Date: Fri, 17 Aug 2001 01:34:48 -0500
From: "default - Subscriptions" <default013subscriptions@hotmail.com>
To: <freebsd-security@freebsd.org>
Subject: Silly crackers... NT is for kids...
Message-ID: <OE41KHmj9n1xxWn9R6m0000d975@hotmail.com>
Hi,

Recently hundreds of I.P. addresses have been attempting to use an NT exploit on my FreeBSD web server as if it were an NT server... Apache logs the attack like this:

ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3% u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276 "-" "-"

Here's what security tracker has to say about it:

http://securitytracker.com/alerts/2001/Jun/1001788.html

Apparently this exploits the indexing service in IIS allowing the cracker to gain SYSTEM access... Now, this does absolutely nothing to my server, as it is a FreeBSD machine which I believe is decently secure even if the attacks were exploits that worked on FreeBSD (which they do not). I have been receiving so many of these lately that I must almost assume that it is one person orchestrating the whole attack in a pathetic attempt to gain access to my machine. Really all it does is pester me by sucking up a small percentage of my bandwidth and system resources...

My question is: Is this a common attack that script kiddies are using right now? Are lots of people getting attacked in a similar manner? If so, does anyone know a place where I could get the binary and source code so that I can take a look at how it works? And what are the rest of you guys doing about this, if anything? I have notified the ISPs of the attackers' I.P. ranges (mostly AT&T@Home) but they have done nothing, and have not even replied to my complaints. I have resorted to running a cron that blocks these I.P. addresses when they first show their ugly faces...

I know that's kind of anal, but I feel that it is a good precaution because even if it really is hundreds of people, a couple of them are bound to get wise eventually and try something smarter... Anyway, it's really starting to bug me; it has been going on for a couple of weeks now, and I am nearing a total of 300 I.P. addresses as the sources... most of which are low security NT servers on a commercial network such as AT&T@Home, and RoadRunner...

Thanks,
Jordan
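The log-driven detection and blocking Jordan describes, as an added example that is not part of the original post: it matches the /default.ida probe signature shown in the log line above, counts probe sources per host over constructed sample lines, and emits firewall deny rules. ipfw is an assumption here, since the post does not name the firewall the cron drives.

```python
import re
import ipaddress
from collections import Counter

# Apache access-log line: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) ')
# The probe from the post: GET /default.ida? plus a long filler run and %uXXXX
# escapes. The post shows X as filler; other variants of the same worm used N.
IDA_PROBE_RE = re.compile(r'^GET /default\.ida\?[XN]{20,}.*%u[0-9a-fA-F]{4}', re.IGNORECASE)
# Constructed sample lines in the post's log format (filler shortened, escapes as in the post).
SAMPLE_LOG = [
    'ci9809-a.ruthfd1.tn.home.com - - [17/Aug/2001:00:53:16 -0500] "GET /default.ida?'
    'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 276 "-" "-"',
    '10.0.0.5 - - [17/Aug/2001:01:02:03 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX'
    '%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 276 "-" "-"',
    '10.0.0.5 - - [17/Aug/2001:01:02:09 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX'
    '%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 276 "-" "-"',
    '192.0.2.7 - - [17/Aug/2001:01:05:00 -0500] "GET /index.html HTTP/1.0" 200 1234 "-" "-"',
    'not a log line at all',
]

def is_ida_probe(request):
    """True if the request string carries the .ida probe signature."""
    return IDA_PROBE_RE.match(request) is not None

def probe_sources(lines):
    """Count probe requests per source host (name or IP, however Apache logged it)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ida_probe(m.group("request")):
            hits[m.group("host")] += 1
    return hits

def ipfw_deny_rules(hits, min_hits=1):
    """ipfw deny rules (assumed firewall) for sources seen at least min_hits times. Only
    literal IPs get a rule: a logged hostname (HostnameLookups on) may resolve differently later."""
    rules = []
    for host, n in sorted(hits.items()):
        if n < min_hits:
            continue
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue  # skip hostnames
        rules.append(f"ipfw add deny ip from {host} to any")
    return rules
```

Feed it the real access_log instead of SAMPLE_LOG and pipe the returned rules into the cron job; the hostname in the first sample line is deliberately skipped, which is also why logging raw addresses (HostnameLookups off) makes this kind of blocking more reliable.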