From owner-freebsd-security Thu Aug 16 23:47:29 2001
From: "default - Subscriptions" <default013subscriptions@hotmail.com>
Subject: Fw: Silly crackers... NT is for kids... - DOH!
Date: Fri, 17 Aug 2001 01:47:05 -0500
Sender: owner-freebsd-security@FreeBSD.ORG
List-ID: freebsd-security

Whoops! As it turns out, I did a bit more research at http://www.eeye.com, and found that this is the CODE RED worm! Wow! This is one mean wormy, well... guess I can at least be relieved that there aren't 5 billion crackers on my I.P. block :)

Thanks!

Jordan

Oh, P.S. If anyone else wants to read up on this, here is what I found:
http://www.eeye.com/html/Research/Advisories/AL20010717.html

----- Original Message -----
From: "default - Subscriptions"
Sent: Friday, August 17, 2001 1:34 AM
Subject: Silly crackers... NT is for kids...

> Hi,
>
> Recently hundreds of I.P. addresses have been attempting to use an NT
> exploit on my FreeBSD web server as if it were an NT server... Apache logs
> the attack like this:
>
> ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 276 "-" "-"
>
> Here's what security tracker has to say about it:
> http://securitytracker.com/alerts/2001/Jun/1001788.html
>
> Apparently this exploits the indexing service in IIS allowing the cracker to
> gain SYSTEM access...
>
> Now, this does absolutely nothing to my server, as it is a FreeBSD machine
> which I believe is decently secure even if the attacks were exploits that
> worked on FreeBSD (which they do not).
>
> I have been receiving so many of these lately, that I must almost assume
> that it is one person orchestrating the whole attack in a pathetic attempt
> to gain access to my machine. Really all it does is pester me by sucking up
> a small percentage of my bandwidth, and system resources...
>
> My question is: Is this a common attack that script kiddies are using right
> now? Are lots of people getting attacked in a similar manner? If so, does
> anyone know a place where I could get the binary and source code so that I
> can take a look at how it works? And what are the rest of you guys doing
> about this if anything?
>
> I have notified the ISPs of the attackers' I.P. ranges (mostly AT&T@Home) but
> they have done nothing, and have not even replied to my complaints. I have
> resorted to running a cron that blocks these I.P. addresses when they first
> show their ugly faces... I know that's kind of anal, but I feel that it is a
> good precaution because even if it really is hundreds of people, a couple of
> them are bound to get wise eventually and try something smarter...
>
> Anyway, it's really starting to bug me, it has been going on for a couple of
> weeks now, and I am nearing a total of 300 I.P. addresses as the sources...
> most of which are low security NT servers on a commercial network such as
> AT&T@Home, and RoadRunner...
>
> Thanks,
>
> Jordan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
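The log-scanning cron job the quoted message describes, written out as an added example (not Jordan's script and not part of the list post): it picks the Code Red `/default.ida?XXX...%u9090` probes out of an Apache access log, lists the unique source hosts, and prints ipfw deny rules for them. The sample log lines, the log path and the use of ipfw with rule numbers from 1000 are assumptions made here.

```shell
#!/bin/sh
# Added example: detect Code Red probes in an Apache access log and
# produce a firewall deny list from the source hosts. Nothing here is
# applied to the system; rules are only printed.

# Constructed sample log (not real traffic): two probes from one host,
# one from another, and an ordinary request that must not match.
make_sample_log() {
    cat > "$1" <<'EOF'
24.0.0.1 - - [17/Aug/2001:00:53:16 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
24.0.0.1 - - [17/Aug/2001:00:55:02 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
65.1.2.3 - - [17/Aug/2001:01:10:41 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 276 "-" "-"
10.9.8.7 - - [17/Aug/2001:01:12:00 -0500] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
EOF
}

# Print each distinct source host (field 1 of the common/combined log
# format) whose request line is a GET for /default.ida with the run of
# X characters followed by the %u-encoded payload the worm sends.
# Matching on the %u9090 marker keeps plain 404s for /default.ida out.
codered_sources() {
    awk '$6 == "\"GET" && $7 ~ /^\/default\.ida\?X+.*%u9090/ { print $1 }' "$1" \
        | sort -u
}

# Emit one ipfw deny rule per host, numbered upward from 1000 (assumed
# free range), blocking only port 80 so legitimate mail etc. still flows.
codered_deny_rules() {
    n=1000
    codered_sources "$1" | while read -r host; do
        echo "ipfw add $n deny tcp from $host to any 80"
        n=$((n + 1))
    done
}
```

Pipe the output of `codered_deny_rules /var/log/httpd-access.log` through `sh` from cron only after reviewing it once; a hostname-resolving log (HostnameLookups On, as in the quoted line) will yield names rather than addresses in field 1.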