From owner-freebsd-security Fri Aug 17 3:20:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from broadweb.com.tw (nat.broadweb.com.tw [211.75.42.222]) by hub.freebsd.org (Postfix) with ESMTP id 8743C37B401 for ; Fri, 17 Aug 2001 03:20:13 -0700 (PDT) (envelope-from roger@broadweb.com.tw)
Received: from meteor ([192.168.168.71]) by broadweb.com.tw (8.9.3/8.9.3) with SMTP id OAA23056 for ; Fri, 17 Aug 2001 14:41:14 +0800
From: "Roger Chien"
Subject: Re: Silly crackers... NT is for kids...
Date: Fri, 17 Aug 2001 14:50:21 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Don't you know the effect of Code Red-infected machines? Most of them are innocent.

BTW, your FreeBSD isn't absolutely secure; did you apply the telnet AYT patch already?

>Subject: Silly crackers... NT is for kids...
>
>
>Hi,
>
>Recently hundreds of I.P. addresses have been attempting to use an NT
>exploit on my FreeBSD web server as if it were an NT server... Apache logs
>the attack like this:
>
>ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET
>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
>u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>HTTP/1.0" 404 276 "-" "-"
>
>Here's what Security Tracker has to say about it:
>http://securitytracker.com/alerts/2001/Jun/1001788.html
>
>Apparently this exploits the indexing service in IIS, allowing the
>cracker to gain SYSTEM access...
>
>Now, this does absolutely nothing to my server, as it is a FreeBSD machine
>which I believe is decently secure even if the attacks were exploits that
>worked on FreeBSD (which they do not).
>Anyway, it's really starting to bug me; it has been going on for a couple of
>weeks now, and I am nearing a total of 300 I.P. addresses as the sources...
>most of which are low-security NT servers on a commercial network such as
>AT&T@Home and RoadRunner...
>
>Thanks,
>
>Jordan
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
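The quoted Apache entry is the usual Code Red probe signature: a GET for /default.ida with a long run of filler followed by %u-encoded bytes, answered with a 404 by any non-IIS server. As an added example (not from the list thread), the following Python parses Apache log lines, flags that signature, and tallies the distinct source hosts, which is the count Jordan is tracking; the sample lines are constructed and the payload is abbreviated.

```python
import re
from collections import Counter

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Code Red probe as seen in the quoted log: /default.ida followed by a long run of
# filler characters and then %uXXXX-encoded bytes (the IIS .ida overflow request).
CODE_RED_RE = re.compile(r'^GET /default\.ida\?X{20,}.*%u[0-9a-fA-F]{2,4}', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one Apache log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red(entry):
    """True when a parsed entry's request line carries the Code Red probe signature."""
    return entry is not None and bool(CODE_RED_RE.match(entry["request"]))


def summarize(lines):
    """Count Code Red probes per source host; returns (total_probes, Counter of hosts)."""
    hosts = Counter()
    for line in lines:
        entry = parse_line(line)
        if is_code_red(entry):
            hosts[entry["host"]] += 1
    return sum(hosts.values()), hosts


# Constructed sample lines, not real traffic; a 404 shows the probe failed, as on an Apache host.
PROBE = "GET /default.ida?" + "X" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0"
SAMPLE = [
    f'ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "{PROBE}" 404 276 "-" "-"',
    '10.0.0.5 - - [17/Aug/2001:00:54:02 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    f'192.0.2.7 - - [17/Aug/2001:00:55:11 -0500] "{PROBE}" 404 276 "-" "-"',
    f'192.0.2.7 - - [17/Aug/2001:00:58:40 -0500] "{PROBE}" 404 276 "-" "-"',
]

if __name__ == "__main__":
    total, hosts = summarize(SAMPLE)
    print(f"{total} Code Red probes from {len(hosts)} distinct hosts")
    for host, n in hosts.most_common():
        print(f"  {n:4d}  {host}")
```

Feeding a real access_log through summarize() gives the per-host tally; the unique host count is what grows toward the "300 addresses" figure in the quoted post.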