From owner-freebsd-security Tue Apr 11 16:45:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from home.ephemeron.org (dt090n4a.san.rr.com [204.210.46.74])
	by hub.freebsd.org (Postfix) with ESMTP id 17C1337B61E
	for ; Tue, 11 Apr 2000 16:45:35 -0700 (PDT)
	(envelope-from bigby@ephemeron.org)
Received: from localhost (bigby@localhost)
	by home.ephemeron.org (8.9.3/8.9.3) with ESMTP id QAA63804;
	Tue, 11 Apr 2000 16:45:20 -0700 (PDT)
	(envelope-from bigby@ephemeron.org)
Date: Tue, 11 Apr 2000 16:45:20 -0700 (PDT)
From: Bigby Findrake
To: bwoods2@uswest.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Weird log entry .....
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 11 Apr 2000, William Woods wrote:

> Came home from work and was doing a check of my server logs and ran across
> this, anyone tell me what's up here?
>
> cache-dp03.proxy.aol.com - - [11/Apr/2000:15:18:59 -0700] "GET / HTTP/1.0" 200
> 4254"http://209.185.131.251/cgi-bin/linkrd?_lang=&lah=14853ce0511667e378ad7f249b
> b39074&lat=955491465&hm___action=http%3a%2f%2f63%2e227%2e213%2e92%2f"
> "Mozilla/4.0(compatible; MSIE 5.0; AOL 5.0; Windows 98; DigExt)"
>
> What worries me is the try to execute a cgi-bin command here.

I'm not sure why they were trying to find that page on your server, but
I've seen *many* people come to my servers who've been referred from a
page that looks a lot like that. I've included one log line below.

blah:242.omaha-01-02rs.ne.dial-access.att.net - - [16/Mar/2000:18:53:45 +0000] "GET /~christy/ HTTP/1.1" 200 588 "
http://216.33.236.250/cgi-bin/linkrd?_lang=&lah=d11f5445fcce05360957baed6934bce3&lat=953261532&hm___action=http%3a
%2f%2fhome%2eephemeron%2eorg%2f%7echristy" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98; AT&T WNS5.0)"

Based on what I know, I'd say don't worry unless you see tons of people
trying to hit up such pages.
In that case, I'd say turn on the referrers so that you can see who's
directing people to that page on your server and contact that admin.

/-------------------------------------------------------------------------/
"What reason weaves, by passion is undone."
                -- Alexander Pope

finger bigby@ephemeron.org for my pgpkey or
http://home.ephemeron.org/~bigby/pgp_key.txt
e-mail bigby@pager.ephemeron.org to page me
/-------------------------------------------------------------------------/
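
An added example, not part of the original message: in Combined Log Format the quoted field after the status and byte count is the Referer the browser sent, so a `cgi-bin/linkrd` URL there names the page the visitor came from, not something requested from the logging server. The Python sketch below separates the two, decodes the `hm___action` parameter seen in both log lines, and tallies referrers; the sample lines are constructed with documentation addresses, and the function names are illustrative.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
# \s* before the referer tolerates a missing space after the byte count.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)\s*"(?P<referer>[^"]*)"\s*"(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Split one log line and separate what was requested from the Referer."""
    m = CLF.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    ref = urlsplit(rec["referer"].strip())
    rec["referer_host"] = ref.hostname or ""
    rec["referer_path"] = ref.path
    # parse_qs percent-decodes values; hm___action holds the link that was followed.
    rec["redirect_target"] = parse_qs(ref.query).get("hm___action", [""])[0]
    # True only if the client asked this server for something under /cgi-bin/.
    rec["cgi_requested"] = rec["path"].startswith("/cgi-bin/")
    return rec

def referer_summary(lines):
    """Count hits per (referer host, referer path) to see who is sending visitors."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["referer_host"]:
            counts[(rec["referer_host"], rec["referer_path"])] += 1
    return counts

# Constructed sample lines using documentation addresses; not taken from the thread.
SAMPLE = [
    'proxy.example.net - - [11/Apr/2000:15:18:59 -0700] "GET / HTTP/1.0" 200 4254'
    '"http://198.51.100.7/cgi-bin/linkrd?_lang=&lah=0000&lat=955491465&hm___action=http%3a%2f%2f192%2e0%2e2%2e10%2f" "Mozilla/4.0 (compatible)"',
    'dialup.example.com - - [16/Mar/2000:18:53:45 +0000] "GET /~user/ HTTP/1.1" 200 588 '
    '" http://198.51.100.7/cgi-bin/linkrd?_lang=&hm___action=http%3a%2f%2fwww%2eexample%2eorg%2f%7euser" "Mozilla/4.0 (compatible)"',
    'host.example.org - - [16/Mar/2000:19:00:00 +0000] "GET /index.html HTTP/1.0" 200 100 "-" "Mozilla/4.0 (compatible)"',
]

if __name__ == "__main__":
    for (host, path), n in referer_summary(SAMPLE).most_common():
        print(n, host, path)
```
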