Date: Mon, 01 Feb 1999 23:23:24 -0800
To: junkmale@xtra.co.nz, freebsd-security@FreeBSD.ORG
From: Ludwig Pummer
Subject: Re: what were these probes?

At 09:58 PM 2/1/99 , Dan Langille wrote:
>Hi folks,
>
>Tonight I found these entries in my log files. What were they looking
>for? Was this a spammer looking for exploits?

It looks like it. Probably just some script kiddie. A lot of the holes being checked for have been publicly known for a while, so folks in charge of security have fixed them already (or at least, they should have).

>http:
>
>ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0"
>404 164

The Apache docs refer to a phf security hole in an early version.

>ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi
>HTTP/1.0" 404 168

The PHP docs warn that an improperly configured PHP can let web visitors read any world-readable file on your system.

>ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl
>HTTP/1.0" 404 172

There was a known security hole in one of the web-based message boards. Don't know if it was wwwboard.

>telnet:
>
>Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
>Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com

That looks like it's not legitimate.

>sendmail:
>
>Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from
>root@ns.cvvm.com [139.142.106.131]
>Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from
>root@ns.cvvm.com [139.142.106.131]

Ditto.

There's all sorts of jerks out there looking for some fun. I get at least one or two folks a night knocking on my POP3, IMAP, or NetBIOS ports.

--Ludwig Pummer ( ludwigp@bigfoot.com )
ICQ UIN: 692441 ( ludwigp@email.com )
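
An added example, not part of the original message or thread: a small Python correlator that groups the quoted web, telnetd and sendmail log lines by source host and flags a host that touches several services within a short window. The 60-second window, the probe-path set, the `year` argument, the shared local clock, and the `client.example.org` line are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First seven lines: log entries quoted in the message. Last line: constructed.
SAMPLE = [
    'ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164',
    'ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168',
    'ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172',
    'Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com',
    'Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com',
    'Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]',
    'Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]',
    'client.example.org - - [02/Feb/1999:17:40:02 +1300] "GET /index.html HTTP/1.0" 200 1024',
]
PROBE_PATHS = {'/cgi-bin/phf', '/cgi-bin/php.cgi', '/cgi-bin/wwwboard.pl'}  # paths from the message
HTTP = re.compile(r'^(\S+) \S+ \S+ \[(\S+) [^\]]+\] "\S+ (\S+)[^"]*" \d{3} ')
SYSLOG = re.compile(r'^(\w{3}\s+\d+ [\d:]{8}) \S+ (\w+)\[\d+\]: (.*)$')
SRC = re.compile(r'(?:refused connect from|Null connection from) (?:\S+@)?(\S+)')

def parse(line, year=1999):  # syslog has no year; both logs assumed on one local clock
    """Return (source, time, service) for a probe-like line, else None."""
    m = HTTP.match(line)
    if m:
        host, ts, path = m.groups()
        when = datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S')
        return (host, when, 'http') if path in PROBE_PATHS else None
    m = SYSLOG.match(line)
    s = SRC.search(m.group(3)) if m else None
    if not s:
        return None
    return s.group(1), datetime.strptime(f'{year} {m.group(1)}', '%Y %b %d %H:%M:%S'), m.group(2)

def sweeps(lines, window=timedelta(seconds=60), min_services=2):
    """Report sources that touched min_services distinct services within one window."""
    by_src = defaultdict(list)
    for src, when, service in filter(None, map(parse, lines)):
        by_src[src].append((when, service))
    report = {}
    for src, evs in by_src.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - start <= window]
            services = sorted({svc for _, svc in burst})
            if len(services) >= min_services:
                report[src] = {'services': services, 'events': len(burst)}
                break
    return report

print(sweeps(SAMPLE))
```

A single request for one of these paths is common background noise; the same source hitting web, telnet and SMTP within seconds is what marks a scripted sweep.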