Date: Wed, 3 Feb 1999 10:29:33 -0500 (EST)
From: mike@seidata.com
To: Dan Langille <junkmale@xtra.co.nz>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: what were these probes?
Message-ID: <Pine.BSF.4.05.9902031021040.15985-100000@ns1.seidata.com>
In-Reply-To: <19990202055804.YRQY682101.mta1-rme@wocker>
On Tue, 2 Feb 1999, Dan Langille wrote:

> Tonight I found these entries in my log files. What were they looking
> for? Was this a spammer looking for exploits?

Yes.

> ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0"
> 404 164

Extremely popular (and outdated, I assume they were searching for this just
to see if you were stupid ;) exploit that used to allow access to critical
system files (passwd, etc.).

> ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi
> HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi
> HTTP/1.0" 404 169

[snip]

Wow, looks like they were bored... just trying to see what you have, I
presume... attempting to find out more about your system. Many of these
are default scripts installed in /usr/local/www/cgi-bin by Apache.

> HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl

[snip]

...Or script names with known, previously exploitable holes.

> Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
> Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com

No real exploit here... Looks like tcpd is doing its job.

Did you have the phf script open to world? What version of Apache are you
running? I'd suggest enabling (access.conf) the automatic logging of phf
attempts. Uncomment the following:

<Location /cgi-bin/phf*>
deny from all
ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
</Location>

> Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from
> root@ns.cvvm.com [139.142.106.131]
> Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from
> root@ns.cvvm.com [139.142.106.131]

As usual, I'd attempt to forward records of these attempts to all related
administrative accounts of cvvm.com (root, hostmaster, names listed as
Whois contacts, etc.). Their system may merely be a hostile host, or it
may be a hacked site being used as a source for more hacks.... in which
case the real admins may have no clue about what's going on.

What version of sendmail are you running? Not sure about the null
connection bit... unless they're just, again, trying to see what you're
running (since older versions were exploit ridden).

Good luck...

--
Mike Hoskins
System/Network Administrator
SEI Data Network Services, Inc.
http://www.seidata.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
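The pattern Mike describes (one remote host walking through a list of well-known CGI script names in a few seconds, mostly drawing 404s) is easy to pick out of an Apache access log automatically. The following is an added example, not code from the thread or from the FreeBSD project: it parses common-log-format lines, groups /cgi-bin/ requests per client host, and flags any host that asks for several distinct /cgi-bin/ paths inside a short window, then names which of the requested scripts match the probe targets mentioned in the thread. The sample log lines are constructed for the example, modelled on the entries Dan quoted; the wwwboard.pl status and size, the client.example host and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# CGI script names that the thread calls out as probe targets.
# Illustrative, not an exhaustive signature list.
KNOWN_PROBES = {"phf", "Count.cgi", "test-cgi", "wwwboard.pl"}

# Constructed sample log, modelled on the lines quoted in the thread.
# The wwwboard.pl status/size and the client.example lines are made up.
SAMPLE_LOG = [
    'ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164',
    'ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170',
    'ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169',
    'ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 171',
    'client.example - - [02/Feb/1999:17:40:01 +1300] "GET /index.html HTTP/1.0" 200 1043',
    'client.example - - [02/Feb/1999:17:40:05 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 200 88',
]


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("request").split()
    path = req[1] if len(req) >= 2 else ""
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"host": m.group("host"), "time": ts, "path": path,
            "status": int(m.group("status"))}


def find_cgi_scanners(lines, min_paths=3, window_seconds=60):
    """Return {host: sorted list of all /cgi-bin/ paths it requested} for every
    host that requested at least min_paths distinct /cgi-bin/ paths within any
    window_seconds interval. Status is deliberately ignored: a scanner that
    happens to hit an installed script gets a 200, not a 404."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith("/cgi-bin/"):
            by_host[rec["host"]].append(rec)

    hits = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits within window_seconds.
            while (recs[end]["time"] - recs[start]["time"]).total_seconds() > window_seconds:
                start += 1
            distinct = {r["path"] for r in recs[start:end + 1]}
            if len(distinct) >= min_paths:
                hits[host] = sorted({r["path"] for r in recs})
                break
    return hits


def known_probe_names(paths):
    """Return the script basenames among paths that appear in KNOWN_PROBES."""
    found = set()
    for p in paths:
        name = p.split("?", 1)[0].rsplit("/", 1)[-1]
        if name in KNOWN_PROBES:
            found.add(name)
    return found


if __name__ == "__main__":
    for host, paths in find_cgi_scanners(SAMPLE_LOG).items():
        print(f"{host}: {len(paths)} distinct /cgi-bin/ paths, "
              f"known probes: {sorted(known_probe_names(paths))}")
```

Run against a real access_log, the script is only a triage aid: it tells you which hosts were walking the CGI directory, so you can check whether any of the named scripts are actually installed and world-reachable, and so you have a tidy list to attach when forwarding the records to the remote site's contacts as Mike suggests.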