Hi,
netcraft.com routinely scans web sites and publish their
survey of http server software. See http://www.netcraft.com/.
They also scan port 443 (https) for the same reasons, and I've
seen them try to do DNS zone transfers although not recently.
I don't think their activity is harmful, probably just an
unrelated event.
> Hello.
>
> I helped a good friend do some basic security on this small business
> webserver a while back.
> Tonight I received a message from him stating that it something was
> up and he didn't quite understand it.
>
> His eth0 device was put into promisc, as I told him, an obvious sign
> the box was owned somehow.
>
> The only things I was able to dig out of the logs was:
> httpd log:
> 195.188.192.12 - - [03/Jan/2000:00:05:46 -0800] "HEAD / HTTP/1.1" 200
> 0
> (resolves to zanussi.netcraft.com)
>
> then syslog:
> Jan 4 15:58:54 [boxname] kernel: eth0: Setting promiscuous mode.
> Jan 4 15:58:54 [boxname] kernel: device eth0 entered promiscuous
> mode
> Jan 4 15:58:55 [boxname] kernel: eth0: Setting promiscuous mode.
> Jan 4 15:58:55 [boxname] kernel: device eth0 left promiscuous mode
> (All clock times approx. 20 min off from Pacific time)
>
> A quick run over to my favorite 0day site gave me only a local
> exploit for his OS (Mandrake 6)
>
> All daemons that were running were the latest version, and those were
> minimal, taking my security advice. I cant get an exact list or any
> further data right now, it appears he 'eth0 down'ed the box.
>
> My questions for the list:
> 1. is netcraft.com being used it some mass scan for a httpd related
> or other remote overflow?
> 2. Is Mandrake 6 obviously vulnerable to something I'm not aware of?
>
>
> Thanks,
> Mike
> Security and stuff. Hire me.
>
Received on Jan 06 2000
Intro
