From owner-freebsd-security Thu Aug 16 23:35:08 2001
From: "default - Subscriptions" <default013subscriptions@hotmail.com>
To: freebsd-security@freebsd.org
Subject: Silly crackers... NT is for kids...
Date: Fri, 17 Aug 2001 01:34:48 -0500

Hi,

Recently hundreds of I.P. addresses have been attempting to use an NT exploit on my FreeBSD web server as if it were an NT server... Apache logs the attack like this:

ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"

Here's what Security Tracker has to say about it: http://securitytracker.com/alerts/2001/Jun/1001788.html

Apparently this exploits the indexing service in IIS, allowing the cracker to gain SYSTEM access...
Now, this does absolutely nothing to my server, as it is a FreeBSD machine which I believe is decently secure even if the attacks were exploits that worked on FreeBSD (which they do not). I have been receiving so many of these lately that I must almost assume it is one person orchestrating the whole attack in a pathetic attempt to gain access to my machine. Really all it does is pester me by sucking up a small percentage of my bandwidth and system resources...

My question is: Is this a common attack that script kiddies are using right now? Are lots of people getting attacked in a similar manner? If so, does anyone know a place where I could get the binary and source code so that I can take a look at how it works? And what are the rest of you guys doing about this, if anything?

I have notified the ISPs of the attackers' I.P. ranges (mostly AT&T@Home) but they have done nothing, and have not even replied to my complaints. I have resorted to running a cron that blocks these I.P. addresses when they first show their ugly faces... I know that's kind of anal, but I feel that it is a good precaution, because even if it really is hundreds of people, a couple of them are bound to get wise eventually and try something smarter...

Anyway, it's really starting to bug me. It has been going on for a couple of weeks now, and I am nearing a total of 300 I.P. addresses as the sources... most of which are low-security NT servers on a commercial network such as AT&T@Home and RoadRunner...

Thanks,
Jordan
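A defender-side way to pull these probes out of an Apache access log and rank the sources, as an added example (it is not Jordan's cron job, which the post does not show): it parses common/combined-format lines, treats any GET for /default.ida as a probe, since a FreeBSD/Apache host has no IIS indexing service and no such file, counts hits per source host, and lists the hosts at or above a chosen threshold. The first sample line is the one quoted in the post with its X padding shortened; the other lines, the 192.0.2.x addresses, and the threshold value are constructed for the example.

```python
"""Tally /default.ida probes from an Apache access log (added example, not the post's own script)."""
import re
from collections import Counter

# Apache common/combined log format:
#   host ident authuser [date] "request" status bytes ["referer" "user-agent"]
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)

# Complete %uXXXX escapes as they appear in the request quoted in the post.
UNICODE_ESCAPE_RE = re.compile(r'%u[0-9a-fA-F]{4}')

# Constructed sample log. Line 0 is the post's own entry with the X run shortened;
# the remaining lines and 192.0.2.x hosts are made up for this example.
PAD = 'X' * 40
SAMPLE_LINES = [
    'ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET /default.ida?' + PAD
    + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
    + '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.10 - - [17/Aug/2001:01:02:44 -0500] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/4.0"',
    '192.0.2.77 - - [17/Aug/2001:01:05:01 -0500] "GET /default.ida?' + PAD + '%u9090%u6858 HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.77 - - [17/Aug/2001:01:05:09 -0500] "GET /default.ida?' + PAD + '%u9090%u6858 HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.77 - - [17/Aug/2001:01:05:20 -0500] "GET /default.ida?' + PAD + '%u9090%u6858 HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.10 - - [17/Aug/2001:01:06:00 -0500] "GET /Default.IDA HTTP/1.0" 404 276 "-" "-"',
    'this line is not in Apache log format',
]


def parse_log_line(line):
    """Return the fields of one access-log line, or None if it is not in Apache format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ida_probe(request):
    """True when the request line is a GET for /default.ida, any letter case, any query string.

    The server in the post is FreeBSD/Apache, so there is no file by that name to
    serve; every such request is a probe no matter what follows the '?'.
    """
    parts = request.split()
    if len(parts) < 2:
        return False
    method, target = parts[0], parts[1]
    path = target.split('?', 1)[0]
    return method.upper() == 'GET' and path.lower() == '/default.ida'


def probe_payload_escapes(request):
    """Count complete %uXXXX escapes; separates bare /default.ida hits from payload-carrying ones."""
    return len(UNICODE_ESCAPE_RE.findall(request))


def tally_probes(lines):
    """Return (Counter of probe hits per source host, number of unparseable lines)."""
    hits = Counter()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec is None:
            unparsed += 1
            continue
        if is_ida_probe(rec['request']):
            hits[rec['host']] += 1
    return hits, unparsed


def hosts_to_block(hits, threshold=1):
    """Sources with at least `threshold` probes, busiest first (the post blocks on the first hit)."""
    return [host for host, n in hits.most_common() if n >= threshold]


if __name__ == '__main__':
    hits, unparsed = tally_probes(SAMPLE_LINES)
    print(f'{sum(hits.values())} probes from {len(hits)} hosts; {unparsed} unparseable line(s)')
    for host, n in hits.most_common():
        print(f'{n:4d}  {host}')
    print('block list (threshold 2):', hosts_to_block(hits, threshold=2))
```

Sources come out exactly as Apache recorded them (hostnames in the post's log), so they need resolving before they go into an address-based firewall rule, and the threshold decides how aggressive the block list is: 1 reproduces the post's block-on-first-sight policy, a higher value only lists repeat sources.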