From owner-freebsd-questions Mon Oct 22 14:26:22 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail-relay1.mirrorimage.net (mail-relay1.mirrorimage.net [209.58.140.11]) by hub.freebsd.org (Postfix) with ESMTP id 0EC0E37B40C for ; Mon, 22 Oct 2001 14:26:16 -0700 (PDT)
Received: from leblanc.mirrorimage.net (leblanc.mirrorimage.net [209.192.210.146]) by mail-relay1.mirrorimage.net (8.9.3/8.9.3) with ESMTP id RAA27014 for ; Mon, 22 Oct 2001 17:26:15 -0400
Received: (from leblanc@localhost) by leblanc.mirrorimage.net (8.11.6/8.11.4) id f9MLRAU36261 for freebsd-questions@FreeBSD.org; Mon, 22 Oct 2001 17:27:10 -0400 (EDT) (envelope-from leblanc)
Date: Mon, 22 Oct 2001 17:27:10 -0400
From: Louis LeBlanc
To: freebsd-questions@FreeBSD.org
Subject: Re: attackers! How do I know whether or not they were successful?
Message-ID: <20011022172710.A36179@acadia.ne.mediaone.net>
Reply-To: freebsd-questions@FreeBSD.org
Mail-Followup-To: freebsd-questions@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <5.0.2.1.0.20011020141127.00a191b0@netmail.home.com>
User-Agent: Mutt/1.3.23i
X-bright-idea: Lets abolish HTML mail!
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Sorry I don't have the actual message to reply to, but I got kicked off the
list this weekend because my ISP hosed its DNS server. Anyone know of a DNS
service that can serve a domain to a DHCP IP?

Anyway, here is the message quoted from the archives:
------------------------------------------------------------------
> Date: Sat, 20 Oct 2001 14:34:10 -0500
> From: Michael MacKinnon
> To: freebsd-questions@FreeBSD.ORG
> Subject: attackers! How do I know whether or not they were successful?
> Message-ID: <5.0.2.1.0.20011020141127.00a191b0@netmail.home.com>
>
> I noticed in my logs what appears to be an attempt to try a buffer
> overflow in my apache logs.
> I've included the excerpts from my logs below for reference.
> My questions:
> 1) I haven't opened up port 80 with my firewall. How did they connect?
> Is there a problem with my rules? (I've included those below for
> reference as well)

I looked at the log entry. Is this the only one you got? Did you get any
looking for 'root.exe' or 'shell.exe' or such things? Those would likely be
the Nimda worm trying to spread. What you have is the CodeRed or CodeRed II
worm, as someone else already suggested. You can ignore this if you like, or
you can handle it by reporting it to the abuse authorities for that domain.
They will (presumably) inform someone administering the machine that it is
infected.

> 2) How can I tell how successful the attempt was?

It wasn't, if you are not running IIS on a Win$ O$.

> 3) Any ideas what the attempt was trying to do? Is this a known
> exploit? Where would I find out?

Someone else gave you a good link. You can also get a bit of info here:
http://acadia.ne.mediaone.net/Nimda/
It was offline this past weekend, thanks to my ISP, but it's back. I also
have links to the handlers that would automatically send complaints to the
abuse authorities.

> 4) What do I do now? Anything else I should do?

You can handle it or ignore it. Won't matter. If you run a lightly loaded
server, I'd suggest helping to keep the infections reported with one or both
of the handlers you can see at the link above. If you are running a heavily
loaded server, just use the suggestions on that page to eliminate the log
file overflow that will result from the two worms (especially Nimda).

> My Firewall Rules:
> block in on dc0
> block in log quick on dc0 from 192.168.0.0/16 to any
> block in log quick on dc0 from 172.16.0.0/12 to any
> block in log quick on dc0 from 10.0.0.0/8 to any
> block in log quick on dc0 from 127.0.0.0/8 to any
> block in log quick on dc0 from /32 to any
> # allow my own network stuff to get out
> pass out quick on dc0 proto tcp/udp from 192.168.0.0/24 to any keep state
> pass out quick on dc0 proto icmp from 192.168.0.0/24 to any keep state
> pass out quick on dc0 proto tcp/udp from /32 to any keep state

Someone else already mentioned the kernel default behavior. You should have
the default set to deny so that you can explicitly allow only what you want
through. Try looking at the cheat sheets at
http://www.mostgraveconcern.com/freebsd/
I found them most helpful.

> httpd-error contents:
> [Sat Oct 19 13:25:07 2001] [error] [client 131.123.8.178] Client sent
> malformed Host header
>
> httpd-access contents:
> 131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET
> /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%
> u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u
> 0000%u00=a HTTP/1.0" 400 341 "-" "-"

Yup. That's CodeRed. I'm surprised there are any of these still out there. I
haven't seen one since 10/10. I think most of them have either been cleaned
out or taken over by Nimda. That one's worse because it can spread so many
different ways, and it uses roughly 16 separate URLs to try to get into an
IIS server.

Good luck
Lou
--
Louis LeBlanc                          leblanc@acadia.ne.mediaone.net
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://acadia.ne.mediaone.net

Too much is just enough.
    -- Mark Twain, on whiskey

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
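As an added example that is not part of the original thread, here is the kind of log triage the reply describes, run over a few Apache access-log lines. The Code Red line is the one from the post with its padding shortened; the other lines, including the 192.0.2.x source addresses, are constructed. It classifies each request as Code Red (N padding in /default.ida), Code Red II (the same request with X padding), or Nimda (probes for root.exe/cmd.exe), and builds the per-source summary you would paste into an abuse complaint. The function names are my own.

```python
"""Triage Code Red / Nimda probes in an Apache access log (added example)."""
import re

# Apache common/combined log line: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Code Red: GET /default.ida? followed by a long run of padding, then the
# %uXXXX-encoded shellcode. Code Red v1/v2 pad with N, Code Red II pads with X.
CODERED_RE = re.compile(r'^/default\.ida\?(?P<pad>N{10,}|X{10,}).*%u9090')

# Nimda cycles through roughly 16 URLs, all aimed at root.exe or cmd.exe via
# the IIS unicode / double-decode traversal bugs. Match the target binary,
# not a particular encoding, so the traversal variants are all caught.
NIMDA_RE = re.compile(r'(root\.exe|cmd\.exe)', re.IGNORECASE)


def classify(path):
    """Return 'CodeRed', 'CodeRedII', 'Nimda', or None for a request path."""
    m = CODERED_RE.match(path)
    if m:
        return "CodeRedII" if m.group("pad").startswith("X") else "CodeRed"
    if NIMDA_RE.search(path):
        return "Nimda"
    return None


def parse_line(line):
    """Parse one access-log line into a dict, adding a 'worm' field (or None)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["worm"] = classify(rec["path"])
    return rec


def abuse_report(lines):
    """Per-source summary for an abuse@ complaint: worm family, hit count,
    first and last timestamps. Lines are assumed to be in log order."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["worm"]:
            continue
        entry = report.setdefault(rec["host"], {
            "worms": set(), "hits": 0, "first": rec["time"], "last": rec["time"]})
        entry["worms"].add(rec["worm"])
        entry["hits"] += 1
        entry["last"] = rec["time"]
    return report


# Constructed sample log. Line 1 is the post's Code Red entry with the N
# padding shortened; the rest are made up (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    '131.123.8.178 - - [19/Oct/2001:13:25:07 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN'
    '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090'
    '%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 341 "-" "-"',
    '192.0.2.5 - - [19/Oct/2001:13:30:00 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX'
    '%u9090%u6858%ucbd3%u7801 HTTP/1.0" 400 341 "-" "-"',
    '192.0.2.7 - - [19/Oct/2001:13:31:00 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"',
    '192.0.2.7 - - [19/Oct/2001:13:31:01 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"',
    '192.0.2.9 - - [19/Oct/2001:13:32:00 -0700] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, entry in sorted(abuse_report(SAMPLE_LOG).items()):
        print(f"{host}: {'/'.join(sorted(entry['worms']))}, {entry['hits']} hit(s), "
              f"{entry['first']} .. {entry['last']}")
```

If the goal is only to stop the log from filling up, Apache's mod_setenvif can keep these requests out of the access log entirely, for instance `SetEnvIf Request_URI "(default\.ida|cmd\.exe|root\.exe)" worm` followed by `CustomLog /var/log/httpd-access.log combined env=!worm`; the script above is for the case where you still want to count and report them.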
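As an added example, not taken from the thread, this is the default-deny layout the reply recommends on a FreeBSD 4.x box running ipfilter: the kernel option that makes ipf block anything no rule passes, the rc.conf knobs that load the rules, and a rule set that only opens what is listed. The interface name dc0 follows the poster's rules; the single exposed service (port 22) is an assumption, and port 80 is deliberately left closed so a Code Red probe is dropped before it reaches httpd.

```conf
# Kernel config (e.g. /usr/src/sys/i386/conf/MYKERNEL): compile ipfilter in
# and make "no matching rule" mean block, not pass.
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

# /etc/rc.conf: load the rule set at boot and log blocked packets via ipmon
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipmon_enable="YES"

# /etc/ipf.rules. ipf walks every rule and the LAST match wins unless a rule
# says "quick", so the catch-all blocks go first and explicit passes follow.
block in log on dc0 all
block out log on dc0 all

# Anti-spoofing: private and loopback sources never legitimately arrive from
# the outside interface.
block in log quick on dc0 from 192.168.0.0/16 to any
block in log quick on dc0 from 172.16.0.0/12 to any
block in log quick on dc0 from 10.0.0.0/8 to any
block in log quick on dc0 from 127.0.0.0/8 to any

# Let our own connections out; "keep state" admits only the replies, so no
# broad "pass in" rule is needed for return traffic.
pass out quick on dc0 proto tcp from any to any flags S keep state
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any keep state

# Expose services one line at a time. Port 80 is intentionally absent (assumed
# example: only ssh is reachable), so an inbound worm probe hits the
# "block in log on dc0 all" above and never reaches httpd.
pass in quick on dc0 proto tcp from any to any port = 22 flags S keep state
```

After editing the rules, `ipf -Fa -f /etc/ipf.rules` reloads them and `ipfstat -hio` shows hit counts per rule, which is the quickest way to confirm that a port-80 probe is being counted by the block rule rather than slipping past it.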