From owner-freebsd-security  Sun Sep 20 15:41:15 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id PAA25313
          for freebsd-security-outgoing; Sun, 20 Sep 1998 15:41:15 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from redfish.go2net.com (redfish.go2net.com [207.178.55.5])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id PAA25303
          for <security@freebsd.org>; Sun, 20 Sep 1998 15:41:11 -0700 (PDT)
          (envelope-from marcs@go2net.com)
Received: from marcs by redfish.go2net.com with smtp (Exim 1.82 #2)
	id 0zKs8H-0007nD-00; Sun, 20 Sep 1998 15:39:05 -0700
Date: Sun, 20 Sep 1998 15:39:05 -0700 (PDT)
From: Marc Slemko <marcs@znep.com>
X-Sender: marcs@redfish
To: Brett Glass <brett@lariat.org>
cc: security@FreeBSD.ORG
Subject: Re: Bogus hits on our Web server
In-Reply-To: <199809202128.PAA11447@lariat.lariat.org>
Message-ID: <Pine.GSO.4.02A.9809201536270.29852-100000@redfish>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 20 Sep 1998, Brett Glass wrote:

> We've gotten several spates of Web log entries like the following:
> 
> 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi"
> 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler"
> 404 -
> 
> and
> 
> 38.11.110.182 root - [20/Sep/1998:13:37:16 -0600] "GET /cgi-bin/phf" 404 -
> 38.11.110.182 root - [20/Sep/1998:13:37:19 -0600] "GET /cgi-bin/test-cgi"
> 404 -
> 38.11.110.182 root - [20/Sep/1998:13:37:22 -0600] "GET /cgi-bin/handler" 404 -
> 
> Is this a mass attack by a bunch of "skript kiddies?" What's going on?

Yup, that is what it looks like.

They appear to be basing their probing on servers listed as DNS servers
for various domains.

If you look at your logs, you will probably find ftp, telnet, imap, and
pop connections as well.

imap and pop are probably looking for obvious holes, telnet I guess just
to try to find the OS, finger to look for activity or accounts to crack.

We have seen a dozen or so sites pulling this in the past week, most of
ours appear to be boxes that have been broken into.

Don't know if it is one group or some stupid lame-assed script that a
bunch of morons are trying.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message