From owner-freebsd-stable Sun Dec 30 22:15:17 2001 Delivered-To: freebsd-stable@freebsd.org Received: from freeway.dcfinc.com (cx74889-a.phnx3.az.home.com [24.1.193.157]) by hub.freebsd.org (Postfix) with ESMTP id DA70537B42B for ; Sun, 30 Dec 2001 22:15:14 -0800 (PST) Received: (from chad@localhost) by freeway.dcfinc.com (8.8.8/8.8.8) id XAA27316; Sun, 30 Dec 2001 23:15:03 -0700 (MST) (envelope-from chad) Date: Sun, 30 Dec 2001 23:15:03 -0700 From: "Chad R. Larson" To: Ulf Zimmermann Cc: Peter Ong , "Julien B." , freebsd-stable@FreeBSD.ORG Subject: Re: Trying NT Hacks Message-ID: <20011230231503.C27209@freeway.dcfinc.com> References: <013a01c18f48$f156cf20$0101a8c0@haloflightleader.net> <20011228035757.A99350@harimandir> <018901c18f4c$22402480$0101a8c0@haloflightleader.net> <20011227191144.X90222@seven.alameda.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20011227191144.X90222@seven.alameda.net>; from ulf@Alameda.net on Thu, Dec 27, 2001 at 07:11:44PM -0800 Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Thu, Dec 27, 2001 at 07:11:44PM -0800, Ulf Zimmermann wrote: > Nimda for example is scanning anything from the infected hosts > /16 address space. For example your machine is in the > 64.81.0.0/16 address block (Speakeasy DSL), then that infected > machine would scan all those ips for more unsecured IIS to > spread more. Since I've got no accursed Microsoft products anywhere near my publicly visable systems, a simple grep for "default" in the httpd access logs will do it. -crl -- Chad R. Larson (CRL15) 602-953-1392 Brother, can you paradigm? chad@dcfinc.com chad@larsons.org larson1@home.com DCF, Inc. - 14623 North 49th Place, Scottsdale, Arizona 85254-2207 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message