|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Re: Scans from udel.edu and tue.nl
From: Alexandru Popa (razor
LDC.RO)Date: Wed Mar 22 2000 - 05:52:56 CST
- Next message: slamTHEGRID.NET: "Linux Security"
- Previous message: Ron Gula: "Re: Looking for program to analyze logs (CMDS from ODS)"
- In reply to: Jose Nazario: "Scans from udel.edu and tue.nl"
- Next in thread: Jose Nazario: "Re: Scans from udel.edu and tue.nl"
- Reply: Alexandru Popa: "Re: Scans from udel.edu and tue.nl"
- Reply: Ryan Russell: "Re: Scans from udel.edu and tue.nl"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Tue, 21 Mar 2000, Jose Nazario wrote:
> Hi,
>
> [Local hostnames have been munged, outside addresses are real]
>
> I wanted to write a quick note to you guys about two sets of web scans we
> have seen on the CWRU campus these past few days. The first is from the
> University of Delaware, with some classic cgi-bin attempts:
>
> strauss.udel.edu - - [19/Mar/2000:11:41:23 -0500] "GET
> /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%20-a;id;w;echo%20{_end-counterfiglet_};echo
> HTTP/1.0" 404 301
> strauss.udel.edu - - [19/Mar/2000:21:44:53 -0500] "POST /cgi-bin/test-cgi
> HTTP/1.0" 404 210
> strauss.udel.edu - - [20/Mar/2000:18:47:53 -0500] "POST /cgi-bin/perl
> HTTP/1.0" 404 206
> strauss.udel.edu - - [21/Mar/2000:00:31:37 -0500] "POST /cgi-bin/sh
> HTTP/1.0" 404 204
> strauss.udel.edu - - [21/Mar/2000:01:16:06 -0500] "GET
> /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E
> HTTP/1.0" 404 207
Confirmed, seen here on March 21, 06:23 GMT, from same source
Also, can anyone explain what exactly they've been trying to exploit by
the percent-full string? It translates to
/cgi-bin/query?x=<!--#exec cmd="/usr/bin/id"-->
[snip]
> Mar 19 09:23:25 4C:workstation rexecd[14897]: refused connect from
> svstud.win.tue.nl
>
Seen here too, March 19, 6 full network sweeps, at (EET, NTP stratum 3):
07:14:39
09:08:23
11:47:26
12:57:40
13:00:03
16:42:41
> Both were campus wide probes for web access via cgi-bin and rexecd access
> (port 512/TCP).
>
> It's likely that other readers have seen these problems as well.
>
> jose nazario josebiochemistry.cwru.edu
> PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
>
------------+------------------------------------------
Alex Popa, |There never was a good war or a bad peace
razorldc.ro| -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
- Next message: slamTHEGRID.NET: "Linux Security"
- Previous message: Ron Gula: "Re: Looking for program to analyze logs (CMDS from ODS)"
- In reply to: Jose Nazario: "Scans from udel.edu and tue.nl"
- Next in thread: Jose Nazario: "Re: Scans from udel.edu and tue.nl"
- Reply: Alexandru Popa: "Re: Scans from udel.edu and tue.nl"
- Reply: Ryan Russell: "Re: Scans from udel.edu and tue.nl"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]