Date: Tue, 2 Feb 1999 00:00:08 -0700 (MST) From: David G Andersen <danderse@cs.utah.edu> To: junkmale@xtra.co.nz Cc: freebsd-security@FreeBSD.ORG Subject: Re: what were these probes? Message-ID: <199902020700.AAA20881@lal.cs.utah.edu> In-Reply-To: <19990202055804.YRQY682101.mta1-rme@wocker> from "Dan Langille" at Feb 2, 99 06:58:07 pm
next in thread | previous in thread | raw e-mail | index | archive | help
Lo and behold, Dan Langille once said: > > Hi folks, > > Tonight I found these entries in my log files. What were they looking > for? Was this a spammer looking for exploits? I doubt it was a spammer. It was most likely a cracker (pick your favorite term for "a malicious jerk") or script kiddie looking for an exploit. Based on the timing, they were fairly obviously using an automated scanning tool to scan your system. You'll probably want to report this to the people who own ns.cvvm.com - it's fairly likely that their box has been hacked. 105 torrey:~> whois cvvm.com Registrant: Cowichan Valley Virtual Mall (CVVM-DOM) 103 - 2700 Beverly St Duncan, BC V9L5C7 CA Domain Name: CVVM.COM Administrative Contact: Goodliffe, M (MG2727) myke@ISLAND.NET 1-250-748-0818 Technical Contact, Zone Contact: Fraser, Tony (TF1661) frasert@ISLANDNET.COM 1-250-245-2984 Billing Contact: Goodliffe, M (MG2727) myke@ISLAND.NET 1-250-748-0818 That really happens to suck, since the box that was hacked (or harboring a malicious person) is their nameserver. The box appears to be offline right now - it won't answer nameservice queries, etc., so the owners probably know it was compromised, but sending them a note can't hurt. -Dave > > http: > > ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" > 404 164 > ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi > HTTP/1.0" 404 170 > ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi > HTTP/1.0" 404 169 > ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi > HTTP/1.0" 404 168 > ns.cvvm.com - - [02/Feb/1999:17:34:32 +1300] "GET /cgi-bin/handler > HTTP/1.0" 404 168 > ns.cvvm.com - - [02/Feb/1999:17:34:33 +1300] "GET /cgi-bin/webgais > HTTP/1.0" 404 168 > ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/websendmail > HTTP/1.0" 404 172 > ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/webdist.cgi > HTTP/1.0" 404 172 > ns.cvvm.com - - [02/Feb/1999:17:34:38 +1300] "GET /cgi-bin/faxsurvey > HTTP/1.0" 404 170 > ns.cvvm.com - - [02/Feb/1999:17:34:39 +1300] "GET /cgi-bin/htmlscript > HTTP/1.0" 404 171 > ns.cvvm.com - - [02/Feb/1999:17:34:40 +1300] "GET /cgi-bin/pfdisplay.cgi > HTTP/1.0" 404 174 > ns.cvvm.com - - [02/Feb/1999:17:34:41 +1300] "GET /cgi-bin/perl.exe > HTTP/1.0" 404 169 > ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl > HTTP/1.0" 404 172 > ns.cvvm.com - - [02/Feb/1999:17:34:47 +1300] "GET /cgi- > bin/ews/ews/architext_query.pl HTTP/1.0" 404 187 > ns.cvvm.com - - [02/Feb/1999:17:34:48 +1300] "GET /cgi-bin/jj HTTP/1.0" > 404 163 > > > telnet: > > Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com > Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com > > sendmail: > > Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from > root@ns.cvvm.com [139.142.106.131] > Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from > root@ns.cvvm.com [139.142.106.131] > > -- > Dan Langille > The FreeBSD Diary > http://www.FreeBSDDiary.com/freebsd > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- work: danderse@cs.utah.edu me: angio@pobox.com University of Utah http://www.angio.net/ Computer Science - Flux Research Group To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199902020700.AAA20881>