From owner-freebsd-security Fri Aug 17 8:26:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from isber.ucsb.edu (research.isber.ucsb.edu [128.111.147.5]) by hub.freebsd.org (Postfix) with ESMTP id 15BA937B409 for ; Fri, 17 Aug 2001 08:26:17 -0700 (PDT) (envelope-from randall@isber.ucsb.edu)
Received: from casino.isber.ucsb.edu ([128.111.147.11] helo=isber.ucsb.edu) by isber.ucsb.edu with esmtp (Exim 3.32 #4) id 15XlVo-0007sg-00; Fri, 17 Aug 2001 08:26:16 -0700
Message-ID: <3B7D3797.ED5ED033@isber.ucsb.edu>
Date: Fri, 17 Aug 2001 08:26:15 -0700
From: randall ehren
Reply-To: randall@isber.ucsb.edu
Organization: isber.ucsb.edu
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Cc: Steve McGhee
Subject: Re: [Fwd: Silly crackers... NT is for kids...]
References: <3B7D33B0.E584E835@lmri.ucsb.edu>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

hey,

i have several freebsd web servers getting attacked all day long. they are
basically hitting anything with port 80 open (hp jet admin boxes as well).

it may not be the most polite thing, and i have yet to test it, but there
are a few people making little scripts to "get back" at them...
http://members.shaw.ca/jobeus/codered.htm is one example.

there was a post on slashdot.org a few days back with another version...
http://www.dasbistro.com/default_ida_info.html
the article was:
http://slashdot.org/article.pl?sid=01/08/11/1420207&mode=nested

--
- randall s. ehren -=- 805 893-5632
system administrator -=- isber.ucsb.edu
institute for social, behavioral, and economic research
randall.cell@isber.ucsb.edu

freebsd-security@freebsd.org
>
> Recently hundreds of I.P. addresses have been attempting to use an NT
> exploit on my FreeBSD web server as if it were an NT server... Apache
> logs the attack like this:
>
> ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
> u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 276 "-" "-"
>
> I have been receiving so many of these lately, that I must almost assume
> that it is one person orchestrating the whole attack in a pathetic attempt
> to gain access to my machine. Really all it does is pester me by sucking up
> a small percentage of my bandwidth, and system resources...
>
> My question is: Is this a common attack that script kiddies are using right
> now? Are lots of people getting attacked in a similar manner? If so, does
> anyone know a place where I could get the binary and source code so that I
> can take a look at how it works? And what are the rest of you guys doing
> about this if anything?
>
> I have notified the ISPs of the attackers' I.P. ranges (mostly AT&T@Home) but
> they have done nothing, and have not even replied to my complaints. I have
> resorted to running a cron that blocks these I.P. addresses when they first
> show their ugly faces... I know that's kind of anal, but I feel that it is a
> good precaution because even if it really is hundreds of people, a couple of
> them are bound to get wise eventually and try something smarter...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
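The quoted request has a very recognisable shape in Apache's access log: a GET for /default.ida? followed by a long run of X characters and %uXXXX escapes, answered with a 404 on a non-IIS server. The script below is an added example, not code from either poster, of the kind of log scan a cron job like the one described could run: it parses common-log-format lines, counts requests matching that signature per client, and emits ipfw deny rules for clients logged as literal IPv4 addresses (clients logged as hostnames, as happens with HostnameLookups On, are reported separately so the operator can resolve them first). The sample log lines, client addresses and the ipfw rule numbers are constructed for the example; the X run is shortened from the 224 characters in the real request.

```python
import re
import sys
from collections import Counter

# Constructed sample log lines modelled on the request quoted in the thread.
# Hosts, timestamps and the shortened 'X' run are made up for this example.
SAMPLE_LOG = """\
ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [17/Aug/2001:01:02:03 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"
192.0.2.10 - - [17/Aug/2001:01:02:09 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [17/Aug/2001:01:05:44 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.77 [en] (X11; U; FreeBSD 4.3-RELEASE i386)"
203.0.113.9 - - [17/Aug/2001:01:06:01 -0500] "GET /default.ida HTTP/1.0" 404 276 "-" "-"
"""

# Apache common/combined log format: client, ident, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signature of the request quoted in the thread: /default.ida? plus a long run
# of X padding followed by %uXXXX escapes.  A bare GET /default.ida without the
# padding is deliberately not matched, so the count reflects the worm traffic
# rather than any request for that path.
CODE_RED_RE = re.compile(r'^/default\.ida\?X{16,}.*%u[0-9a-fA-F]{4}')

IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red_probe(target):
    """True if the request target carries the /default.ida?XXX...%uXXXX signature."""
    return CODE_RED_RE.match(target) is not None


def scan(log_text):
    """Count matching requests per client field across all lines of the log."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "GET" and is_code_red_probe(rec["target"]):
            hits[rec["client"]] += 1
    return hits


def block_rules(hits, threshold=1, base_rule=1000):
    """Build ipfw deny rules for offending clients logged as IPv4 literals.

    Clients logged as hostnames are returned in a second list instead of being
    turned into rules, since ipfw needs an address.  Rule numbers start at
    base_rule (an assumed, constructed value) and count up.
    """
    rules, unresolved = [], []
    for client, count in sorted(hits.items()):
        if count < threshold:
            continue
        if IPV4_RE.match(client):
            rules.append(f"ipfw add {base_rule + len(rules)} deny tcp from {client} to any 80")
        else:
            unresolved.append(client)
    return rules, unresolved


if __name__ == "__main__":
    # Read a real access log from the path given on the command line, or fall
    # back to the constructed sample when run without arguments.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    counts = scan(text)
    rules, unresolved = block_rules(counts)
    for client, n in counts.most_common():
        print(f"{n:5d}  {client}")
    for rule in rules:
        print(rule)
    for host in unresolved:
        print(f"# resolve before blocking: {host}")
```

Run it against /var/log/httpd-access.log (or whatever path Apache writes to) and pipe the ipfw lines to a shell only after reviewing them; the threshold parameter lets the operator require more than one hit before a client is listed, which avoids blocking a single stray request.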