RE: attempted exploits

2002-03-24 Thread Jesse Geddis

rotflol, I called the guy who owned this box (hit their web server got
their phone number phone menus etc) and it was hilarious. I told him
either someone is at his office screwing around or his box has been
compromised. I portscanned his box and noticed how wide open it was so
this was the assumption I followed. On top of the fact that I am not
on his broadcast domain so it's not regular Windows NETBIOS spam.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jarrod Sayers
Sent: Sunday, March 24, 2002 9:58 PM
To: '[EMAIL PROTECTED]'; FreeBSD-STABLE
Subject: RE: attempted exploits


Welcome back Nimda!  We have noticed a sharp rise in the number of attacks
starting over the weekend here.

Jarrod Sayers
Information Technology Services Unit
University of South Australia, Magill Campus.
Phone: +61 8 8302 4809
http://people.unisa.edu.au/jarrod.sayers


> -Original Message-
> From: Jesse Geddis [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 25 March 2002 4:23 PM
> To: FreeBSD-STABLE
> Subject: attempted exploits
>
>
> wow, this person is quite effective. they've been trying this since
> this morning 4mins after i got my web server up. been doing it every
> half hour for 7 hours lol. trying to execute arbitrary Windows code on
> a FreeBSD server!
>
> [Sun Mar 24 20:41:55 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..Á../winnt/system32/cmd.exe
> [Sun Mar 24 20:42:05 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..À¯../winnt/system32/cmd.exe
> [Sun Mar 24 20:42:10 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..Á../winnt/system32/cmd.exe
> [Sun Mar 24 20:42:29 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..%5c../winnt/system32/cmd.exe
> [Sun Mar 24 21:13:11 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/root.exe
> [Sun Mar 24 21:13:12 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/MSADC/root.exe
> [Sun Mar 24 21:13:13 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/c/winnt/system32/cmd.exe
> [Sun Mar 24 21:13:14 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/d/winnt/system32/cmd.exe
> [Sun Mar 24 21:13:15 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..%5c../winnt/system32/cmd.exe
> [Sun Mar 24 21:13:17 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Sun Mar 24 21:13:19 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Sun Mar 24 21:13:20 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
>
> Jesse Geddis
>
>
>
> "My fellow Americans, I've signed legislation that will outlaw Russia
> forever. We begin bombing in five minutes."
> --Ronald Reagan
>
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-stable" in the body of the message
>
>
>




RE: attempted exploits

2002-03-24 Thread Jarrod Sayers

Welcome back Nimda!  We have noticed a sharp rise in the number of attacks
starting over the weekend here.

Jarrod Sayers 
Information Technology Services Unit 
University of South Australia, Magill Campus. 
Phone: +61 8 8302 4809 
http://people.unisa.edu.au/jarrod.sayers 


> -Original Message-
> From: Jesse Geddis [mailto:[EMAIL PROTECTED]]
> Sent: Monday, 25 March 2002 4:23 PM
> To: FreeBSD-STABLE
> Subject: attempted exploits
> 
> 
> wow, this person is quite effective. they've been trying this since
> this morning 4mins after i got my web server up. been doing it every
> half hour for 7 hours lol. trying to execute arbitrary Windows code on
> a FreeBSD server!
> 
> [Sun Mar 24 20:41:55 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..Á../winnt/system32/cmd.exe
> [Sun Mar 24 20:42:05 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..À¯../winnt/system32/cmd.exe
> [Sun Mar 24 20:42:10 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..Á../winnt/system32/cmd.exe
> [Sun Mar 24 20:42:29 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..%5c../winnt/system32/cmd.exe
> [Sun Mar 24 21:13:11 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/root.exe
> [Sun Mar 24 21:13:12 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/MSADC/root.exe
> [Sun Mar 24 21:13:13 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/c/winnt/system32/cmd.exe
> [Sun Mar 24 21:13:14 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/d/winnt/system32/cmd.exe
> [Sun Mar 24 21:13:15 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..%5c../winnt/system32/cmd.exe
> [Sun Mar 24 21:13:17 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Sun Mar 24 21:13:19 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Sun Mar 24 21:13:20 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
> 
> Jesse Geddis
> 
> 
> 
> "My fellow Americans, I've signed legislation that will outlaw Russia
> forever. We begin bombing in five minutes."
> --Ronald Reagan
> 
> 



Re: attempted exploits

2002-03-24 Thread Greg 'groggy' Lehey

[Format recovered--see http://www.lemis.com/email/email-format.html]

Log output wrapped.

On Sunday, 24 March 2002 at 21:52:40 -0800, Jesse Geddis wrote:
> wow, this person is quite effective. they've been trying this since
> this morning 4mins after i got my web server up. been doing it every
> half hour for 7 hours lol. trying to execute arbitrary Windows code on
> a FreeBSD server!
>
> [Sun Mar 24 20:41:55 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..Á../winnt/system32/cmd.exe
> [Sun Mar 24 20:42:05 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..À¯../winnt/system32/cmd.exe
> [Sun Mar 24 20:42:10 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..Á../winnt/system32/cmd.exe
> [Sun Mar 24 20:42:29 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..%5c../winnt/system32/cmd.exe
> [Sun Mar 24 21:13:11 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/root.exe
> [Sun Mar 24 21:13:12 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/MSADC/root.exe
> [Sun Mar 24 21:13:13 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/c/winnt/system32/cmd.exe
> [Sun Mar 24 21:13:14 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/d/winnt/system32/cmd.exe
> [Sun Mar 24 21:13:15 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..%5c../winnt/system32/cmd.exe
> [Sun Mar 24 21:13:17 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Sun Mar 24 21:13:19 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
> [Sun Mar 24 21:13:20 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe

Nimda.  http://www.cert.org/advisories/CA-2001-26.html

Greg
--
When replying to this message, please take care not to mutilate the
original text.  
For more information, see http://www.lemis.com/email.html
See complete headers for address and phone numbers
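
The error_log entries quoted in this thread can be grouped by client and probe family to show which remote hosts are scanning; the script below is an added example, not part of any list member's message. The family names, the `min_kinds` threshold and the benign 192.0.2.10 entry are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache error_log "File does not exist" entry, in the format quoted in the thread.
LINE_RE = re.compile(r"\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
                     r"File does not exist: (?P<path>.+)$")

# Probe families seen in the quoted log (names are this example's own); first match wins.
SIGNATURES = [
    ("encoded-traversal", re.compile(r"\.\.(?:%5c|[^\x00-\x7f]+)\.\.", re.I)),
    ("root.exe-probe", re.compile(r"/(?:scripts|msadc)/root\.exe$", re.I)),
    ("cmd.exe-direct", re.compile(r"/winnt/system32/cmd\.exe$", re.I)),
]

def classify(path):
    """Return the probe family for a requested path, or None if it looks benign."""
    return next((name for name, rx in SIGNATURES if rx.search(path)), None)

def scan(lines, min_kinds=2):
    """Summarise clients whose requests hit at least min_kinds probe families."""
    seen = defaultdict(lambda: {"hits": 0, "kinds": set(), "first": None, "last": None})
    for line in lines:
        m = LINE_RE.search(line)
        kind = classify(m.group("path")) if m else None
        if kind is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        rec = seen[m.group("ip")]
        rec["hits"] += 1
        rec["kinds"].add(kind)
        rec["first"] = min(rec["first"] or ts, ts)
        rec["last"] = max(rec["last"] or ts, ts)
    return {ip: r for ip, r in seen.items() if len(r["kinds"]) >= min_kinds}

# Entries unwrapped from the thread, plus one constructed benign 404 from 192.0.2.10.
PFX = "[Sun Mar 24 %s 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/"
SAMPLE = [
    PFX % "20:42:05" + "scripts/..\u00c0\u00af../winnt/system32/cmd.exe",
    PFX % "20:42:29" + "scripts/..%5c../winnt/system32/cmd.exe",
    PFX % "21:13:11" + "scripts/root.exe",
    PFX % "21:13:12" + "MSADC/root.exe",
    PFX % "21:13:13" + "c/winnt/system32/cmd.exe",
    PFX % "21:13:17" + "_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe",
    "[Sun Mar 24 21:14:02 2002] [error] [client 192.0.2.10] File does not exist: /archive/www/cia/favicon.ico",
]

if __name__ == "__main__":
    for ip, r in scan(SAMPLE).items():
        print(ip, r["hits"], sorted(r["kinds"]), r["first"], "->", r["last"])
```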




attempted exploits

2002-03-24 Thread Jesse Geddis

wow, this person is quite effective. they've been trying this since
this morning 4mins after i got my web server up. been doing it every
half hour for 7 hours lol. trying to execute arbitrary Windows code on
a FreeBSD server!

[Sun Mar 24 20:41:55 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..Á../winnt/system32/cmd.exe
[Sun Mar 24 20:42:05 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..À¯../winnt/system32/cmd.exe
[Sun Mar 24 20:42:10 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..Á../winnt/system32/cmd.exe
[Sun Mar 24 20:42:29 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..%5c../winnt/system32/cmd.exe
[Sun Mar 24 21:13:11 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/root.exe
[Sun Mar 24 21:13:12 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/MSADC/root.exe
[Sun Mar 24 21:13:13 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/c/winnt/system32/cmd.exe
[Sun Mar 24 21:13:14 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/d/winnt/system32/cmd.exe
[Sun Mar 24 21:13:15 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/scripts/..%5c../winnt/system32/cmd.exe
[Sun Mar 24 21:13:17 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Mar 24 21:13:19 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe
[Sun Mar 24 21:13:20 2002] [error] [client 63.198.148.139] File does not exist: /archive/www/cia/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe

Jesse Geddis



"My fellow Americans, I've signed legislation that will outlaw Russia
forever. We begin bombing in five minutes."
--Ronald Reagan

