From: "Charles Ulrich"
To: "Steel City Phantom"
Cc: freebsd-questions@freebsd.org
Date: Wed, 17 Nov 2004 13:19:10 -0500 (EST)
Subject: Re: looks like script kiddie tried to get me

Steel City Phantom said:
> bsd 4.9, apache 1.3
>
> my postnuke started emailing me with hack attempts. i look at my log
> and find about a half a meg of where it looks like a script kiddie tried
> to poke in the dark at this site. the hits are WAY too close together
> to be manual, here is a snip from the log

[snip]

> anyone have any ideas what tool they would have used to do this. none
> of my other logs show any access so he/she just tried to hit the web
> app. we are probably going to end up calling the police when my boss
> wakes up, but i want to get your opinions too.

If you have a public web server, you're going to get attacks like these
just as sure as you'll get spam sent to a public email address. Calling the
police is likely just going to waste both their time and yours as 1) most
police departments do not have the tools or experience to investigate
network intrusion attempts, 2) script kiddies, while lacking in the brain
cell department, are usually smart enough not to launch attacks from their
own system, and 3) the attack didn't succeed and as far as you know, no
damage was done.

The best thing to do is just keep your server patched and remain diligent.
Another person recommended contacting the abuse department of the ISP. That
couldn't hurt if you consider it worth your time.

--
Charles Ulrich
Ideal Solution, LLC - http://www.idealso.com