On Thursday 20 November 2003 11:30 pm, Ben Barrett wrote:
: Anyone with an open port 80 on a static IP is likely to see loads of
: this crap.  Yep, they're looking for an exploitable 'doze box.
: I usually just ignore it... 
I've noticed them before and usually ignore it... the only real nuisance is 
that they fill up log files with useless crap...

: you can run host or dig on the IP if you're
ohh.. I'm pretty sure they are users from the same ISP. 

: curious as to the origination; you could even feed the GET into your
: webserver to see exactly what error they got; but I have yet to see any
: cool creative solutions for this.  It strikes me as a waste of resources
: to firewall the IP, since it is a silly request, but I think it would be
: interesting to hack up a tarpit for them -- like giving them something
: that looks like a command shell, to entice them -- in that case, one
: would also want to modify the system signature that they might get from
: nmap, etc... anyone else got some good notions on this?

hmmm... interesting.. I like this idea... might be fun :) it got me thinking 
of what to send them... I was thinking a file full of 1's in a 
self-extracting exe would be fun. If their program executes this file to test it, 
what might happen if it extracts a file of ohh say a few terabytes of 1's? 
how small will a compressed file of 1's be?

I suppose I could be really malicious and send them a trojan... 

or possibly there's something even more horrific that others might suggest?

: Of note is that you might see multiple requests from the same IP, or
: from another in the same block.  This tells you something about the
: nature of the attacker, but not a whole lot.  Most I've seen come from
: overseas or dialups...  g'nitey!
:
:    Ben
:
:
: On Thu, 20 Nov 2003 23:23:27 -0500
:
: Linux Rocks ! <[EMAIL PROTECTED]> wrote:
: | so... I've noticed this before in my webserver logs...
: | 68.50.124.251 - - [20/Nov/2003:23:07:12 -0500] "GET
: | /scripts/..%%35c../winnt/ system32/cmd.exe?/c+dir HTTP/1.0" 400 292
: |
: | so... looks like someone is scanning for a winnt based server they can
: | exploit to me.. anyway, obviously it's not an actual problem, but I
: | figured maybe some of you have had similar issues, and come up with
: | creative solutions... like with ip tables or something :)
: |
: | Jamie
:
: _______________________________________________
: EuG-LUG mailing list
: [EMAIL PROTECTED]
: http://mailman.efn.org/cgi-bin/listinfo/eug-lug

-- 
DOS: n., A small annoying boot virus that causes random spontaneous system
     crashes, usually just before saving a massive project.  Easily cured by
     UNIX.  See also MS-DOS, IBM-DOS, DR-DOS.
        -- David Vicker's .plan
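
One way to pick these probes out of the log noise discussed in the thread, as an added example (not code from any poster): it percent-decodes each request until the text stops changing, so the `..%%35c..` form in the quoted log line resolves to `..\..`, then counts flagged requests per source address. The sample lines, the addresses and all function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+')
# Request line; the target may contain stray spaces, so anchor on the protocol.
REQ = re.compile(r'^\S+ (.*?)(?: HTTP/\d\.\d)?$')

# Constructed sample lines modelled on the request quoted in the thread.
# Addresses come from the documentation ranges, not from real hosts.
SAMPLE = [
    '192.0.2.10 - - [20/Nov/2003:23:07:12 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 292',
    '192.0.2.10 - - [20/Nov/2003:23:07:13 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 280',
    '198.51.100.7 - - [20/Nov/2003:23:09:40 -0500] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [20/Nov/2003:23:09:41 -0500] "GET /docs/a%20b.html HTTP/1.1" 200 512',
]

def fully_decode(target, max_rounds=5):
    """Percent-decode until the text stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def classify(line):
    """Return (ip, reasons) for a probe-like request, else None."""
    m = CLF.match(line)
    req = REQ.match(m.group(2)) if m else None
    if not req:
        return None
    decoded, rounds = fully_decode(req.group(1))
    norm = decoded.replace("\\", "/").lower()
    reasons = []
    if rounds > 1:  # more than one pass means the path was encoded twice
        reasons.append("multi-encoded")
    if ".." in norm.split("?")[0].split("/"):
        reasons.append("traversal")
    if "cmd.exe" in norm:
        reasons.append("windows-shell")
    return (m.group(1), reasons) if reasons else None

def summarize(lines):
    """Count flagged requests per source address."""
    return dict(Counter(r[0] for r in map(classify, lines) if r))

if __name__ == "__main__":
    for ip, count in summarize(SAMPLE).items():
        print(ip, count)
```

The per-address counts can feed whatever the site already uses for filtering or log rotation, which keeps the decision about blocking separate from the detection.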
