Security Incidents mailing list archives
Scanners using netcraft?
From: symetrix () EARTHLINK NET (Michael Damm)
Date: Wed, 5 Jan 2000 00:22:11 -0800
Hello.

I helped a good friend do some basic security on this small business webserver a while back. Tonight I received a message from him stating that something was up and he didn't quite understand it. His eth0 device was put into promisc, as I told him, an obvious sign the box was owned somehow. The only things I was able to dig out of the logs were:

httpd log:
195.188.192.12 - - [03/Jan/2000:00:05:46 -0800] "HEAD / HTTP/1.1" 200 0
(resolves to zanussi.netcraft.com)

then syslog:
Jan 4 15:58:54 [boxname] kernel: eth0: Setting promiscuous mode.
Jan 4 15:58:54 [boxname] kernel: device eth0 entered promiscuous mode
Jan 4 15:58:55 [boxname] kernel: eth0: Setting promiscuous mode.
Jan 4 15:58:55 [boxname] kernel: device eth0 left promiscuous mode
(All clock times approx. 20 min off from Pacific time)

A quick run over to my favorite 0day site gave me only a local exploit for his OS (Mandrake 6). All daemons that were running were the latest version, and those were minimal, taking my security advice. I can't get an exact list or any further data right now; it appears he 'eth0 down'ed the box.

My questions for the list:
1. Is netcraft.com being used in some mass scan for a httpd related or other remote overflow?
2. Is Mandrake 6 obviously vulnerable to something I'm not aware of?

Thanks,
Mike

Security and stuff. Hire me.
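The syslog lines quoted in the message above, run through a small detector that pairs the kernel's "entered" and "left promiscuous mode" messages per interface and reports how long each window lasted. This is an added example, not part of the original post; the function name `promisc_windows`, the `year` default (syslog omits the year) and the final eth1 sample line are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# First four lines are the syslog excerpt quoted in the post ("[boxname]" is the
# poster's redaction). The last line is constructed to show a window left open.
SAMPLE = """\
Jan 4 15:58:54 [boxname] kernel: eth0: Setting promiscuous mode.
Jan 4 15:58:54 [boxname] kernel: device eth0 entered promiscuous mode
Jan 4 15:58:55 [boxname] kernel: eth0: Setting promiscuous mode.
Jan 4 15:58:55 [boxname] kernel: device eth0 left promiscuous mode
Jan 4 16:02:10 [boxname] kernel: device eth1 entered promiscuous mode
"""

# Only the "device <if> entered/left" messages are treated as state transitions;
# the driver's "Setting promiscuous mode." line appears on both sides and is skipped.
EVENT = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+device\s+(\S+)\s+"
    r"(entered|left) promiscuous mode"
)

def promisc_windows(log_text, year=2000):
    """Return (iface, start, end, seconds) per promiscuous-mode window.
    end and seconds are None when no matching 'left' message was logged."""
    open_at, windows = {}, []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        stamp, iface, action = m.groups()
        # Normalise padding ("Jan  4" vs "Jan 4") and supply the missing year.
        when = datetime.strptime(f"{year} {' '.join(stamp.split())}",
                                 "%Y %b %d %H:%M:%S")
        if action == "entered":
            open_at.setdefault(iface, when)   # keep the earliest unmatched entry
        elif iface in open_at:
            start = open_at.pop(iface)
            windows.append((iface, start, when, (when - start).total_seconds()))
    # Interfaces still in promiscuous mode at the end of the log.
    windows.extend((iface, start, None, None) for iface, start in open_at.items())
    return windows

if __name__ == "__main__":
    for iface, start, end, secs in promisc_windows(SAMPLE):
        state = f"closed after {secs:.0f}s" if end else "STILL PROMISCUOUS"
        print(f"{iface}: entered {start:%b %d %H:%M:%S}, {state}")
```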