From: Louis LeBlanc
To: freebsd-questions@FreeBSD.ORG
Date: Wed, 14 Nov 2001 12:55:23 -0500
Subject: Re: Do these errors mean my system is comprimised?

On 11/13/01 11:04 PM, Chip sat at the `puter and typed:
> On Tuesday 13 November 2001 22:35, Toomas Aas wrote:
> > Hi Chip!
> >
> > On 13 Nov 01 at 19:38 you wrote:
> > > I found the following on my apache/freebsd/php/mysql server in my log
> > > after running analog -
> > > Looks like someone planted something that wants NT to work correctly -
> > >
> > > 111: /scripts/..%255c../winnt/system32/cmd.exe
> > > 111: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
> > > 106: /scripts/..%5c../winnt/system32/cmd.exe
> >
> > [...snip...]
> >
> > Someone attempted to exploit the Nimda worm against your server.
> > Since you are not running Microsoft IIS (I hope!),
>
> Heck no! Not on my life! Heh, heh. I have apache on FreeBSD (see above).
> I have to put up with IIS at work, and what an unreliable piece it is! I also

Hence the 'aftermarket acronyms'
IIS -> It Isn't Secure.
IIS -> It Isn't Stable.
. . . :D

> have an apache server at work, and it just keeps going, and going, and going.
> Heh heh. :-)

Yup. I have to restart mine because I get renumbered from time to time,
but that's it.

L
--
Louis LeBlanc leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org Ô¿Ô¬

Live long and prosper.
-- Spock, "Amok Time", stardate 3372.7
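Added example, not part of the original thread: a Python check that unwraps the percent-encoding in the request paths quoted above (`%255c` decodes to `%5c`, then to a backslash) and flags paths that traverse toward `cmd.exe`. The `count: path` line format is taken from the quoted report; the benign line, the `MAX_ROUNDS` cap and all function names are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Three request lines quoted in the thread, plus one benign line constructed for contrast.
SAMPLE = """\
111: /scripts/..%255c../winnt/system32/cmd.exe
111: /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
106: /scripts/..%5c../winnt/system32/cmd.exe
42: /index.php?page=news
"""

LINE = re.compile(r"^\s*(\d+):\s+(\S+)\s*$")
MAX_ROUNDS = 4  # assumption: cap on nested percent-encoding layers to unwrap

def fully_decode(path):
    """Percent-decode until the string stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def classify(path):
    """Return the reasons a request path looks like an IIS traversal probe."""
    decoded, rounds = fully_decode(path)
    normalized = decoded.replace("\\", "/").lower()  # IIS treats \ like /
    reasons = []
    if rounds > 1:
        reasons.append("double-encoded")
    if "../" in normalized:
        reasons.append("traversal")
    if re.search(r"/cmd\.exe(\?|$)", normalized):
        reasons.append("windows-shell")
    return reasons

def scan(report):
    """Return (hits, path, reasons) for every flagged line of the report."""
    flagged = []
    for m in filter(None, map(LINE.match, report.splitlines())):
        reasons = classify(m.group(2))
        if reasons:
            flagged.append((int(m.group(1)), m.group(2), reasons))
    return flagged

if __name__ == "__main__":
    for hits, path, reasons in scan(SAMPLE):
        print(f"{hits:5d}  {path}  [{', '.join(reasons)}]")
```

On a server that is not IIS these requests simply fail, so the flagged lines measure scanning noise rather than compromise.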