From owner-freebsd-security Sun Sep 20 15:41:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA25313 for freebsd-security-outgoing; Sun, 20 Sep 1998 15:41:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from redfish.go2net.com (redfish.go2net.com [207.178.55.5]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id PAA25303 for ; Sun, 20 Sep 1998 15:41:11 -0700 (PDT) (envelope-from marcs@go2net.com)
Received: from marcs by redfish.go2net.com with smtp (Exim 1.82 #2) id 0zKs8H-0007nD-00; Sun, 20 Sep 1998 15:39:05 -0700
Date: Sun, 20 Sep 1998 15:39:05 -0700 (PDT)
From: Marc Slemko
X-Sender: marcs@redfish
To: Brett Glass
cc: security@FreeBSD.ORG
Subject: Re: Bogus hits on our Web server
In-Reply-To: <199809202128.PAA11447@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 20 Sep 1998, Brett Glass wrote:

> We've gotten several spates of Web log entries like the following:
>
> 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
>
> and
>
> 38.11.110.182 root - [20/Sep/1998:13:37:16 -0600] "GET /cgi-bin/phf" 404 -
> 38.11.110.182 root - [20/Sep/1998:13:37:19 -0600] "GET /cgi-bin/test-cgi" 404 -
> 38.11.110.182 root - [20/Sep/1998:13:37:22 -0600] "GET /cgi-bin/handler" 404 -
>
> Is this a mass attack by a bunch of "skript kiddies?" What's going on?

Yup, that is what it looks like.

They appear to be basing their probing on servers listed as DNS servers for various domains. If you look at your logs, you will probably find ftp, telnet, imap, and pop connections as well.

imap and pop are probably looking for obvious holes, telnet I guess just to try to find the OS, finger to look for activity or accounts to crack.

We have seen a dozen or so sites pulling this in the past week; most of ours appear to be boxes that have been broken into. Don't know if it is one group or some stupid lame-assed script that a bunch of morons are trying.
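A detection pass over log entries of the kind quoted in this thread, added here as an example and not part of the original message or of any FreeBSD tool: it parses common-log-format lines, keeps only requests for the three CGI paths the thread names (`/cgi-bin/phf`, `/cgi-bin/test-cgi`, `/cgi-bin/handler`), and flags any source address that asks for two or more of them within a short window. The sample lines are constructed (the probing hosts mirror the quoted entries; `10.0.0.7` is a constructed benign client), and the 60-second window and two-path threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the same common-log layout as the entries
# quoted in the thread: host, ident, user, [timestamp], "request", status, bytes.
# The two probing hosts mirror the quoted entries; 10.0.0.7 is a constructed
# benign client added so the filter has something to ignore.
SAMPLE_LOG = """\
62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
10.0.0.7 - - [20/Sep/1998:11:02:00 -0600] "GET /index.html" 200 1043
38.11.110.182 root - [20/Sep/1998:13:37:16 -0600] "GET /cgi-bin/phf" 404 -
38.11.110.182 root - [20/Sep/1998:13:37:19 -0600] "GET /cgi-bin/test-cgi" 404 -
38.11.110.182 root - [20/Sep/1998:13:37:22 -0600] "GET /cgi-bin/handler" 404 -
"""

# The three paths the thread reports being probed. The scanner requests them
# in sequence whether or not they exist, so a 404 is the expected status and
# the signal is the sequence itself, not the response code.
PROBE_PATHS = {"/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler"}

# Common log format; the protocol field is optional because the quoted
# requests are HTTP/0.9-style ("GET /path" with no version).
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one common-log-format line into a dict, or return None when it
    does not match (malformed lines are skipped, never trusted)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_probing_hosts(log_text, window=timedelta(seconds=60), min_distinct=2):
    """Return {host: sorted distinct probe paths} for every source that
    requested at least `min_distinct` different PROBE_PATHS inside some span
    of length `window`. Events are sorted by timestamp first, so the result
    does not depend on the order lines appear in the file."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in PROBE_PATHS:
            hits[rec["host"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for host, events in hits.items():
        events.sort()
        # Slide a window anchored at each event; the first window that
        # reaches the threshold is enough to flag the host.
        for i, (start, _) in enumerate(events):
            seen = {p for t, p in events[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                flagged[host] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for host, paths in find_probing_hosts(SAMPLE_LOG).items():
        print(f"{host}: probed {', '.join(paths)}")
```

Run against a real access log by passing the file contents to `find_probing_hosts`; the output lists each flagged source with the probe paths it requested, which is what you would cross-check against ftp, telnet, imap and pop logs from the same addresses, as the reply suggests.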