wakes up, but i want to get your opinions too.