Subject: Re: Mail and web server attack
From: Duane Dunston (pdunston PFEIFFER.EDU)
Date: Tue Mar 14 2000 - 07:54:32 CST
- Next message: Boris Badenov: "TCP port 3218"
- Previous message: Stephen P. Berry: "Munged Napster Sessions"
- In reply to: Tomas : "Mail and web server attack"
- Reply: Duane Dunston: "Re: Mail and web server attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> I recently detected several sloppy intrusion attempts on my
> web and mail server. The attempts originated from ip
> 209.161.238.144, 207.226.241.155, and 208.184.216.202.
> Logins were attempted via telnet, pop3 and imap (command
> stream overflow for the last two). Additionally, the PHF.CGI
> exploit was attempted followed by the scripts TEST.CGI and
> HANDLER.CGI.
Tomas,
Since all of those services have well-known exploits, it
seems that someone or a group of people were trying some basic
attacks to gain access to your system. They may have done it
manually or run a scanner like SATAN or NESSUS to see what
kind of vulnerabilities your system has. The same for the
*.cgi scripts. They all have known security problems. In
particular the test.cgi script that comes by default with
apache can give an attacker information about your system
environment. You read quite often how over 90% of all
compromises are a result of well-known security holes.
Looks like you've taken care of them though.
With metta,
Duane
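
An added example, not part of the original message: a log check that separates probes for the CGI scripts named in this thread into scripts that answered (and so are still installed) and scripts that were absent. It assumes Apache Common Log Format and that the scripts sit under /cgi-bin/; the log lines are constructed and use documentation address ranges.

```python
import re
from collections import defaultdict

# Script names taken from the thread; matching "name", "name.cgi" and
# "name-cgi" under /cgi-bin/ is an assumption about the request paths.
PROBE_RE = re.compile(r"^/cgi-bin/(phf|test|handler)(?:[.-]cgi)?(?:[/?]|$)", re.I)

# Common Log Format: host ident user [time] "METHOD path PROTO" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [14/Mar/2000:07:01:02 -0600] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 210
192.0.2.10 - - [14/Mar/2000:07:01:03 -0600] "GET /cgi-bin/test-cgi HTTP/1.0" 200 512
192.0.2.10 - - [14/Mar/2000:07:01:04 -0600] "GET /cgi-bin/handler HTTP/1.0" 404 210
198.51.100.7 - - [14/Mar/2000:07:05:00 -0600] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [14/Mar/2000:07:05:09 -0600] "GET /cgi-bin/testimonials.cgi HTTP/1.0" 200 88
203.0.113.5 - - [14/Mar/2000:07:09:30 -0600] "GET /CGI-BIN/PHF HTTP/1.0" 404 210
garbage line that is not CLF
"""


def find_cgi_probes(log_text):
    """Return {client: {"present": [...], "absent": [...]}} for probed scripts."""
    report = defaultdict(lambda: {"present": [], "absent": []})
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not Common Log Format
        hit = PROBE_RE.match(m["path"])
        if not hit:
            continue  # ordinary request, e.g. testimonials.cgi
        script = hit.group(1).lower()
        # A 2xx answer means the script exists and ran, so it should be
        # removed; any other status was a probe for a script not installed.
        bucket = "present" if m["status"].startswith("2") else "absent"
        report[m["host"]][bucket].append(script)
    return dict(report)


if __name__ == "__main__":
    for host, found in sorted(find_cgi_probes(SAMPLE_LOG).items()):
        print(host, "present:", found["present"], "absent:", found["absent"])
```

A client that requests several of these names within seconds is most likely running a scanner; any entry under "present" points at a default script still on the server.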