From owner-freebsd-questions Sat Oct 20 14:19:01 2001
Message-Id: <5.0.2.1.0.20011020141127.00a191b0@netmail.home.com>
X-Sender: mackinnon.m@netmail.home.com
X-Mailer: QUALCOMM Windows Eudora Version 5.0.2
Date: Sat, 20 Oct 2001 14:34:10 -0500
To: freebsd-questions@FreeBSD.ORG
From: Michael MacKinnon
Subject: attackers! How do I know whether or not they were successful?
In-Reply-To: <001e01c1593e$f1089340$1401a8c0@tedm.placo.com>
References: <20011019105246.Q38148-100000@teak.adhesivemedia.com>

I noticed in my Apache logs what appears to be an attempt at a buffer overflow. I've included the excerpts from my logs below for reference.

My questions:

1) I haven't opened up port 80 with my firewall. How did they connect? Is there a problem with my rules? (I've included those below for reference as well.)
2) How can I tell how successful the attempt was?
3) Any ideas what the attempt was trying to do? Is this a known exploit? Where would I find out?
4) What do I do now? Anything else I should do?

Thanks for all your help in this.

Mike

Notes: I have FreeBSD 4.4, recently installed from an ISO image.
My firewall rules:

    block in on dc0
    block in log quick on dc0 from 192.168.0.0/16 to any
    block in log quick on dc0 from 172.16.0.0/12 to any
    block in log quick on dc0 from 10.0.0.0/8 to any
    block in log quick on dc0 from 127.0.0.0/8 to any
    block in log quick on dc0 from /32 to any
    # allow my own network stuff to get out
    pass out quick on dc0 proto tcp/udp from 192.168.0.0/24 to any keep state
    pass out quick on dc0 proto icmp from 192.168.0.0/24 to any keep state
    pass out quick on dc0 proto tcp/udp from /32 to any keep state

httpd-error contents:

    [Sat Oct 19 13:25:07 2001] [error] [client 131.123.8.178] Client sent malformed Host header

httpd-access contents:

    131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 341 "-" "-"
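An added example for triaging log entries like the one posted above; this is editor-written code, not part of the original message or a FreeBSD tool. The request shape in the access log (a GET to /default.ida with a long run of one filler byte followed by %uXXXX-encoded words such as %u9090%u6858%ucbd3%u7801) is the signature of the Code Red family of worms probing the IIS Index Server .ida ISAPI filter; Apache has no such handler, and the 400 response plus the "malformed Host header" error show the request was rejected at parse time rather than processed. The script below parses Apache common/combined log lines, flags requests of that shape, extracts the %u-encoded words, and reports whether the server accepted (200) or rejected the request. The sample log is constructed: the first line reproduces the posted request with its filler written as 224 'N' bytes (assumed count), the rest are made-up lines to exercise the other paths. As a separate check for question 1, the posted ipf rules contain no `pass in` rule at all, so an inbound connection to port 80 on dc0 should be dropped if ipf is actually loaded and active on that interface; `ipfstat -io` will show which rules the kernel is really enforcing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache common/combined log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Probe shape: /default.ida? + a run of >= 64 copies of one letter + two or more
# %uXXXX words. This is what the Code Red family sends at the IIS .ida filter.
IDA_PROBE_RE = re.compile(
    r'^/default\.ida\?(?P<filler>([A-Za-z])\2{63,})(?P<payload>(?:%u[0-9a-fA-F]{4}){2,})'
)
UWORD_RE = re.compile(r'%u([0-9a-fA-F]{4})')

# Constructed sample log. Line 1 mirrors the posted request (224 filler bytes is an
# assumption); lines 2-4 are made up to exercise benign, accepted and unparseable cases.
POSTED_PAYLOAD = ("%u9090%u6858%ucbd3%u7801" * 3
                  + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_ACCESS_LOG = "\n".join([
    '131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET /default.ida?'
    + "N" * 224 + POSTED_PAYLOAD + ' HTTP/1.0" 400 341 "-" "-"',
    '10.0.0.5 - - [19/Oct/2001:13:26:00 -0700] "GET /index.html HTTP/1.0" 200 1523 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [19/Oct/2001:13:27:11 -0700] "GET /default.ida?'
    + "X" * 224 + POSTED_PAYLOAD + ' HTTP/1.0" 200 0 "-" "-"',
    'garbage line that does not parse',
])


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: int
    filler_byte: str
    filler_len: int
    words: List[str]   # the %u-encoded 16-bit words following the filler
    verdict: str


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields; None if it is not a log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split(" ")
    if len(parts) != 3:          # request line is not "METHOD PATH PROTO"
        return None
    rec["method"], rec["path"], rec["proto"] = parts
    rec["status"] = int(rec["status"])
    return rec


def classify_status(status: int) -> str:
    """What the response code says about whether the probe got anywhere."""
    if status == 200:
        return "server returned 200: a handler accepted the request, treat the host as suspect"
    if status in (400, 404, 414):
        return f"server returned {status}: request rejected before any .ida handler ran"
    return f"server returned {status}: review manually"


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line is an .ida overflow probe, else None."""
    rec = parse_line(line)
    if rec is None or rec["method"] != "GET":
        return None
    m = IDA_PROBE_RE.match(rec["path"])
    if not m:
        return None
    return Finding(
        ip=rec["ip"],
        timestamp=rec["ts"],
        status=rec["status"],
        filler_byte=m.group(2),
        filler_len=len(m.group("filler")),
        words=UWORD_RE.findall(m.group("payload")),
        verdict=classify_status(rec["status"]),
    )


def scan(log_text: str) -> List[Finding]:
    """Run the probe detector over a whole log; unparseable lines are skipped."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_ACCESS_LOG):
        print(f"{f.timestamp} {f.ip} filler={f.filler_byte}x{f.filler_len} "
              f"words={len(f.words)} first={f.words[:4]} -> {f.verdict}")
```

Run it against a real file with `scan(open("/var/log/httpd-access.log").read())`. The first four words of the posted payload (9090 6858 cbd3 7801) are a useful grep key for the rest of the log, and any hit with status 200 deserves a look at what answered on that port, since a stock Apache does not serve /default.ida.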