From owner-freebsd-security Sun Sep 20 21:56:15 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA26458 for freebsd-security-outgoing; Sun, 20 Sep 1998 21:56:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from horst.bfd.com (horst.bfd.com [12.9.219.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA26451 for ; Sun, 20 Sep 1998 21:56:08 -0700 (PDT) (envelope-from ejs@bfd.com) Received: from HARLIE.bfd.com (bastion.bfd.com [12.9.219.14]) by horst.bfd.com (8.9.1/8.9.1) with SMTP id VAA03192; Sun, 20 Sep 1998 21:55:38 -0700 (PDT) (envelope-from ejs@bfd.com) Date: Sun, 20 Sep 1998 21:55:38 -0700 (PDT) From: "Eric J. Schwertfeger" To: Brett Glass cc: security@FreeBSD.ORG Subject: Re: Bogus hits on our Web server In-Reply-To: <199809202128.PAA11447@lariat.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 20 Sep 1998, Brett Glass wrote: > We've gotten several spates of Web log entries like the following: > > 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 - > 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" > 404 - > 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" > 404 - I've got our web server emailing me every time a 404 pops up on the assumption that our site, or one of the sites we host, has a broken link. The blind stab at /cgi-bin/phf has been happening for a very long time, though it has suddenly become more popular. The other two I hadn't seen much of until recently. I definitely suspect script-kiddies, enough that I want to set those to pop up a page saying "Just what do you expect to find here?" Or at least dump all the parameters. Hmmmm..... To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message