Well, someone tried another MS exploit on the OpenBSD again last night. This time it was the Win2K NULL.printer exploit. Log looks like this:

66.24.106.119 - - [26/Jul/2001:05:18:59 -1000] "GET /NULL.printer HTTP/1.0" 400 324

I also have been getting several attempts to connect to port 111 (rpc) and 53 (dns). They are both blocked from the outside so no problem. Stuff like this:

Jul 27 02:46:09 manapua ipmon[3873]: 02:46:08.451611 le0 @0:12 b 211.184.139.130,2117 -> my.external.ip.address,111 PR tcp len 20 60 -S IN
Jul 27 00:43:18 manapua ipmon[3873]: 00:43:17.326058 le0 @0:12 b 203.200.119.157,4624 -> my.external.ip.address,53 PR udp len 20 58 IN

I also received a few requests for is_this_the_index.cfm. I don't know what this file is, but there are a lot of weblog files that have this and a few people asking what it is, but I haven't found out yet. Anyone else know? The log entry looks like this:

216.38.169.247 - - [24/Jul/2001:11:41:50 -1000] "GET /is_this_the_index.cfm HTTP/1.0" 404 287

and it is always preceded by this

216.38.169.247 - - [24/Jul/2001:11:41:50 -1000] "GET /is_this_the_index.cfm HTTP/1.0" 404 287

I hope everyone on this list is running a firewall of some sort. If you don't think you need it, check out this: http://project.honeynet.org/papers/stats/ They set up a few anonymous systems on the internet and just monitored them to see if they got attacked. The results are scary.

Dusty
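
Added example, not part of the original post: a small triage script that parses the two log formats quoted above (Apache common log and ipmon) and tallies probe requests and blocked connection attempts per source. The watch list of paths, the function name `triage` and the last sample line are assumptions made for illustration; the other sample lines are copied from the post.

```python
import re
from collections import Counter

# Apache common log format, as in the post's web-server entries.
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
# ipmon entry: "... iface @group:rule action src,sport -> dst,dport PR proto ..."
IPMON_RE = re.compile(
    r'ipmon\[\d+\]: \S+ (?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>\S+) '
    r'(?P<src>[^,\s]+),(?P<sport>\d+) -> (?P<dst>[^,\s]+),(?P<dport>\d+) '
    r'PR (?P<proto>\S+)'
)
# Assumption: the watch list holds only the two paths named in the post.
PROBE_PATHS = {"/NULL.printer", "/is_this_the_index.cfm"}

def triage(lines):
    """Return (web, blocked): Counters keyed by (src, path) and (src, proto, dport)."""
    web, blocked = Counter(), Counter()
    for line in lines:
        line = line.strip()
        m = ACCESS_RE.match(line)
        if m:
            # Ignore any query string when comparing against the watch list.
            if m["path"].split("?", 1)[0] in PROBE_PATHS:
                web[(m["src"], m["path"])] += 1
            continue
        m = IPMON_RE.search(line)
        if m and m["action"] == "b":  # "b" is ipmon's flag for a blocked packet
            blocked[(m["src"], m["proto"], int(m["dport"]))] += 1
    return web, blocked

SAMPLE = [
    '66.24.106.119 - - [26/Jul/2001:05:18:59 -1000] "GET /NULL.printer HTTP/1.0" 400 324',
    'Jul 27 02:46:09 manapua ipmon[3873]: 02:46:08.451611 le0 @0:12 b '
    '211.184.139.130,2117 -> my.external.ip.address,111 PR tcp len 20 60 -S IN',
    'Jul 27 00:43:18 manapua ipmon[3873]: 00:43:17.326058 le0 @0:12 b '
    '203.200.119.157,4624 -> my.external.ip.address,53 PR udp len 20 58 IN',
    '216.38.169.247 - - [24/Jul/2001:11:41:50 -1000] "GET /is_this_the_index.cfm HTTP/1.0" 404 287',
    # Constructed line: an ordinary request that must not be counted.
    '192.0.2.10 - - [24/Jul/2001:11:42:00 -1000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    web, blocked = triage(SAMPLE)
    for (src, path), n in web.items():
        print(f"web probe  {src:<16} {path} x{n}")
    for (src, proto, dport), n in blocked.items():
        print(f"blocked    {src:<16} {proto}/{dport} x{n}")
```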