more attacks

Jon Reynolds proteon at gci.net
Fri Jul 27 19:34:53 PDT 2001


ok Dusty, I'm a bit leery about posting my ip here on the list, is it ok to
do so? and this is what I do have: both servers are FreeBSD4.3 that sit
behind a linksys router/switch that does NAT. and unfortunately that is
about the extent of my protection, as for sendmail, I am thinking of
switching to qmail this weekend to try and shore up that gaping hole, I
subscribed to the qmail mailing list, but that has degenerated into a flame
war over linux and windows, uff. I am open to any suggestions you or the
list have. I would be interested in your script if you share your work. I
also have shut down the telnet and ftp ports. My biggest concern is I am not
able to tell if my servers have already been compromised and if so how to
reverse it.

Jon

-----Original Message-----
From: Dusty [mailto:dusty at sandust.com]
Sent: Friday, July 27, 2001 11:46 AM
To: Linux & Unix Advocates & Users
Subject: [luau] RE: more attacks


I just have a simple little perl script that turns all of my log files into
webpages every 10 minutes.  Then every now and then I just https to my
website and look at them.  Nothing too fancy and I don't have an IDS
running, which I probably should.

I could look at it, not right now, but tonight.  What is the IP?  A couple
things I would suggest without ever seeing the system is FIREWALL, FIREWALL,
FIREWALL!!!  I hope that you have Netfilter running on there (I assume it is
Linux).  If not, first thing we need to get that configured.  There should be
no reason to be able to access your DNS from the internet.  Only systems on
your internal network should have that access, so you want to block port 53
from the external interface.  There are several exploits for DNS.  Sendmail
also has a lot of vulnerabilities.


Dusty

---------------------------------------------------
>
> hey Dusty, what do you use to watch your systems? I have a dns and a
> web/mail server and am not real sure how to watch them. Could you maybe
> try and access them from where you are and let me know of any vulnerabilities?
>
> Jon
>
> -----Original Message-----
> From: Dusty [mailto:dusty at sandust.com]
> Sent: Friday, July 27, 2001 11:01 AM
> To: Linux & Unix Advocates & Users
> Subject: [luau] more attacks
>
>
> Well someone tried another MS exploit on the OpenBSD again last night.
> This time it was the Win2K NULL.printer exploit.  Log looks like this:
>
> 66.24.106.119 - - [26/Jul/2001:05:18:59 -1000] "GET /NULL.printer HTTP/1.0" 400 324
>
> I also have been getting several attempts to connect to port 111 (rpc) and
> 53 (dns).  They are both blocked from the outside so no problem.  Stuff like
> this:
>
> Jul 27 02:46:09 manapua ipmon[3873]: 02:46:08.451611 le0 @0:12 b
> 211.184.139.130,2117 -> my.external.ip.address,111 PR tcp len 20 60 -S IN
> Jul 27 00:43:18 manapua ipmon[3873]: 00:43:17.326058 le0 @0:12 b
> 203.200.119.157,4624 -> my.external.ip.address,53 PR udp len 20 58 IN
>
> I also received a few requests for is_this_the_index.cfm.  I don't know
> what this file is, but there are a lot of weblog files that have this and a few
> people asking what it is, but I haven't found out yet.  Anyone else know?
> The log entry looks like this:
>
> 216.38.169.247 - - [24/Jul/2001:11:41:50 -1000] "GET /is_this_the_index.cfm HTTP/1.0" 404 287
>
> and it is always preceded by this
>
> 216.38.169.247 - - [24/Jul/2001:11:41:50 -1000] "GET /is_this_the_index.cfm HTTP/1.0" 404 287
>
> I hope everyone on this list is running a firewall of some sort.  If you
> don't think you need it check out this
> http://project.honeynet.org/papers/stats/ they set up a few anonymous
> systems on the internet and just monitored them to see if they got
> attacked.  The results are scary.
>
>
> Dusty
>
> ---
> You are currently subscribed to luau as: proteon at gci.net
> To unsubscribe send a blank email to $subst('Email.Unsub')
>
>

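A small Python version of the log watching Dusty describes, added here as an example and not taken from the thread (Dusty's own tool was a Perl script). It parses the Apache access-log and ipmon lines quoted above, embedded below as constructed sample input with the placeholders exactly as posted, and flags the probe requests plus any inbound hits on ports 53 and 111, reporting whether the filter blocked them.

```python
import re
from collections import Counter

# Constructed sample: the log lines quoted in the thread plus one normal request.
SAMPLE_LOG = """\
66.24.106.119 - - [26/Jul/2001:05:18:59 -1000] "GET /NULL.printer HTTP/1.0" 400 324
216.38.169.247 - - [24/Jul/2001:11:41:50 -1000] "GET /is_this_the_index.cfm HTTP/1.0" 404 287
10.0.0.7 - - [24/Jul/2001:12:00:00 -1000] "GET /index.html HTTP/1.0" 200 1043
Jul 27 02:46:09 manapua ipmon[3873]: 02:46:08.451611 le0 @0:12 b 211.184.139.130,2117 -> my.external.ip.address,111 PR tcp len 20 60 -S IN
Jul 27 00:43:18 manapua ipmon[3873]: 00:43:17.326058 le0 @0:12 b 203.200.119.157,4624 -> my.external.ip.address,53 PR udp len 20 58 IN
"""

# Request paths the thread identifies as scanner probes, not real traffic.
PROBE_PATHS = {"/NULL.printer": "Win2K .printer probe",
               "/is_this_the_index.cfm": "is_this_the_index.cfm probe"}
# Services that should not be reachable from the outside at all.
SENSITIVE_PORTS = {53: "dns", 111: "rpc"}

# Apache common log: client ident user [time] "method path proto" status size
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# ipmon: ... <iface> @rule <b|p> src,sport -> dst,dport PR <proto> ...
IPMON_RE = re.compile(r'ipmon\[\d+\]: \S+ (\S+) @\S+ (\w) (\S+),(\d+) -> (\S+),(\d+) PR (\w+)')

def scan(text):
    """Return (source_ip, description) findings for every suspicious line."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            src, _ts, method, path, status = m.groups()
            if path in PROBE_PATHS:
                findings.append((src, f"{PROBE_PATHS[path]} ({method} {path} -> {status})"))
            continue
        m = IPMON_RE.search(line)
        if m:
            iface, action, src, _sport, _dst, dport, proto = m.groups()
            dport = int(dport)
            if dport in SENSITIVE_PORTS:
                # ipmon logs 'b' for a blocked packet and 'p' for a passed one;
                # a passed hit on these ports means the filter rules need fixing.
                verdict = "blocked" if action == "b" else "PASSED"
                findings.append((src, f"{verdict} inbound {proto}/{dport} "
                                      f"({SENSITIVE_PORTS[dport]}) on {iface}"))
    return findings

def top_sources(findings):
    """Count findings per source address, most active first."""
    return Counter(src for src, _ in findings).most_common()

if __name__ == "__main__":
    for src, desc in scan(SAMPLE_LOG):
        print(f"{src:16} {desc}")
```

Feed it the real files with `scan(open(path).read())`; the normal 200 request in the sample produces no finding, which is the point of the filter.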


