From: "Thomas T. Veldhouse" <veldy@veldy.net>
To: "David Powers", freebsd-security@freebsd.org
Subject: Re: Recent probes
Date: Sat, 21 Jul 2001 14:01:05 -0500

Yeah -- there is an IIS exploit that they seem to try on ALL servers. It will incidentally drop a Cisco 67x DSL router if it hasn't been updated to the latest CBOS and the web management interface is enabled.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "David Powers"
Sent: Friday, July 20, 2001 8:17 PM
Subject: Recent probes

> I have been getting a rash of probes to TCP/80 recently, is there a recent
> issue that they might be trying to exploit? Below is the data on the probes'
> origination.
>
> /kernel: ipfw: 65435 Deny TCP 203.126.35.77:2543 64.218.90.203:80 in via tun0
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
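As an added example (not from either poster), a small shell helper that tallies ipfw "Deny TCP" lines in the format David quoted by source address for one destination port, so a rash of port 80 hits can be traced back to the hosts sending them; the log lines it runs over are constructed, and the function names are my own.

```sh
#!/bin/sh
# Tally ipfw "Deny TCP" syslog lines by source address for one destination port.
# Expected line shape (as quoted in the thread):
#   ... /kernel: ipfw: 65435 Deny TCP 203.126.35.77:2543 64.218.90.203:80 in via tun0
# Output: one "<hits> <source-ip>" line per source, busiest first.
port_probes() {
    port="${1:-80}"
    awk -v port="$port" '
        /ipfw: [0-9]+ Deny TCP / {
            # Locate the "Deny" token; source is two fields after it, destination three.
            for (i = 1; i <= NF; i++) if ($i == "Deny") break
            src = $(i + 2); dst = $(i + 3)
            # Keep only lines whose destination port matches; skip malformed ones.
            if (split(dst, d, ":") != 2 || d[2] != port) next
            split(src, s, ":")
            hits[s[1]]++
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -rn
}

# Constructed sample log: addresses from the thread plus RFC 5737 documentation space.
SAMPLE_LOG='Jul 20 20:05:11 gw /kernel: ipfw: 65435 Deny TCP 203.126.35.77:2543 64.218.90.203:80 in via tun0
Jul 20 20:05:14 gw /kernel: ipfw: 65435 Deny TCP 203.126.35.77:2544 64.218.90.203:80 in via tun0
Jul 20 20:05:20 gw /kernel: ipfw: 65435 Deny TCP 203.126.35.77:2545 64.218.90.203:80 in via tun0
Jul 20 20:06:02 gw /kernel: ipfw: 65435 Deny TCP 192.0.2.10:4000 64.218.90.203:80 in via tun0
Jul 20 20:06:05 gw /kernel: ipfw: 65435 Deny TCP 192.0.2.10:4001 64.218.90.203:22 in via tun0
Jul 20 20:06:09 gw /kernel: ipfw: 65435 Deny UDP 192.0.2.11:53 64.218.90.203:53 in via tun0
Jul 20 20:06:30 gw sshd[123]: Accepted publickey for admin from 192.0.2.20 port 5000'

# Per-source tally of port 80 hits in the sample (UDP, port 22 and sshd lines are ignored).
count_port80() {
    printf '%s\n' "$SAMPLE_LOG" | port_probes 80
}
```

Against a real box, run `port_probes 80 < /var/log/security`, the file ipfw log lines land in under FreeBSD's default syslog.conf.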