[lug] possible intrusion

D. Stimits stimits at idcomm.com
Thu Jul 19 20:37:02 MDT 2001


Taz wrote:
> 
> I just got home and checked my e-mail.  Reading this thread got my interest.  I've had 70 hits on port 80 since about 1030 this morning.  From different ip/domains.
> I haven't had any before.  Fortunately, since I don't run a web server *and* I have completely blocked the port with a firewall, no damage done.
> However, would anybody be interested in exchanging logs?  I'm curious if this is all coming from only  a few machine/domains.  If interested, please mail off the list.

I believe I had one repeat IP, and the rest were all different, mainly
from different domains as well as ip.

D. Stimits, stimits at idcomm.com

> 
> feenix at ticnet.com
> 
> Jeff
> 
> John Starkey wrote:
> 
> > I just woke up to about 100 messages about an exploit on IIS that's been hitting really hard this week. People on the WDVL list are getting hit pretty hard as well.
> >
> > Sorry. I didn't follow it since it was an IIS thing, but thought you might be interested in that bit of info.
> >
> > John
> >
> > Thus spake D. Stimits (stimits at idcomm.com):
> >
> > > Deva Samartha wrote:
> > > >
> > > > Thank you for your information - security focus search on shellcode results
> > > > in 800 matches. In the meantime, I got about 15 of the NNNN's, more popping
> > > > again and again. -
> > > >
> > > > If you know the feeling and possibly more about the exploit, could I
> > > > possibly bribe you with  ?
> > > >
> > > > <n> cans of <beverage>
> > > > <n> ::= 1,2,3..12
> > > > <beverage> ::= <beer> | <soft drink>
> > > > ...
> > > >
> > > > or would that insult you?
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug



More information about the LUG mailing list