From owner-freebsd-security  Sun Sep 20 16:16:49 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA02434
          for freebsd-security-outgoing; Sun, 20 Sep 1998 16:16:49 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA02415
          for <security@FreeBSD.ORG>; Sun, 20 Sep 1998 16:16:43 -0700 (PDT)
          (envelope-from jkb@best.com)
Received: from localhost (jkb@localhost)
	by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id QAA25274;
	Sun, 20 Sep 1998 16:16:14 -0700 (PDT)
X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Sun, 20 Sep 1998 16:16:14 -0700 (PDT)
From: "Jan B. Koum " <jkb@best.com>
X-Sender: jkb@shell6.ba.best.com
To: Brett Glass <brett@lariat.org>
cc: security@FreeBSD.ORG
Subject: Re: Bogus hits on our Web server
In-Reply-To: <199809202128.PAA11447@lariat.lariat.org>
Message-ID: <Pine.BSF.4.02A.9809201615160.25062-100000@shell6.ba.best.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


	Yup, looks like it. There are MANY scripts out there for script
kiddiez which would check for possible bad CGIs on your web server.

-- Yan

I don't have the password .... + Jan Koum 
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There. 
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org

On Sun, 20 Sep 1998, Brett Glass wrote:

>We've gotten several spates of Web log entries like the following:
>
>62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
>62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi"
>404 -
>62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler"
>404 -
>
>and
>
>38.11.110.182 root - [20/Sep/1998:13:37:16 -0600] "GET /cgi-bin/phf" 404 -
>38.11.110.182 root - [20/Sep/1998:13:37:19 -0600] "GET /cgi-bin/test-cgi"
>404 -
>38.11.110.182 root - [20/Sep/1998:13:37:22 -0600] "GET /cgi-bin/handler" 404 -
>
>Is this a mass attack by a bunch of "skript kiddies?" What's going on?
>
>--Brett
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message