
Re: [cobalt-developers] /default.ida



It's automated zombies from one of the previous microsoft exploits. Try notifying the ISP and/or upstream provider that there's an infected server molesting you.


Ritch
Pierre Maloka wrote:

Silly virus scans. They are trying to find NT machines to take advantage of.
I got hundreds today, and nobody even knows what my website is. I typically
get < 10 legit hits a day. I wish there was some way to turn these guys in.
I got over 80 requests from "dsl-64-195-90-29.telocity.com" alone.

-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of KAMRY
Sent: Tuesday, September 18, 2001 10:35 PM
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: [cobalt-developers]
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXX



Anyone knows about these scans:

/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXX
XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6
858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 302 627 "-" "-"

/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXX
XXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6
858%ucbd3%
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
HTTP/1.0" 302 632 "-" "-"

/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 250 "-" "-"

-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of Matthias
Pigulla
Sent: Tue, September 18, 2001 8:57 AM
To: 'cobalt-developers@xxxxxxxxxxxxxxx'
Subject: [cobalt-developers] RaQ3 kernel oops


Hi folks,

I sent this to the developers list, as I consider this a fairly technical
issue, and I hope to find some kernel experts here :)-

We've had a lot of trouble with one of our RaQ3 appliances during the last
days. To cut a long story short, we checked all RAM modules, installed a new
hard disk drive, manually restored from our backups and tried to install the
Kernel 2.2.14 .pkg.

As to the backups, we made a copy of the entire disk when we first got the
machine and we make daily backups. So we copied the "factory new" files onto
a new HDD using another linux machine and extracted our daily backup
replacing existing files.

Now we're stuck with the following messages when booting. I can't figure out
what this problem might be related to; we also checked it by installing the
same HDD in another RaQ3 with some minor differences in the specs (no SCSI,
just one eth interface), getting the same messages.

       Cobalt Networks - 'We serve it, you surf it'
                 Firmware version 2.3.0

ROM Build info: Wed Oct 6 15:23:25 PDT 1999 freakshow.cobaltnet.com
System serial number: 3C03AM0127177
Memory found: 384 MB
Initializing I2C bus: done
Scanning PCI bus: done
Initializing IDE: done
 IDE 0 master: found
       slave:  not found
 IDE 1 master: not found
       slave:  not found
Initializing SCSI: done
Initializing ethernet: done
Initializing EEPROMs: done
 EEPROM Bank 0: Intel E28F008S5 1MB
 EEPROM Bank 1: not installed.
Mounting rom_fs: done
Initializing RTC: done
Initializing i18n - language "en": done

Press spacebar to enter ROM mode
Booting default method - From disk

First stage kernel: Decompressing - done
Linux version 2.2.12C3 (thockin@freakshow) (gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)) #1 (ROM kernel) Wed Oct 6 15:16:06 PDT 1999
Detected 298807169 Hz processor.
Calibrating delay loop... 596.38 BogoMIPS
Memory: 14424k/16384k available (1080k kernel code, 416k reserved, 400k data, 64k init)
VFS: Diskquotas version dquot_6.4.0 initialized
Enabling new style K6 write allocation for 16 Mb
CPU: AMD AMD-K6(tm) 3D processor stepping 0c
Checking 386/387 coupling... OK, FPU using exception 16 error reporting.
Checking 'hlt' instruction... OK.
POSIX conformance testing by UNIFIX
mtrr: v1.35a (19990819) Richard Gooch (rgooch@xxxxxxxxxxxxx)
PCI: Using configuration type 1
PCI: Probing PCI hardware
PCI: Assigning I/O space 5800-583f to device 00:18
Linux NET4.0 for Linux 2.2
Based upon Swansea University Computer Society NET3.039
NET4: Unix domain sockets 1.0 for Linux NET4.0.
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IPv4 over IPv4 tunneling driver
early initialization of device tunl0 is deferred
GRE over IPv4 tunneling driver
early initialization of device gre0 is deferred
NET4: AppleTalk 0.18 for Linux NET4.0
Initializing RT netlink socket
Starting kswapd v 1.2
Cobalt temperature sensor v1.2 enabled
Serial driver version 4.27 with no serial options enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
ttyS01 at 0x02f8 (irq = 3) is a 16550A
Keyboard timeout[2]
Keyboard timeout[2]
pty: 256 Unix98 ptys configured
Real Time Clock Driver v1.09
lcd: Cobalt LCD Driver v3.01 by
lcd: Andrew Bose <andrew@xxxxxxxxxxxxx>, Timothy Stonis <tialtnet.com>
loop: registered device at major 7
Uniform Multi-Platform E-IDE driver Revision: 6.20
ALI15X3: IDE controller on PCI bus 00 dev 78
ALI15X3: 100% native mode on irq 14
   ide0: BM-DMA at 0xf000-0xf007, BIOS settings: hda:DMA, hdb:DMA
   ide1: BM-DMA at 0xf008-0xf00f, BIOS settings: hdc:DMA, hdd:DMA
hda: MAXTOR 4K040H2, ATA DISK drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
ALI15X3: Ultra DMA enabled
hda: MAXTOR 4K040H2, 38182MB w/2000kB Cache, CHS=12042/16/63, (U)DMA
md driver 0.36.6 MAX_MD_DEV=4, MAX_REAL=8
linear personality registered
raid0 personality registered
raid1 personality registered
sym53c8xx: at PCI bus 0, device 14, function 0
sym53c8xx: 53c875 detected
sym53c875-0: rev=0x04, base=0xc0000000, io_port=0x1000, irq=12
sym53c875-0: NCR clock is 40037KHz, 40218KHz
sym53c875-0: ID 7, Fast-20, Parity Checking
sym53c875-0: on-chip RAM at 0xc0008000
sym53c875-0: restart (scsi reset).
sym53c875-0: Downloading SCSI SCRIPTS.
scsi0 : sym53c8xx - version 1.3g
scsi : 1 host.
scsi : detected total.
PPP: version 2.3.7 (demand dialling)
TCP compression code copyright 1989 Regents of the University of California
PPP line discipline registered.
eth0: Invalid EEPROM checksum 0xe50b, check settings before activating this device!
eth0: Intel EtherExpress Pro 10/100 at 0x1100, 00:10:E0:01:2B:D3, IRQ 11.
 Board assembly 000000-000, Physical connectors present:
 Primary interface chip None PHY #0.
 General self-test: passed.
 Serial sub-system self-test: passed.
 Internal registers self-test: passed.
 ROM checksum self-test: passed (0xdbd8681d).
 Receiver lock-up workaround activated.
eth1: Invalid EEPROM checksum 0xe70b, check settings before activating this device!
eth1: Intel EtherExpress Pro 10/100 at 0x1200, 00:10:E0:01:2B:D5, IRQ 10.
 Board assembly 000000-000, Physical connectors present:
 Primary interface chip None PHY #0.
 General self-test: passed.
 Serial sub-system self-test: passed.
 Internal registers self-test: passed.
 ROM checksum self-test: passed (0xdbd8681d).
 Receiver lock-up workaround activated.
Partition check:
hda: hda1 hda2 hda3 hda4
VFS: Mounted root (ext2 filesystem) readonly.
Freeing unused kernel memory: 64k freed
Unable to handle kernel NULL pointer dereference at virtual address 00000008
current->tss.cr3 = 00101000, %cr3 = 00101000
*pde = 00000000
Oops: 0000
CPU:    0
EIP:    0010:[<c012b4dc>]
EFLAGS: 00010282
eax: 00000000   ebx: fffffff4   ecx: c0290140   edx: c0290090
esi: c02900e0   edi: c0097dc0   ebp: c0003f44   esp: c0003f10
ds: 0018   es: 0018   ss: 0018
Process swapper (pid: 1, process nr: 1, stackpage=c0003000)
Stack: c0003f44 00000000 c0237005 0000000b c0097e0c c012b6bc c0290060 c0003f44
       0000000b c0236020 ffffffe9 00000003 17ffffb4 c0237001 00000003 00006226
       c012b83a c0237000 c0290060 00000001 c0236020 ffffffe9 c0106000 17ffffb4
Call Trace: [<c012b6bc>] [<c012b83a>] [<c0106000>] [<c01243f8>] [<c0106000>] [<c012463a>] [<c0109a04>]
       [<c01db805>] [<c0106000>] [<c01060ab>] [<c010856b>]
Code: 8b 40 08 ff d0 89 c3 83 c4 08 85 db 74 0e 56 e8 48 47 00 00

Any hints on how I could proceed? What exactly does the RaQ boot procedure
look like? I noticed that there are two "stages" in the boot process, and it
seems to me as if the first stage boots a kernel from ROM? As we're stuck
during the first stage, does this mean I should check my ROM configuration?
This seems weird, as the other machine we've tested behaves the same way.

TIA,
Matthias
--

w e b f a c t o r y   G m b H
  Matthias Pigulla <mp@xxxxxxxxxxxxx> - Geschaeftsfuehrer
  Lessingstr. 60 - D-53113 Bonn - Germany - www.webfactory.de
  Fon +49(0)228-9114455 - Fax +49(0)228-9114499 - ICQ 49185492

_______________________________________________
cobalt-developers mailing list
cobalt-developers@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-developers





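Pierre's wish for "some way to turn these guys in" and Ritch's advice to notify the ISP can be scripted. The following is an added example, not code from any poster: it matches the two probe shapes quoted in the thread (the Code Red `/default.ida?...%u...` request and the `/scripts/..%252f../winnt/system32/cmd.exe` traversal) in Apache access-log lines and tallies them per source host for an abuse notice. The log lines, timestamps and the `203.0.113.7` / `198.51.100.4` hosts are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" format; the first field is the client IP or its resolved name.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample log: hosts are placeholders, the request strings are the
# shapes quoted in the thread (Code Red payloads shortened).
SAMPLE_LOG = [
    'dsl-64-195-90-29.telocity.com - - [18/Sep/2001:22:35:01 +0200] '
    '"GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 302 627 "-" "-"',
    'dsl-64-195-90-29.telocity.com - - [18/Sep/2001:22:41:17 +0200] '
    '"GET /default.ida?XXXXXXXXXX%u9090%u6858%ucbd3%u7801 HTTP/1.0" 302 632 "-" "-"',
    '203.0.113.7 - - [18/Sep/2001:22:50:03 +0200] '
    '"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 250 "-" "-"',
    '198.51.100.4 - - [18/Sep/2001:23:02:44 +0200] '
    '"GET /index.html HTTP/1.0" 200 1834 "-" "Mozilla/4.0"',
]

def classify(path):
    """Label an IIS-worm probe by its request path; None for ordinary traffic."""
    # Code Red: GET /default.ida?XXX...%uNNNN... aimed at the IIS .ida ISAPI filter.
    if path.lower().startswith('/default.ida?') and '%u' in path:
        return 'code-red'
    # Nimda-style traversal: %252f decodes to %2f and then to '/', walking out
    # of /scripts/ to cmd.exe; decode twice so single and double encoding match.
    decoded = unquote(unquote(path)).lower()
    if 'cmd.exe' in decoded and '/winnt/system32' in decoded:
        return 'unicode-traversal'
    return None

def summarize(lines):
    """Count probes per label and source host. A 302/404 here means the probe
    failed against this non-IIS server, but the sender is still infected."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and (label := classify(m['path'])):
            hits.setdefault(label, Counter())[m['host']] += 1
    return hits

def abuse_report(hits):
    """One line per offending host, ready to paste into an ISP abuse notice."""
    return sorted(f'{host}: {n} {label} request(s)'
                  for label, c in hits.items() for host, n in c.items())
```

Feed it the real access_log (`summarize(open('/var/log/httpd/access_log'))`) and the per-host counts give the ISP the evidence it needs; the `ts` and `status` groups are captured so the report can be extended with first/last-seen times.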