From owner-freebsd-security Thu Aug 16 23:47:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta03.mail.mel.aone.net.au (mta03.mail.au.uu.net [203.2.192.83]) by hub.freebsd.org (Postfix) with ESMTP id 8D2E137B40D for ; Thu, 16 Aug 2001 23:46:59 -0700 (PDT) (envelope-from ferni@shafted.com.au)
Received: from fernilaptop ([63.34.220.228]) by mta03.mail.mel.aone.net.au with SMTP id <20010817064657.XHXZ23992.mta03.mail.mel.aone.net.au@fernilaptop> for ; Fri, 17 Aug 2001 16:46:57 +1000
Message-ID: <004701c126e8$38d006b0$240aa8c0@fernilaptop>
Reply-To: "Andrew Dean"
From: "Andrew Dean"
To:
References:
Subject: Re: Silly crackers... NT is for kids...
Date: Fri, 17 Aug 2001 16:45:36 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Isn't that the code red worm? *feels dumb*

----- Original Message -----
From: "default - Subscriptions"
To:
Sent: Friday, August 17, 2001 4:34 PM
Subject: Silly crackers... NT is for kids...

> Hi,
>
> Recently hundreds of I.P. addresses have been attempting to use an NT
> exploit on my FreeBSD web server as if it were an NT server... Apache logs
> the attack like this:
>
> ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 276 "-" "-"
>
> Here's what security tracker has to say about it:
> http://securitytracker.com/alerts/2001/Jun/1001788.html
>
> Apparently this exploits the indexing service in IIS allowing the cracker to
> gain SYSTEM access...
>
> Now, this does absolutely nothing to my server, as it is a FreeBSD machine
> which I believe is decently secure even if the attacks were exploits that
> worked on FreeBSD (which they do not).
>
> I have been receiving so many of these lately that I must almost assume
> that it is one person orchestrating the whole attack in a pathetic attempt
> to gain access to my machine. Really all it does is pester me by sucking up
> a small percentage of my bandwidth and system resources...
>
> My question is: Is this a common attack that script kiddies are using right
> now? Are lots of people getting attacked in a similar manner? If so, does
> anyone know a place where I could get the binary and source code so that I
> can take a look at how it works? And what are the rest of you guys doing
> about this if anything?
>
> I have notified the ISPs of the attackers' I.P. ranges (mostly AT&T@Home) but
> they have done nothing, and have not even replied to my complaints. I have
> resorted to running a cron that blocks these I.P. addresses when they first
> show their ugly faces... I know that's kind of anal, but I feel that it is a
> good precaution because even if it really is hundreds of people, a couple of
> them are bound to get wise eventually and try something smarter...
>
> Anyway, it's really starting to bug me, it has been going on for a couple of
> weeks now, and I am nearing a total of 300 I.P. addresses as the sources...
> most of which are low security NT servers on a commercial network such as
> AT&T@Home and RoadRunner...
>
> Thanks,
>
> Jordan
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
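A small detector for the probes quoted in the message above, added here as an example and not code from the post or from FreeBSD: it parses Apache common-format access-log lines, flags GET /default.ida requests that carry a long filler run followed by %u-encoded bytes, and counts them per source host, which is the kind of input a blocking cron job like the one described would consume. The sample log lines and addresses are constructed; accepting N as well as X for the filler byte is an assumption.

```python
import re
from collections import Counter

# Apache common/combined log format prefix:
# host ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Code Red style probe: /default.ida? followed by a long run of one filler
# character (X in the posted log; N is also accepted here as an assumption)
# and then at least one %uXXXX-encoded word of the overflow payload.
CODE_RED_RE = re.compile(r'^/default\.ida\?([XN])\1{49,}.*?%u[0-9a-fA-F]{4}')

def parse_line(line):
    """Split one access-log line into fields, or return None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_code_red_probe(path):
    return CODE_RED_RE.match(path) is not None

def find_probes(lines):
    """Count Code Red style GET requests per source host."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and is_code_red_probe(rec["path"]):
            hits[rec["host"]] += 1
    return hits

# Constructed sample log: two probes from one host, one from another,
# a short-filler request that must not match, and ordinary traffic.
PAYLOAD = "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a"
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Aug/2001:00:53:16 -0500] "GET /default.ida?' + "X" * 224 + PAYLOAD + ' HTTP/1.0" 404 276 "-" "-"',
    '198.51.100.7 - - [17/Aug/2001:01:02:44 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [17/Aug/2001:01:10:03 -0500] "GET /default.ida?' + "N" * 224 + PAYLOAD + ' HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.33 - - [17/Aug/2001:01:15:51 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 276 "-" "-"',
    '198.51.100.9 - - [17/Aug/2001:01:20:12 -0500] "GET /default.ida?' + "X" * 224 + PAYLOAD + ' HTTP/1.0" 404 276 "-" "-"',
]

if __name__ == "__main__":
    for host, n in find_probes(SAMPLE_LOG).most_common():
        print(f"{host}: {n} Code Red style probe(s)")
```

Feeding `find_probes` the real access log and acting only on hosts above a small threshold keeps a single malformed request from triggering a block.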