Date: Wed, 17 Nov 2004 01:30:33 -0800 From: Kent Stewart <kbstew01@owt.com> To: freebsd-questions@freebsd.org Cc: Steel City Phantom <scphantm@yahoo.com> Subject: Re: looks like script kiddie tried to get me Message-ID: <200411170130.33962.kbstew01@owt.com> In-Reply-To: <419B06CC.8030107@yahoo.com> References: <419B06CC.8030107@yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wednesday 17 November 2004 12:07 am, Steel City Phantom wrote: > bsd 4.9, apache 1.3 > > my postnuke started emailing me with hack attempts. i look at my log > and find about a half a meg of where it looks like a script kiddie tried > to poke in the dark at this site. the hits are WAY too close together > to be manual, here is a snip from the log > > 24.54.157.86 - - [17/Nov/2004:01:00:29 -0500] "GET /etc/ HTTP/1.1" 404 > 288 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:29 -0500] "GET /example/ HTTP/1.1" > 404 292 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] "GET /examples/ HTTP/1.1" > 404 293 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] "GET /exc/ HTTP/1.1" 404 > 288 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] "GET /excel/ HTTP/1.1" 404 > 290 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] "GET /exchange/ HTTP/1.1" > 404 293 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:30 -0500] "GET /exe/ HTTP/1.1" 404 > 288 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /exec/ HTTP/1.1" 404 > 289 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /export/ HTTP/1.1" > 404 291 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /external/ HTTP/1.1" > 404 293 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /f/ HTTP/1.1" 404 286 > "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /fbsd/ HTTP/1.1" 404 > 289 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /fcgi-bin/ HTTP/1.1" > 404 293 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:31 -0500] "GET /file/ HTTP/1.1" 404 > 289 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] "GET /filemanager/ > HTTP/1.1" 404 296 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] "GET /files/ HTTP/1.1" 404 > 290 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] "GET /foldoc/ HTTP/1.1" > 404 291 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > 24.54.157.86 - - [17/Nov/2004:01:00:32 -0500] "GET /form/ HTTP/1.1" 404 > 289 "-" "Mozilla/4.75 [en] (X11, U; Nessus)" > > anyone have any ideas what tool they would have used to do this. none > of my other logs show any access so he/she just tried to hit the web > app. we are probably going to end up calling the police when my boss > wakes up, but i want to get your opinions too. Well, I don't know about your follow up but I would simply forward what you have to abuse@adelphia.net. That is what shows up for a whois at www.arin.net for that IP address. The ISPs are really good about eliminating problems like this :). Kent
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200411170130.33962.kbstew01>