I just have a simple little perl script that turns all of my log files into webpages every 10 minutes. Then every now and then I just https to my website and look at them. Nothing too fancy, and I don't have an IDS running, which I probably should.

I could look at it, not right now, but tonight. What is the IP?

A couple of things I would suggest without ever seeing the system is FIREWALL, FIREWALL, FIREWALL!!! I hope that you have Netfilter running on there (I assume it is Linux). If not, the first thing we need to do is get that configured. There should be no reason to be able to access your DNS from the internet. Only systems on your internal network should have that access, so you want to block port 53 from the external interface. There are several exploits for DNS. Sendmail also has a lot of vulnerabilities.

Dusty

---------------------------------------------------

>
> hey Dusty, what do you use to watch your systems? I have a dns and a
> web/mail server and am not real sure how to watch them. Could you maybe try
> and access them from where you are and let me know of any vulnerabilities?
>
> Jon
>
> -----Original Message-----
> From: Dusty [mailto:dusty@sandust.com]
> Sent: Friday, July 27, 2001 11:01 AM
> To: Linux & Unix Advocates & Users
> Subject: [luau] more attacks
>
>
> Well, someone tried another MS exploit on the OpenBSD again last night. This
> time it was the Win2K NULL.printer exploit. Log looks like this:
>
> 66.24.106.119 - - [26/Jul/2001:05:18:59 -1000] "GET /NULL.printer HTTP/1.0" 400 324
>
> I also have been getting several attempts to connect to port 111 (rpc) and 53
> (dns). They are both blocked from the outside so no problem. Stuff like
> this:
>
> Jul 27 02:46:09 manapua ipmon[3873]: 02:46:08.451611 le0 @0:12 b 211.184.139.130,2117 -> my.external.ip.address,111 PR tcp len 20 60 -S IN
> Jul 27 00:43:18 manapua ipmon[3873]: 00:43:17.326058 le0 @0:12 b 203.200.119.157,4624 -> my.external.ip.address,53 PR udp len 20 58 IN
>
> I also received a few requests for is_this_the_index.cfm. I don't know what
> this file is, but there are a lot of weblog files that have this and a few
> people asking what it is, but I haven't found out yet. Anyone else know?
> The log entry looks like this:
>
> 216.38.169.247 - - [24/Jul/2001:11:41:50 -1000] "GET /is_this_the_index.cfm HTTP/1.0" 404 287
>
> and it is always preceded by this
>
> 216.38.169.247 - - [24/Jul/2001:11:41:50 -1000] "GET /is_this_the_index.cfm HTTP/1.0" 404 287
>
> I hope everyone on this list is running a firewall of some sort. If you
> don't think you need it check out this
> http://project.honeynet.org/papers/stats/ they set up a few anonymous
> systems on the internet and just monitored them to see if they got attacked.
> The results are scary.
>
>
> Dusty
>
> ---
> You are currently subscribed to luau as: proteon@gci.net
> To unsubscribe send a blank email to $subst('Email.Unsub')
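To make the "watch the logs" part of the thread concrete, here is an added example in Python (written for this page; it is not Dusty's perl script and not code from the original thread). It parses the two log formats quoted above, the ipmon block/pass lines and the Apache access-log lines, and flags exactly the probes the thread discusses: hits from outside on ports 53 and 111, and the NULL.printer and is_this_the_index.cfm requests. The internal address ranges, the port list, and the two extra sample lines marked as constructed (a pass rule accidentally letting an outside host reach 53, and a legitimate internal DNS query) are assumptions made for the example; the other sample lines are reassembled from the ones quoted in the thread.

```python
"""Triage ipmon (IP Filter) and Apache access logs for the probes discussed
in the thread.  Example code added for this page, not the list poster's
perl script."""
import re
from ipaddress import ip_address, ip_network

# Ports that should never be reachable on the external interface
# (DNS and the RPC portmapper, as the thread says).  Assumed policy.
EXTERNAL_BLOCKED_PORTS = {53: "dns", 111: "rpc/portmap"}

# Request paths known from the thread.  The .cfm one is unidentified there;
# we only flag it, we don't claim what it is.
WEB_PROBES = {
    "/NULL.printer": "Win2K IIS .printer probe",
    "/is_this_the_index.cfm": "is_this_the_index.cfm request",
}

# Internal networks allowed to reach 53/111.  Assumed for this example.
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# ipmon line: "... ipmon[pid]: time iface @rule b|p src,sport -> dst,dport PR proto ..."
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:\s+(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<rule>\S+)\s+"
    r"(?P<action>[bp])\s+(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^,\s]+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)"
)

# Apache common log format, as in the thread's web log lines.
APACHE_RE = re.compile(
    r'^(?P<src>[\d.]+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Sample input.  Lines 1, 2, 5 and 6 are reassembled from the thread; the
# lines marked "constructed" are made up to exercise the other branches.
SAMPLE_LOG = [
    "Jul 27 02:46:09 manapua ipmon[3873]: 02:46:08.451611 le0 @0:12 b 211.184.139.130,2117 -> my.external.ip.address,111 PR tcp len 20 60 -S IN",
    "Jul 27 00:43:18 manapua ipmon[3873]: 00:43:17.326058 le0 @0:12 b 203.200.119.157,4624 -> my.external.ip.address,53 PR udp len 20 58 IN",
    # constructed: an outside host reaching DNS through a pass rule (a hole)
    "Jul 27 03:10:01 manapua ipmon[3873]: 03:10:00.123456 le0 @0:5 p 198.51.100.7,5353 -> my.external.ip.address,53 PR udp len 20 58 IN",
    # constructed: legitimate internal DNS query, must not be flagged
    "Jul 27 03:11:01 manapua ipmon[3873]: 03:11:00.000001 le1 @0:3 p 192.168.1.20,1025 -> 192.168.1.1,53 PR udp len 20 58 IN",
    '66.24.106.119 - - [26/Jul/2001:05:18:59 -1000] "GET /NULL.printer HTTP/1.0" 400 324',
    '216.38.169.247 - - [24/Jul/2001:11:41:50 -1000] "GET /is_this_the_index.cfm HTTP/1.0" 404 287',
    # constructed: ordinary page hit, must not be flagged
    '192.168.1.5 - - [24/Jul/2001:12:00:00 -1000] "GET /index.html HTTP/1.0" 200 1024',
]


def parse_ipmon(line):
    """Return a dict for an ipmon line, or None if the line is something else."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    return d


def parse_apache(line):
    """Return a dict for an Apache common-log line, or None."""
    m = APACHE_RE.match(line)
    return m.groupdict() if m else None


def is_internal(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def triage(lines):
    """Return (source_ip, description, verdict) for every suspicious line.

    A firewall hit on 53/111 from a non-internal source is reported whether
    it was blocked or passed; a pass is the case you really want to see,
    because it means the rule set has a hole."""
    findings = []
    for line in lines:
        fw = parse_ipmon(line)
        if fw:
            if fw["dport"] in EXTERNAL_BLOCKED_PORTS and not is_internal(fw["src"]):
                verdict = "blocked" if fw["action"] == "b" else "PASSED (firewall hole!)"
                what = f"{EXTERNAL_BLOCKED_PORTS[fw['dport']]} probe on {fw['iface']}"
                findings.append((fw["src"], what, verdict))
            continue
        web = parse_apache(line)
        if web and web["path"] in WEB_PROBES:
            findings.append((web["src"], WEB_PROBES[web["path"]], f"HTTP {web['status']}"))
    return findings


def count_by_source(findings):
    """Hits per source IP, the first thing to look at before whois/abuse mail."""
    counts = {}
    for src, _, _ in findings:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for src, what, verdict in triage(SAMPLE_LOG):
        print(f"{src:16} {what:28} {verdict}")
    print(count_by_source(triage(SAMPLE_LOG)))
```

Run it against real files by replacing SAMPLE_LOG with the lines of /var/log/ipflog (or wherever ipmon writes) and the Apache access log; the regexes accept the full lines, not just the fragments quoted above. The point of reporting passed hits on 53/111 separately is that Dusty's "blocked from the outside so no problem" is only true while the block rule is actually matching.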