From: Ian Kallen
Organization: Salon Media
Date: Tue, 11 Apr 2000 16:52:44 -0700
To: Bigby Findrake
Cc: bwoods2@uswest.net, freebsd-security@FreeBSD.ORG
Subject: Re: Weird log entry .....
Message-ID: <38F3BACC.7DEAE133@salon.com>

This isn't a FreeBSD security issue and you both should learn how to
read common log format: those "cgi requests" you're fretting over _are_
referers. The requests of your servers look like vanilla status 200
HTTP requests for non-CGI URLs, so get on with life and close out this
topic: it's a non-issue.

Bigby Findrake wrote:
>
> On Tue, 11 Apr 2000, William Woods wrote:
>
> > Came home from work and was doing a check of my server logs and ran across
> > this, anyone tell me what's up here?
> >
> > cache-dp03.proxy.aol.com - - [11/Apr/2000:15:18:59 -0700] "GET / HTTP/1.0" 200
> > 4254"http://209.185.131.251/cgi-bin/linkrd?_lang=&lah=14853ce0511667e378ad7f249b
> > b39074&lat=955491465&hm___action=http%3a%2f%2f63%2e227%2e213%2e92%2f"
> > "Mozilla/4.0(compatible; MSIE 5.0; AOL 5.0; Windows 98; DigExt)"
> >
> > What worries me is the try to execute a cgi-bin command here.
> >
>
> I'm not sure why they were trying to find that page on your server, but
> I've seen *many* people come to my servers who've been referred from a
> page that looks a lot like that. I've included one log line below.
>
> blah:242.omaha-01-02rs.ne.dial-access.att.net - - [16/Mar/2000:18:53:45
> +0000] "GET /~christy/ HTTP/1.1" 200 588 "
> http://216.33.236.250/cgi-bin/linkrd?_lang=&lah=d11f5445fcce05360957baed6934bce3&lat=953261532&hm___action=http%3a
> %2f%2fhome%2eephemeron%2eorg%2f%7echristy" "Mozilla/4.0 (compatible; MSIE
> 4.01; Windows 98; AT&T WNS5.0)"
>
> Based on what I know, I'd say don't worry unless you see tons of people
> trying to hit up such pages. In that case, I'd say turn on the referrers
> so that you can see who's directing people to that page on your server and
> contact that admin.
>
> /-------------------------------------------------------------------------/
> "What reason weaves, by passion is undone." -- Alexander Pope
>
> finger bigby@ephemeron.org for my pgpkey or
> http://home.ephemeron.org/~bigby/pgp_key.txt
> e-mail bigby@pager.ephemeron.org to page me
> /-------------------------------------------------------------------------/
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Salon Internet http://www.salon.com/
Manager, Software and Systems "Livin' La Vida Unix!"
Ian Kallen / AIM: iankallen / Fax: (415) 354-3326
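
The field split this thread turns on, as an added example that is not part of the original messages: a small combined-log-format parser that reports whether "cgi-bin" appears in the path requested from this server or only in the Referer the browser sent. The function names are hypothetical, and SAMPLE is the first log line quoted above with the mail client's line wrapping undone (an assumption about where the wraps fell).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
# The Referer is its own quoted field; it is data the client sent, not a URL fetched here.
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)\s*'
    r'"(?P<referer>[^"]*)"\s*"(?P<agent>[^"]*)"'
)

def parse_combined(line):
    """Split one combined-format line into named fields, plus the request path."""
    m = COMBINED.match(line)
    if m is None:
        raise ValueError("not a combined-format log line")
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec

def cgi_location(rec):
    """Return 'request' if a CGI path was asked of this server, else where it appears."""
    if "/cgi-bin/" in rec["path"]:
        return "request"
    if "/cgi-bin/" in urlsplit(rec["referer"]).path:
        return "referer-only"
    return "none"

def referer_params(rec):
    """Percent-decode the Referer's query string into a dict."""
    qs = parse_qs(urlsplit(rec["referer"]).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}

# Log line from the thread, rejoined onto one line (wrap points are assumed).
SAMPLE = (
    'cache-dp03.proxy.aol.com - - [11/Apr/2000:15:18:59 -0700] "GET / HTTP/1.0" 200 '
    '4254"http://209.185.131.251/cgi-bin/linkrd?_lang=&lah=14853ce0511667e378ad7f249b'
    'b39074&lat=955491465&hm___action=http%3a%2f%2f63%2e227%2e213%2e92%2f" '
    '"Mozilla/4.0(compatible; MSIE 5.0; AOL 5.0; Windows 98; DigExt)"'
)

if __name__ == "__main__":
    rec = parse_combined(SAMPLE)
    print("requested path :", rec["path"], "status", rec["status"])
    print("cgi-bin found  :", cgi_location(rec))
    print("referer target :", referer_params(rec).get("hm___action"))
```

The decoded hm___action value is the address the referring page linked to, which is how a redirector URL on another host ends up in the Referer column of a plain request for "/".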