From owner-freebsd-security  Sun Sep 20 16:10:57 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA01631
          for freebsd-security-outgoing; Sun, 20 Sep 1998 16:10:57 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from eyelab.psy.msu.edu (eyelab.psy.msu.edu [35.8.64.179])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA01610
          for <freebsd-security@freebsd.org>; Sun, 20 Sep 1998 16:10:43 -0700 (PDT)
          (envelope-from root@eyelab.psy.msu.edu)
Received: from logrus-p2 (dyn1-tnt13-196.detroit.mi.ameritech.net [199.179.188.196])
	by eyelab.psy.msu.edu (8.9.1/8.8.7) with SMTP id TAA05189;
	Sun, 20 Sep 1998 19:09:52 -0400 (EDT)
	(envelope-from root@eyelab.psy.msu.edu)
Message-Id: <199809202309.TAA05189@eyelab.psy.msu.edu>
X-Sender: root@eyelab.msu.edu
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.52 (Beta)
Date: Sun, 20 Sep 1998 19:09:19 -0400
To: Brett Glass <brett@lariat.org>
From: Gary Schrock <root@eyelab.psy.msu.edu>
Subject: Re: Bogus hits on our Web server
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199809202128.PAA11447@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 02:43 PM 9/20/98 -0600, you wrote:
>We've gotten several spates of Web log entries like the following:
>
>62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
>62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi"
>404 -
>62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler"
>404 -

People running scripts.  The phf one is an old old hole in one of the cgi
programs that was included in apache (or maybe just ncsa?).  It was removed
a couple years ago or so, but people still scan for it.  I get several of
them every month.


Gary Schrock
root@eyelab.msu.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message