From owner-freebsd-questions Fri Feb 22 07:39:07 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from nebula.anchoragerescue.org (cable-115-7-237-24.anchorageak.net [24.237.7.115])
	by hub.freebsd.org (Postfix) with ESMTP id EFA5837B417
	for ; Fri, 22 Feb 2002 07:39:01 -0800 (PST)
Received: from there (galaxy.anchoragerescue.org [24.237.7.95])
	by nebula.anchoragerescue.org (Postfix) with SMTP id 23072AA;
	Fri, 22 Feb 2002 06:38:55 -0900 (AKST)
Content-Type: text/plain; charset="iso-8859-1"
From: Beech Rintoul
To: Jim Freeze , freebsd-questions@freebsd.org
Subject: Re: Script Kiddies Trying to Hack Me?
Date: Fri, 22 Feb 2002 06:38:54 -0900
X-Mailer: KMail [version 1.3]
References: <20020222102602.A14033@freebsdportal.com>
In-Reply-To: <20020222102602.A14033@freebsdportal.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <20020222153855.23072AA@nebula.anchoragerescue.org>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Friday 22 February 2002 06:26 am, Jim Freeze wrote:
> Hi:
>
> I was just browsing my log files on a site/ip address that has
> been live less than 12 hrs and came across:
>
> 63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
> 63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
> 63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0 " 404 307
>
> This looks like someone trying to get access to an NT system command,
> and my guess is that they are up to no good.
> Is this a fair assumption? I would guess that this is fairly
> common and that these guys are scanning new machines all the time.
>
> Makes me want to be sure that I get a firewall up before I put
> a machine on the net.

What you're seeing is a Code Red or Nimda scan. Besides filling up your
httpd logs, that only affects an unpatched micro$oft IIS server. These
days I wouldn't put a machine on the net for 5 minutes without security
in place.

Beech

-- 
-------------------------------------------------------------------
Beech Rintoul - IT Manager - Instructor - akbeech@anchoragerescue.org
 /"\   ASCII Ribbon Campaign   | Anchorage Gospel Rescue Mission
 \ /   - NO HTML/RTF in e-mail | P.O. Box 230510
  X    - NO Word docs in e-mail | Anchorage, AK 99523-0510
 / \   -----------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
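The log entries quoted in the thread are the classic signatures of the Code Red II / Nimda worm probes (requests for cmd.exe, for the root.exe backdoor that Code Red II left in /scripts and /MSADC, and the double-URL-encoded traversal `..%255c..`). The script below is an added example, not part of the mailing-list message, showing how an administrator on a non-IIS host can pick these out of an Apache combined/common log and count them per source address. The sample log text is constructed here (the first five lines mirror the entries quoted above, the last is a benign request added for contrast), and the signature list and function names are this example's own choices, not any tool's API.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log, modelled on the entries quoted in the thread plus
# one benign request so the classifier has something to ignore.
SAMPLE_LOG = """\
63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
63.219.136.226 - - [22/Feb/2002:09:29:18 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283
63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
63.219.136.226 - - [22/Feb/2002:09:29:19 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307
192.0.2.10 - - [22/Feb/2002:09:30:01 -0500] "GET /index.html HTTP/1.0" 200 1043
"""

# Apache common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Substrings (matched against the normalised path) that indicate an IIS
# worm probe rather than a request this host could ever serve.  The labels
# are this example's own descriptions.
SIGNATURES = {
    "cmd.exe": "NT command interpreter requested (Code Red II / Nimda probe)",
    "root.exe": "root.exe backdoor left by Code Red II probed",
    "../": "directory traversal in request path",
}


def normalize_target(target: str) -> str:
    """Strip the query, URL-decode twice and fold backslashes to slashes.

    Decoding twice unwraps the double encoding seen in the quoted log
    ("%255c" -> "%5c" -> "\\"), which was used to slip past single-pass
    filters; folding "\\" to "/" lets one traversal signature cover both.
    """
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/").lower()


def classify_line(line: str):
    """Return a finding dict for a worm-probe line, or None if benign/unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_target(m.group("target"))
    hits = [name for name in SIGNATURES if name in path]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "path": path,
        "status": int(m.group("status")),
        "hits": hits,
    }


def scan_log(text: str):
    """Classify every line; return (findings, probes-per-source-IP)."""
    findings = [f for f in (classify_line(l) for l in text.splitlines()) if f]
    per_ip = Counter(f["ip"] for f in findings)
    return findings, per_ip


if __name__ == "__main__":
    found, counts = scan_log(SAMPLE_LOG)
    for f in found:
        reasons = "; ".join(SIGNATURES[h] for h in f["hits"])
        print(f"{f['ip']} {f['timestamp']} {f['status']} {f['path']}  <- {reasons}")
    print("probes per source:", dict(counts))
```

Every probe in the sample returned 404, which is exactly the "only fills up your logs" outcome Beech describes for a non-IIS server; the per-IP count is what you would feed a log-based blocklist or alerting rule, and the double decode is the detail most home-grown grep filters miss.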