Security Incidents mailing list archives
Re: Scanners using netcraft?
From: cholet () LOGILUNE COM (Eric Cholet)
Date: Wed, 5 Jan 2000 18:46:45 +0100
Hi, netcraft.com routinely scans web sites and publishes their survey of http server software. See http://www.netcraft.com/. They also scan port 443 (https) for the same reasons, and I've seen them try to do DNS zone transfers although not recently. I don't think their activity is harmful, probably just an unrelated event.
Hello. I helped a good friend do some basic security on this small business webserver a while back. Tonight I received a message from him stating that something was up and he didn't quite understand it. His eth0 device was put into promisc, as I told him, an obvious sign the box was owned somehow. The only things I was able to dig out of the logs were:

httpd log:
195.188.192.12 - - [03/Jan/2000:00:05:46 -0800] "HEAD / HTTP/1.1" 200 0
(resolves to zanussi.netcraft.com)

then syslog:
Jan 4 15:58:54 [boxname] kernel: eth0: Setting promiscuous mode.
Jan 4 15:58:54 [boxname] kernel: device eth0 entered promiscuous mode
Jan 4 15:58:55 [boxname] kernel: eth0: Setting promiscuous mode.
Jan 4 15:58:55 [boxname] kernel: device eth0 left promiscuous mode

(All clock times approx. 20 min off from Pacific time)

A quick run over to my favorite 0day site gave me only a local exploit for his OS (Mandrake 6). All daemons that were running were the latest version, and those were minimal, taking my security advice. I can't get an exact list or any further data right now, it appears he 'eth0 down'ed the box.

My questions for the list:
1. Is netcraft.com being used in some mass scan for a httpd related or other remote overflow?
2. Is Mandrake 6 obviously vulnerable to something I'm not aware of?

Thanks,
Mike

Security and stuff. Hire me.