From: mike@seidata.com
Date: Wed, 3 Feb 1999 10:29:33 -0500 (EST)
To: Dan Langille
cc: freebsd-security@FreeBSD.ORG
Subject: Re: what were these probes?
In-Reply-To: <19990202055804.YRQY682101.mta1-rme@wocker>

On Tue, 2 Feb 1999, Dan Langille wrote:

> Tonight I found these entries in my log files. What were they looking
> for? Was this a spammer looking for exploits?

Yes.

> ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0"
> 404 164

Extremely popular (and outdated, I assume they were searching for this
just to see if you were stupid ;) exploit that used to allow access to
critical system files (passwd, etc.).

> ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi
> HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi
> HTTP/1.0" 404 169

[snip]

Wow, looks like they were bored... just trying to see what you have, I
presume... attempting to find out more about your system. Many of these
are default scripts installed in /usr/local/www/cgi-bin by Apache.

> HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl

[snip]

...Or script names with known, previously exploitable holes.

> Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
> Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com

No real exploit here... Looks like tcpd is doing its job.

Did you have the phf script open to world? What version of Apache are
you running? I'd suggest enabling (access.conf) the automatic logging of
phf attempts. Uncomment the following:

    deny from all
    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi

> Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from
> root@ns.cvvm.com [139.142.106.131]
> Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from
> root@ns.cvvm.com [139.142.106.131]

As usual, I'd attempt to forward records of these attempts to all related
administrative accounts of cvvm.com (root, hostmaster, names listed as
Whois contacts, etc.). Their system may merely be a hostile host, or it
may be a hacked site being used as a source for more hacks.... in which
case the real admins may have no clue about what's going on.

What version of sendmail are you running? Not sure about the null
connection bit... unless they're just, again, trying to see what you're
running (since older versions were exploit ridden).

Good luck...

-- 
Mike Hoskins
System/Network Administrator
SEI Data Network Services, Inc.
http://www.seidata.com
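The pattern Mike points at, one host sweeping /cgi-bin/ for default and previously exploited script names within seconds, can be pulled out of an Apache access log automatically so the records can be forwarded to the remote site's admins as he suggests. This is an added example, not code from the thread or from FreeBSD/Apache; the log lines are constructed to mirror the quoted entries, and the probe list is exactly the scripts the thread names.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the access-log entries quoted in the thread.
SAMPLE_LOG = """\
ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164
ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 169
client.example.net - - [02/Feb/1999:18:01:02 +1300] "GET /index.html HTTP/1.0" 200 2048
"""

# Script names the thread identifies as probe targets (Apache default
# scripts or scripts with previously published holes). Extend as needed.
PROBED_SCRIPTS = {"phf", "Count.cgi", "test-cgi", "wwwboard.pl"}

# Apache Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

def parse_line(line):
    """Return a dict of CLF fields for one line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_cgi_probes(lines):
    """Map host -> sorted list of known probe targets it requested under
    /cgi-bin/. The status code is ignored: a 404 still shows intent."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]   # drop any query string first
        if not path.startswith("/cgi-bin/"):
            continue
        script = path[len("/cgi-bin/"):]
        if script in PROBED_SCRIPTS:
            hits[rec["host"]].add(script)
    return {host: sorted(scripts) for host, scripts in hits.items()}

def scanning_hosts(lines, min_scripts=3):
    """Hosts that requested at least min_scripts distinct probe targets:
    one odd request may be a typo, a run through the list is a scan."""
    return sorted(h for h, s in find_cgi_probes(lines).items() if len(s) >= min_scripts)

if __name__ == "__main__":
    probes = find_cgi_probes(SAMPLE_LOG.splitlines())
    for host in scanning_hosts(SAMPLE_LOG.splitlines()):
        print(host, "probed:", ", ".join(probes[host]))
```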