From owner-freebsd-security Mon Feb 1 22:58:58 1999
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA22530 for freebsd-security-outgoing; Mon, 1 Feb 1999 22:58:58 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA22523 for ; Mon, 1 Feb 1999 22:58:56 -0800 (PST) (envelope-from danderse@cs.utah.edu)
Received: from lal.cs.utah.edu (lal.cs.utah.edu [155.99.195.65]) by wrath.cs.utah.edu (8.8.8/8.8.8) with ESMTP id XAA29402; Mon, 1 Feb 1999 23:58:55 -0700 (MST)
From: David G Andersen
Received: (from danderse@localhost) by lal.cs.utah.edu (8.8.8/8.8.8) id AAA20881; Tue, 2 Feb 1999 00:00:09 -0700 (MST)
Message-Id: <199902020700.AAA20881@lal.cs.utah.edu>
Subject: Re: what were these probes?
To: junkmale@xtra.co.nz
Date: Tue, 2 Feb 1999 00:00:08 -0700 (MST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <19990202055804.YRQY682101.mta1-rme@wocker> from "Dan Langille" at Feb 2, 99 06:58:07 pm
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lo and behold, Dan Langille once said:
> 
> Hi folks,
> 
> Tonight I found these entries in my log files. What were they looking
> for? Was this a spammer looking for exploits?

I doubt it was a spammer. It was most likely a cracker (pick your
favorite term for "a malicious jerk") or script kiddie looking for an
exploit. Based on the timing, they were fairly obviously using an
automated scanning tool to scan your system. You'll probably want to
report this to the people who own ns.cvvm.com - it's fairly likely that
their box has been hacked.

105 torrey:~> whois cvvm.com
Registrant:
Cowichan Valley Virtual Mall (CVVM-DOM)
   103 - 2700 Beverly St
   Duncan, BC V9L5C7
   CA

   Domain Name: CVVM.COM

   Administrative Contact:
      Goodliffe, M (MG2727)  myke@ISLAND.NET
      1-250-748-0818
   Technical Contact, Zone Contact:
      Fraser, Tony (TF1661)  frasert@ISLANDNET.COM
      1-250-245-2984
   Billing Contact:
      Goodliffe, M (MG2727)  myke@ISLAND.NET
      1-250-748-0818

That really happens to suck, since the box that was hacked (or harboring
a malicious person) is their nameserver. The box appears to be offline
right now - it won't answer nameservice queries, etc., so the owners
probably know it was compromised, but sending them a note can't hurt.

  -Dave

> 
> http:
> 
> ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164
> ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:32 +1300] "GET /cgi-bin/handler HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:33 +1300] "GET /cgi-bin/webgais HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/websendmail HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:38 +1300] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:39 +1300] "GET /cgi-bin/htmlscript HTTP/1.0" 404 171
> ns.cvvm.com - - [02/Feb/1999:17:34:40 +1300] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
> ns.cvvm.com - - [02/Feb/1999:17:34:41 +1300] "GET /cgi-bin/perl.exe HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:47 +1300] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
> ns.cvvm.com - - [02/Feb/1999:17:34:48 +1300] "GET /cgi-bin/jj HTTP/1.0" 404 163
> 
> 
> telnet:
> 
> Feb  2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
> Feb  2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com
> 
> sendmail:
> 
> Feb  2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
> Feb  2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
> 
> --
> Dan Langille
> The FreeBSD Diary
> http://www.FreeBSDDiary.com/freebsd
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

-- 
work: danderse@cs.utah.edu                    me:  angio@pobox.com
      University of Utah                      http://www.angio.net/
      Computer Science - Flux Research Group

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
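The timing pattern Dave points to (many distinct /cgi-bin/ paths from one host, all 404, within seconds) is easy to detect mechanically. The following is an added example, not code from the thread: a small detector over Apache common-log lines. The sample lines are constructed to mirror the quoted log; the host 10.0.0.5, the threshold and the window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format, as produced by the httpd in the quoted log.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse_line(line):
    """Return (host, timestamp, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("path"), int(m.group("status"))

def find_cgi_scanners(lines, threshold=5, window_s=60):
    """Map host -> sorted distinct /cgi-bin/ paths for every host that probed
    at least `threshold` distinct /cgi-bin/ paths, all answered 404, inside
    any `window_s`-second window. A lone 404 on a stale link is not flagged."""
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2].startswith("/cgi-bin/") and rec[3] == 404:
            per_host[rec[0]].append((rec[1], rec[2]))
    hits = {}
    for host, events in per_host.items():
        events.sort()                      # chronological order per host
        for i, (t0, _) in enumerate(events):
            in_window = {p for t, p in events[i:]
                         if (t - t0).total_seconds() <= window_s}
            if len(in_window) >= threshold:
                hits[host] = sorted(in_window)
                break
    return hits

# Constructed sample: six probes modelled on the quoted log, plus benign traffic.
SAMPLE_LOG = [
    'ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164',
    'ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170',
    'ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169',
    'ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168',
    'ns.cvvm.com - - [02/Feb/1999:17:34:32 +1300] "GET /cgi-bin/handler HTTP/1.0" 404 168',
    'ns.cvvm.com - - [02/Feb/1999:17:34:33 +1300] "GET /cgi-bin/webgais HTTP/1.0" 404 168',
    '10.0.0.5 - - [02/Feb/1999:17:35:00 +1300] "GET /index.html HTTP/1.0" 200 1024',
    '10.0.0.5 - - [02/Feb/1999:17:35:05 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170',
]

if __name__ == "__main__":
    for host, paths in find_cgi_scanners(SAMPLE_LOG).items():
        print(f"{host}: {len(paths)} distinct CGI probes, e.g. {paths[:3]}")
```

The same logic applied to the telnetd and sendmail lines (several "refused connect" / "Null connection" entries from one host in the same minute) gives a cross-service correlation that a single-service view misses.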