Date:      Sun, 20 Sep 1998 18:51:28 -0500 (CDT)
From:      Frank Tobin <ftobin@bigfoot.com>
To:        security@FreeBSD.ORG
Subject:   Re: Bogus hits on our Web server
Message-ID:  <Pine.BSF.4.01.9809201821160.3511-100000@isr3277.urh.uiuc.edu>
In-Reply-To: <199809202128.PAA11447@lariat.lariat.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi"
> 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler"
> 404 -
...

This definitely looks like a search for holes on your website.  If you'll
notice, in the Apache access.conf file:

...
There have been reports of people trying to abuse an old bug from pre-1.1
days.  This bug involved a CGI script distributed as a part of Apache. By
uncommenting these lines you can redirect these attacks to a logging
script on phf.apache.org.  Or, you can record them yourself, using the
script support/phf_abuse_log.cgi.

<Location /cgi-bin/phf*>
deny from all
ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
</Location>
...

The test-cgi and other 404 requests are obviously looking for some type of
hole, also.

This could be being done by SATAN (I don't know if it checks for http
holes), or some other blatant exploit.  You should check to see if there
have been other tcp-related attacks, by checking your logfiles for where
tcp-wrappers has recorded connection attempts from (and if you don't have
tcp-wrappers installed, I'd HIGHLY recommend looking into it).

- -- 

Frank Tobin			"To learn what is good and what is to be
http://www.bigfoot.com/~ftobin	 valued, those truths which cannot be
				 shaken or changed." Myst: The Book of Atrus
FreeBSD: The Power To Serve

PGP DH/DSS key ID:  0xF40EB65E
      fingerprint:  1502 6E84 8C08 E828 7945  3F4A 02F8 503A F40E B65E




-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBNgWG/QL4UDr0DrZeEQJZQQCdHnw+UWSMSRpB+q9Ys/jh0Xzom7sAn1pP
tD13a4DLkboJe1k7gtSP0Nt4
=rha0
-----END PGP SIGNATURE-----
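The log entries quoted above (phf, test-cgi, handler, all 404 from one host within three seconds) are the classic pattern of a CGI probe, and the check Frank suggests is easy to automate against a whole access log. The script below is an added example, not code from the original message or from Apache: it parses Apache common-log-format lines, matches the request path against a small watchlist of probed CGI names, groups hits by source host, and flags any host that touched more than one probed path. The sample log is constructed to mirror the quoted entries (with the wrapped lines rejoined) plus some benign traffic; the watchlist and the two-path threshold are assumptions for illustration.

```python
"""Flag requests that look like the 1998-era CGI probes discussed in the thread.

Added example, not part of the original mailing-list message. The sample log
below is constructed to mirror the entries quoted in the thread (Apache
common log format, some without an HTTP version, as in the original) and
the watchlist of probed paths is an assumption drawn from those entries.
"""
import re
from collections import defaultdict

# Apache common log format:
#   host ident user [time] "method path [protocol]" status size
# The protocol is optional because HTTP/0.9-style requests (as quoted in the
# thread) log no version string after the path.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Watchlist (assumption): the three script names from the quoted log lines.
# Extend it with whatever else you see being probed on your own server.
PROBE_PATHS = {
    "/cgi-bin/phf",
    "/cgi-bin/test-cgi",
    "/cgi-bin/handler",
}

# Constructed sample log: the quoted probe lines rejoined onto single lines,
# two benign requests, and one phf hit that carries a query string.
SAMPLE_LOG = """\
62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
10.0.0.5 - - [20/Sep/1998:10:44:02 -0600] "GET /index.html HTTP/1.0" 200 1432
10.0.0.5 - - [20/Sep/1998:10:44:03 -0600] "GET /images/logo.gif HTTP/1.0" 200 8821
192.0.2.44 - - [20/Sep/1998:11:02:10 -0600] "GET /cgi-bin/phf?Qname=test HTTP/1.0" 404 -
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Match on the script path only; a query string must not hide a probe.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_probes(log_text, probe_paths=PROBE_PATHS):
    """Return {host: [(path, status), ...]} for every request to a watched path."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than fail the whole run
        if rec["path"] in probe_paths:
            hits[rec["host"]].append((rec["path"], rec["status"]))
    return dict(hits)


def likely_scanners(hits, min_distinct=2):
    """Hosts that requested at least `min_distinct` different watched paths.

    A single phf request may be a stray bookmark or a curious user; several
    distinct probe names from one host in one run is scanner behaviour.
    """
    return sorted(
        host for host, reqs in hits.items()
        if len({path for path, _ in reqs}) >= min_distinct
    )


if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for host, reqs in sorted(hits.items()):
        print(f"{host}: {len(reqs)} probe request(s)")
        for path, status in reqs:
            print(f"    {path} -> {status}")
    print("likely scanners:", ", ".join(likely_scanners(hits)) or "none")
```

Run it against a real log with `find_probes(open("/var/log/httpd-access.log").read())`; the 404 status is kept in the output on purpose, since a 200 on one of these paths would mean the script actually exists on your server and needs attention rather than just logging.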




