From owner-freebsd-security Sun Sep 20 16:53:02 1998
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA06961 for freebsd-security-outgoing; Sun, 20 Sep 1998 16:53:02 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from isr3277.urh.uiuc.edu (isr3277.urh.uiuc.edu [130.126.65.13]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA06934 for ; Sun, 20 Sep 1998 16:52:45 -0700 (PDT) (envelope-from ftobin@bigfoot.com)
Received: (qmail 3596 invoked by uid 1000); 20 Sep 1998 23:51:42 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 20 Sep 1998 23:51:42 -0000
Date: Sun, 20 Sep 1998 18:51:28 -0500 (CDT)
From: Frank Tobin 
X-Sender: ftobin@isr3277.urh.uiuc.edu
To: security@FreeBSD.ORG
Subject: Re: Bogus hits on our Web server
In-Reply-To: <199809202128.PAA11447@lariat.lariat.org>
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
...

This definitely looks like a search for holes on your website.  If you'll
notice in the apache access.conf file:

...
There have been reports of people trying to abuse an old bug from pre-1.1
days.  This bug involved a CGI script distributed as a part of Apache.
By uncommenting these lines you can redirect these attacks to a logging
script on phf.apache.org.  Or, you can record them yourself, using the
script support/phf_abuse_log.cgi.

    deny from all
    ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
...

The test-cgi and other 404 requests are obviously looking for some type of
hole, also.

This could be being done by SATAN (I don't know if it checks for http
holes), or some other blatant exploit.  You should check to see if there
have been other tcp-related attacks, by checking your logfiles for where
tcp-wrappers has recorded connection attempts from (and if you don't have
tcp-wrappers installed, I'd HIGHLY recommend looking into it).

- -- 
Frank Tobin                      "To learn what is good and what is to be
http://www.bigfoot.com/~ftobin    valued, those truths which cannot be
                                  shaken or changed."  Myst: The Book of Atrus

FreeBSD: The Power To Serve

PGP DH/DSS key ID: 0xF40EB65E
fingerprint: 1502 6E84 8C08 E828 7945 3F4A 02F8 503A F40E B65E

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBNgWG/QL4UDr0DrZeEQJZQQCdHnw+UWSMSRpB+q9Ys/jh0Xzom7sAn1pP
tD13a4DLkboJe1k7gtSP0Nt4
=rha0
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
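The check Frank describes above (spotting a CGI scanner from a burst of 404s against /cgi-bin/ in the Apache access log) can be automated. The following Python script is an added example written for this archive page; it is not code from the original message, from Apache, or from the phf_abuse_log.cgi script mentioned there. It parses Common Log Format lines, including the HTTP/0.9-style request lines without a version string that appear in the quoted log, and flags a client on either of two signals: a request for a path on a short list of CGI programs that 1990s scanners tried (the list is an assumption, not something the message gives), or several distinct 404'd /cgi-bin/ paths from one client inside a short window, which also catches probes for names not on the list. The sample log lines are constructed for the example, modelled on the three quoted lines plus invented benign and unlisted-probe traffic.

```python
"""Flag CGI-probe scans in an Apache access log (Common Log Format).

Added example: two signals are combined.
  1. a request for a path on a short list of CGI programs that 1990s
     scanners looked for (phf, test-cgi, ...), regardless of status code;
  2. a burst of distinct, failed (404) /cgi-bin/ requests from one client
     inside a short time window, which catches probes not on the list.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Assumed list (not from the original message) of /cgi-bin/ names that
# old CGI scanners commonly requested. Extend to taste.
KNOWN_PROBES = {
    "phf", "test-cgi", "nph-test-cgi", "handler", "count.cgi", "php.cgi",
    "webgais", "websendmail", "faxsurvey", "htmlscript", "view-source",
}

# Constructed sample input, modelled on the lines quoted in the message,
# plus invented benign traffic and a second prober using unlisted names.
SAMPLE_LOG = """\
62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
62.8.15.131 unknown - [20/Sep/1998:10:43:19 -0600] "GET /cgi-bin/nph-test-cgi" 404 -
10.0.0.7 - - [20/Sep/1998:10:44:01 -0600] "GET /index.html HTTP/1.0" 200 2326
10.0.0.7 - - [20/Sep/1998:10:44:02 -0600] "GET /images/logo.gif HTTP/1.0" 200 914
10.0.0.9 - - [20/Sep/1998:11:02:40 -0600] "GET /cgi-bin/phf HTTP/1.0" 404 -
192.0.2.44 - - [20/Sep/1998:12:15:00 -0600] "GET /cgi-bin/foo.cgi HTTP/1.0" 404 -
192.0.2.44 - - [20/Sep/1998:12:15:02 -0600] "GET /cgi-bin/bar.cgi HTTP/1.0" 404 -
192.0.2.44 - - [20/Sep/1998:12:15:05 -0600] "GET /cgi-bin/baz.cgi HTTP/1.0" 404 -
"""


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match.

    The request may be HTTP/0.9 style ("GET /cgi-bin/phf", no version), as
    in the quoted probes, or the usual "GET /path HTTP/1.0".
    """
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("request").split()
    if len(parts) < 2:
        return None
    return {
        "host": m.group("host"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": parts[0],
        "path": parts[1],
        "version": parts[2] if len(parts) > 2 else None,
        "status": int(m.group("status")),
    }


def is_known_probe(path):
    """True if path is /cgi-bin/<name> with <name> on the scanner list."""
    if not path.startswith("/cgi-bin/"):
        return False
    name = path[len("/cgi-bin/"):].split("?", 1)[0].rstrip("/")
    return name in KNOWN_PROBES


def analyze(log_text, min_distinct=3, window=timedelta(seconds=60)):
    """Return {host: {"probes": [...], "scan": bool}} for suspicious hosts.

    "probes" lists known probe paths the host requested; "scan" is True when
    the host produced >= min_distinct distinct 404'd /cgi-bin/ paths within
    `window`, whether or not the names are on the list.
    """
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec:
            by_host[rec["host"]].append(rec)

    report = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["time"])
        probes = sorted({r["path"] for r in recs if is_known_probe(r["path"])})
        failed_cgi = [r for r in recs
                      if r["status"] == 404 and r["path"].startswith("/cgi-bin/")]
        scan = False
        # Sliding window over the time-ordered 404'd /cgi-bin/ requests.
        for i, start in enumerate(failed_cgi):
            distinct = {r["path"] for r in failed_cgi[i:]
                        if r["time"] - start["time"] <= window}
            if len(distinct) >= min_distinct:
                scan = True
                break
        if probes or scan:
            report[host] = {"probes": probes, "scan": scan}
    return report


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_LOG).items():
        print(host, "scan" if info["scan"] else "single probe", info["probes"])
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents. The burst rule is what makes the script useful against scanners whose wordlist you do not have: 192.0.2.44 in the sample never requests a listed name, but three distinct 404s under /cgi-bin/ in five seconds still flag it, while 10.0.0.9, which requests phf once, is reported as a single probe rather than a scan. Treat the output as a starting point for the cross-check Frank suggests against tcp-wrappers logs, not as proof of anything on its own.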