From owner-freebsd-security Tue Feb 2 02:27:04 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA21342 for freebsd-security-outgoing; Tue, 2 Feb 1999 02:27:04 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns.digital-canvas.com (ns.digital-canvas.com [210.161.219.162]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA21336 for ; Tue, 2 Feb 1999 02:27:01 -0800 (PST) (envelope-from daniel@digital-canvas.com)
Received: from basecamp (ppp965.kt.rim.or.jp [202.247.132.165]) by ns.digital-canvas.com (8.9.1/3.7W) with SMTP id TAA09988; Tue, 2 Feb 1999 19:22:36 +0900 (JST)
Message-ID: <003901be4e95$c2c58210$1400a8c0@basecamp.digital-canvas.com>
Reply-To: "Daniel Minoru Saito"
From: "Daniel Minoru Saito"
To: "David G Andersen" ,
Cc:
Subject: Re: what were these probes?
Date: Tue, 2 Feb 1999 19:21:11 +0900
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Wait.. look where it's originating out of.. from the nameserver. I bet ya
that ns.cvvm.com was hacked using the DNS exploit. From there the attack
originated on.. So it would be in the best interest to say to the
administrator of cvvm.com to do a security check.

Daniel Saito

-----Original Message-----
From: David G Andersen
Subject: Re: what were these probes?

>Lo and behold, Dan Langille once said:
>>
>> Hi folks,
>>
>> Tonight I found these entries in my log files. What were they looking
>> for? Was this a spammer looking for exploits?
>
> I doubt it was a spammer. It was most likely a cracker (pick your
>favorite term for "a malicious jerk") or script kiddie looking for an
>exploit. Based on the timing, they were fairly obviously using an
>automated scanning tool to scan your system.
>
> You'll probably want to report this to the people who own ns.cvvm.com -
>it's fairly likely that their box has been hacked.
>
>105 torrey:~> whois cvvm.com
>
>Registrant:
>Cowichan Valley Virtual Mall (CVVM-DOM)
> 103 - 2700 Beverly St
> Duncan, BC V9L5C7
> CA
>
> Domain Name: CVVM.COM
>
> Administrative Contact:
> Goodliffe, M (MG2727) myke@ISLAND.NET
> 1-250-748-0818
> Technical Contact, Zone Contact:
> Fraser, Tony (TF1661) frasert@ISLANDNET.COM
> 1-250-245-2984
> Billing Contact:
> Goodliffe, M (MG2727) myke@ISLAND.NET
> 1-250-748-0818
>
>
> That really happens to suck, since the box that was hacked (or harboring
>a malicious person) is their nameserver. The box appears to be offline
>right now - it won't answer nameservice queries, etc., so the owners
>probably know it was compromised, but sending them a note can't hurt.
>
> -Dave
>
>>
>> http:
>>
>> ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164
>> ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
>> ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
>> ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168
>> ns.cvvm.com - - [02/Feb/1999:17:34:32 +1300] "GET /cgi-bin/handler HTTP/1.0" 404 168
>> ns.cvvm.com - - [02/Feb/1999:17:34:33 +1300] "GET /cgi-bin/webgais HTTP/1.0" 404 168
>> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/websendmail HTTP/1.0" 404 172
>> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
>> ns.cvvm.com - - [02/Feb/1999:17:34:38 +1300] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
>> ns.cvvm.com - - [02/Feb/1999:17:34:39 +1300] "GET /cgi-bin/htmlscript HTTP/1.0" 404 171
>> ns.cvvm.com - - [02/Feb/1999:17:34:40 +1300] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
>> ns.cvvm.com - - [02/Feb/1999:17:34:41 +1300] "GET /cgi-bin/perl.exe HTTP/1.0" 404 169
>> ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
>> ns.cvvm.com - - [02/Feb/1999:17:34:47 +1300] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
>> ns.cvvm.com - - [02/Feb/1999:17:34:48 +1300] "GET /cgi-bin/jj HTTP/1.0" 404 163
>>
>>
>> telnet:
>>
>> Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
>> Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com
>>
>> sendmail:
>>
>> Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
>> Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from root@ns.cvvm.com [139.142.106.131]
>>
>> --
>> Dan Langille
>> The FreeBSD Diary
>> http://www.FreeBSDDiary.com/freebsd
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-security" in the body of the message
>>
>
>
>--
>work: danderse@cs.utah.edu me: angio@pobox.com
> University of Utah http://www.angio.net/
> Computer Science - Flux Research Group
>
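The point David makes about timing (fifteen different /cgi-bin/ paths, all answered 404, in twenty seconds from one host) is easy to turn into a log check. The script below is an added example for this archive page, not code from the thread or from FreeBSD: it parses NCSA common-log-format lines like the ones Dan quoted, groups /cgi-bin/ requests per client host, and flags any host that asks for many distinct /cgi-bin/ paths inside a short window with nearly all of them returning 404. The ns.cvvm.com sample lines are the ones quoted above with the email wrapping removed; the two client.example lines are constructed benign traffic; the function names `parse_line` and `find_cgi_scanners` and the window and ratio thresholds are my own choices for illustration.

```python
"""Added example, not part of the thread: flag an automated CGI probe in
NCSA common-log-format lines by the number of distinct /cgi-bin/ paths one
host requests within a short window and the share of them answered 404.
Thresholds are assumptions chosen for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# NCSA common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# ns.cvvm.com lines are the ones quoted in the thread (wrapping removed);
# the client.example lines are constructed benign traffic.
SAMPLE_LOG = """\
ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0" 404 164
ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168
ns.cvvm.com - - [02/Feb/1999:17:34:32 +1300] "GET /cgi-bin/handler HTTP/1.0" 404 168
ns.cvvm.com - - [02/Feb/1999:17:34:33 +1300] "GET /cgi-bin/webgais HTTP/1.0" 404 168
ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/websendmail HTTP/1.0" 404 172
ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
ns.cvvm.com - - [02/Feb/1999:17:34:38 +1300] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
ns.cvvm.com - - [02/Feb/1999:17:34:39 +1300] "GET /cgi-bin/htmlscript HTTP/1.0" 404 171
ns.cvvm.com - - [02/Feb/1999:17:34:40 +1300] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
ns.cvvm.com - - [02/Feb/1999:17:34:41 +1300] "GET /cgi-bin/perl.exe HTTP/1.0" 404 169
ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
ns.cvvm.com - - [02/Feb/1999:17:34:47 +1300] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
ns.cvvm.com - - [02/Feb/1999:17:34:48 +1300] "GET /cgi-bin/jj HTTP/1.0" 404 163
client.example - - [02/Feb/1999:17:40:02 +1300] "GET /cgi-bin/Count.cgi HTTP/1.0" 200 512
client.example - - [02/Feb/1999:17:40:03 +1300] "GET /index.html HTTP/1.0" 200 2048
"""


def parse_line(line):
    """Return a dict for one well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)  # aware datetime
    rec["status"] = int(rec["status"])
    return rec


def find_cgi_scanners(lines, window_s=60, min_paths=5, min_404_ratio=0.8):
    """Return {host: summary} for hosts whose /cgi-bin/ requests inside some
    window_s-second window cover at least min_paths distinct paths, with at
    least min_404_ratio of them answered 404. The widest window wins."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["path"].startswith("/cgi-bin/"):
            by_host[rec["host"]].append(rec)

    hits = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until the span fits in window_s
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            paths = {r["path"] for r in window}
            if len(paths) < min_paths:
                continue
            not_found = sum(1 for r in window if r["status"] == 404)
            if not_found / len(window) < min_404_ratio:
                continue
            summary = {
                "requests": len(window),
                "distinct_paths": len(paths),
                "span_seconds": (window[-1]["ts"] - window[0]["ts"]).total_seconds(),
                "first": window[0]["ts"].isoformat(),
                "last": window[-1]["ts"].isoformat(),
            }
            if host not in hits or summary["distinct_paths"] > hits[host]["distinct_paths"]:
                hits[host] = summary
    return hits


if __name__ == "__main__":
    for host, s in find_cgi_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {s['distinct_paths']} distinct /cgi-bin/ paths, "
              f"{s['requests']} requests in {s['span_seconds']:.0f}s "
              f"({s['first']} .. {s['last']})")
```

Run against the sample it reports ns.cvvm.com only (15 distinct paths, 15 requests, 20 seconds); the single Count.cgi hit from client.example never reaches the path threshold. Shrinking the window to a couple of seconds makes the same data fall below five distinct paths, which is the usual tuning trade-off: a wider window catches slower scanners at the cost of lumping unrelated 404s together.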