Re: Trying NT Hacks

2001-12-30 Thread Greg Black

"Chad R. Larson" wrote:

| This is a place where we UNIX users might be able to do the rest of
| the world a service.

Maybe, but THIS place is FreeBSD-stable and this is NOT the
place to continue this thread.  Take it where it belongs,
please.

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-stable" in the body of the message



Re: Trying NT Hacks

2001-12-27 Thread Greg Black

This thread has nothing to do with stable -- take it to chat, or
just drop it.




Re: Trying NT Hacks

2001-12-27 Thread jacks

I put up a brand new server with a brand new IP and the attacks were
immediate, so I figured they are just running loose in swarms...

At 07:02 PM 12.27.2001 -0800, Peter Ong wrote:
>Really...  I just wonder how they figure out the IPs, other than randomly
>guessing.  Someone did mention that, and I guess there really aren't that
>many IP addresses that a computer could randomly generate in a short amount
>of time without covering the whole spectrum.
>
>Peter
>- Original Message -
>From: "Julien B." <[EMAIL PROTECTED]>
>To: "Peter Ong" <[EMAIL PROTECTED]>
>Cc: <[EMAIL PROTECTED]>
>Sent: Thursday, December 27, 2001 6:57 PM
>Subject: Re: Trying NT Hacks
>
>
>> On Thu, Dec 27, 2001 at 06:39:58PM -0800, Peter Ong wrote:
>> > I don't know what it is with some people.  I post my site here today because
>> > I was wondering about why the initial page was gibberish, and then I get
>> > crackers.  I finally get home, and I'm reviewing my log files, and I'm
>> > seeing some folks trying to use IIS/NT exploits on my FreeBSD machine.  It's
>> > infuriating.
>> >
>>
>> My logs are full of these too, and getting bigger and bigger every day.  Most of
>> these "attacks" come from some Windows worms. I'm totally amazed though, as
>> I get one such connection every 10 minutes, and my web server is not even
>> public.
>>
>> Regards
>>
>> Julien B

Best regards,
Jack L. Stone,
Server Admin

Sage-American
http://www.sage-american.com
[EMAIL PROTECTED]




Re: Trying NT Hacks

2001-12-27 Thread Sam Drinkard

One thing that works for me is the portsentry.  It's pretty simple, but
blocks portscans on a large number of ports, can be configured for tcp
or udp, etc.  I have noticed an increase in port 111 and 119 attempts
since I started posting here... mostly random people, and I do frequent
lookups.  If I start getting lots of trash going to the webserver, I
just use the firewall rules and block the whole shebang!  Works for
me...

Sam




Re: Trying NT Hacks

2001-12-27 Thread Kutulu

From: "Peter Ong" <[EMAIL PROTECTED]>
Sent: Thursday, December 27, 2001 7:02 PM
Subject: Re: Trying NT Hacks


> Really...  I just wonder how they figure out the IPs, other than randomly
> guessing.  Someone did mention that, and I guess there really aren't that
> many IP addresses that a computer could randomly generate in a short amount
> of time without covering the whole spectrum.

They are scanning.  Nimda doesn't just guess IPs, it tries every single IP
in the entire subnet.  That is, if your IP address is 192.168.45.23 and you
are infected, your machine will loop through trying to connect (and infect)
every IP address from 192.168.0.1 to 192.168.255.254. This can be quite
time-consuming (especially if many of those IPs are not online, or dropping
packets aimed at port 80 without sending a RST).  But the worm isn't really
concerned about the efficiency of the machine it infected, or the bandwidth
it's wasting, so it turns out to be quite an effective way to spread.

--K
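
Added example, not part of any post in this thread: one way to tally the IIS-targeted requests in a web server access log and see how many come from the server's own /16, the range the message above describes the worm sweeping. The probe patterns, the Common Log Format assumption, the function name and the sample log lines are constructed for illustration; the server address is the one used in the message.

```python
import ipaddress
import re
from collections import Counter

# Request-path substrings typical of IIS-targeted worm probes (Nimda, Code Red).
# Assumed list for illustration; extend it from what your own logs show.
IIS_PROBE = re.compile(r"cmd\.exe|root\.exe|default\.ida", re.IGNORECASE)

# Common Log Format: client address first, then the quoted request line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:\S+) (\S+)[^"]*"')

# Constructed sample input, not taken from any real log.
SAMPLE_LOG = [
    '192.168.12.7 - - [27/Dec/2001:18:40:01 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.168.12.7 - - [27/Dec/2001:18:40:02 -0800] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '192.168.200.3 - - [27/Dec/2001:18:51:10 -0800] "GET /default.ida?XXXX HTTP/1.0" 404 271',
    '203.0.113.9 - - [27/Dec/2001:19:02:44 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '192.168.12.7 - - [27/Dec/2001:19:05:00 -0800] "GET /index.html HTTP/1.0" 200 1043',
    'truncated or malformed line',
]

def tally_probes(lines, server_ip):
    """Count IIS probe requests per source, split into same-/16 and elsewhere."""
    local_net = ipaddress.ip_network(f"{server_ip}/16", strict=False)
    local, remote = Counter(), Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not IIS_PROBE.search(m.group(2)):
            continue  # unparseable line or an ordinary request
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # a hostname was logged instead of an address
        (local if src in local_net else remote)[str(src)] += 1
    return local, remote

if __name__ == "__main__":
    local, remote = tally_probes(SAMPLE_LOG, "192.168.45.23")
    print("same /16 :", dict(local))
    print("elsewhere:", dict(remote))
```

Sources that show up in the same-/16 bucket are neighbours worth reporting to the network's administrator; the per-address counts can also feed the firewall block list mentioned earlier in the thread.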