On the subject of Crackers. Note this IP block owned by ATT: 12.234.0.0/24. I've been getting hit heavily from there by a number of compromised M$ boxes. I've alerted ATT but so far no answer (it is Sunday though). So for the moment I'm blocking the entire IP block. It's coming from NJ. See the logs snippet below.

12.234.131.80 - - [28/Jul/2002:18:16:39 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
12.234.131.80 - - [28/Jul/2002:18:16:45 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283
12.234.131.80 - - [28/Jul/2002:18:16:51 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
12.234.131.80 - - [28/Jul/2002:18:39:10 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285
12.234.131.80 - - [28/Jul/2002:18:39:17 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 283
12.234.131.80 - - [28/Jul/2002:18:39:24 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
12.234.131.80 - - [28/Jul/2002:18:39:31 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
12.234.131.80 - - [28/Jul/2002:18:39:36 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307

Seems that once I blocked one site ... a new one would come along within minutes. I'm now blocking via my firewalls as well as IPTables on the webservers. Crude but effective.

James

On Sun, 28 Jul 2002 21:06:25 -0400 Jason Bowman <[EMAIL PROTECTED]> wrote:

> On Monday 29 July 2002 02:10 am, James Sparenberg wrote:
> > David
> >
> > If you find Tripwire a bit much to install you might look
> > at Snort (from freshmeat) it's a little less of a hassle to
> > install and is on par with the free version of TripWire.
> >
> > James
> >
>
> Maybe you meant something like AIDE? Snort is a NIDS (Network
> Intrusion Detection System)... tripwire and AIDE are file
> integrity checkers. See http://freshmeat.net/projects/aide/
>
> - Jason B.
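
Added example, not part of the original post: a short log triage script that flags requests like the ones in the snippet above and tallies them per source address and per enclosing network, which is the information needed when deciding between blocking one host and blocking a range. It assumes Common Log Format; the function names are this example's own, and the 192.0.2.10 line is constructed.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+')
SHELL = re.compile(r'[/\\](?:cmd|root)\.exe$', re.I)  # command interpreter as target
TRAVERSAL = re.compile(r'\.\.[/\\]')                   # ../ or ..\ after decoding

def decode_fully(path, rounds=3):
    """Percent-decode repeatedly, so %255c -> %5c -> backslash."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(target):
    """Return the reasons a request target looks like a probe (empty if none)."""
    path = decode_fully(target.split("?", 1)[0])
    return [n for n, rx in (("shell", SHELL), ("traversal", TRAVERSAL)) if rx.search(path)]

def summarize(lines, prefix=24):
    """Count probe requests per source address and per enclosing network."""
    hosts, nets = Counter(), Counter()
    for line in lines:
        m = CLF.match(line)
        if not m or not classify(m.group(2)):
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # logged as a hostname, not an address
            continue
        hosts[str(ip)] += 1
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return hosts, nets

SAMPLE = [  # first three lines are from the post; the last one is constructed
    '12.234.131.80 - - [28/Jul/2002:18:16:39 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 285',
    '12.234.131.80 - - [28/Jul/2002:18:39:31 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293',
    '12.234.131.80 - - [28/Jul/2002:18:39:36 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307',
    '192.0.2.10 - - [28/Jul/2002:18:40:02 -0700] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```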