Date:      Tue, 2 Feb 1999 00:00:08 -0700 (MST)
From:      David G Andersen <danderse@cs.utah.edu>
To:        junkmale@xtra.co.nz
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: what were these probes?
Message-ID:  <199902020700.AAA20881@lal.cs.utah.edu>
In-Reply-To: <19990202055804.YRQY682101.mta1-rme@wocker> from "Dan Langille" at Feb 2, 99 06:58:07 pm

Lo and behold, Dan Langille once said:
> 
> Hi folks,
> 
> Tonight I found these entries in my log files.  What were they looking 
> for?  Was this a spammer looking for exploits?

   I doubt it was a spammer.  It was most likely a cracker (pick your
favorite term for "a malicious jerk") or script kiddie looking for an
exploit.  Based on the timing, they were fairly obviously using an
automated scanning tool to scan your system.

   You'll probably want to report this to the people who own ns.cvvm.com -
it's fairly likely that their box has been hacked.

105 torrey:~> whois cvvm.com

Registrant:
Cowichan Valley Virtual Mall (CVVM-DOM)
   103 - 2700 Beverly St
   Duncan, BC V9L5C7
   CA

   Domain Name: CVVM.COM

   Administrative Contact:
      Goodliffe, M  (MG2727)  myke@ISLAND.NET
      1-250-748-0818
   Technical Contact, Zone Contact:
      Fraser, Tony  (TF1661)  frasert@ISLANDNET.COM
      1-250-245-2984
   Billing Contact:
      Goodliffe, M  (MG2727)  myke@ISLAND.NET
      1-250-748-0818

  That really happens to suck, since the box that was hacked (or harboring
a malicious person) is their nameserver.  The box appears to be offline
right now - it won't answer nameservice queries, etc., so the owners
probably know it was compromised, but sending them a note can't hurt.

   -Dave

> 
> http:
> 
> ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164
> ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:32 +1300] "GET /cgi-bin/handler HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:33 +1300] "GET /cgi-bin/webgais HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/websendmail HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:38 +1300] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:39 +1300] "GET /cgi-bin/htmlscript HTTP/1.0" 404 171
> ns.cvvm.com - - [02/Feb/1999:17:34:40 +1300] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
> ns.cvvm.com - - [02/Feb/1999:17:34:41 +1300] "GET /cgi-bin/perl.exe HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:47 +1300] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
> ns.cvvm.com - - [02/Feb/1999:17:34:48 +1300] "GET /cgi-bin/jj HTTP/1.0" 404 163
> 
> 
> telnet:
> 
> Feb  2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
> Feb  2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com
> 
> sendmail:
> 
> Feb  2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
> Feb  2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
> 
> --
> Dan Langille
> The FreeBSD Diary
> http://www.FreeBSDDiary.com/freebsd
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 


-- 
work: danderse@cs.utah.edu                     me:  angio@pobox.com
      University of Utah                            http://www.angio.net/
      Computer Science - Flux Research Group

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


