epadinWAGWEB.COM

• Next message: Granquist, Lamont: "Re: Syn and Fin in different packets together"
• Previous message: Chris Adams: "Re: FTP connection attempts"
• Maybe in reply to: Jose Nazario: "Scans from udel.edu and tue.nl"
• Maybe reply: Ed Padin: "Re: Scans from udel.edu and tue.nl"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I got this one also and wrote to Gunnar.PfeilRZ.Uni-Jena.DE as listed in
the ripe.net whois listing. They actually responded and told me that they
were investigating it.

>-----Original Message-----
>From: Matthew S. Hallacy [mailto:mhallacyMERCURY.XTRATYME.COM]
>Sent: Wednesday, March 22, 2000 10:41 PM
>To: INCIDENTSSECURITYFOCUS.COM
>Subject: Re: Scans from udel.edu and tue.nl
>
>
>[largish snip]
>>
>> It's likely that other readers have seen these problems as well.
>
>Yes actually, all of our webservers (on different /24's, i might add)
>recieved this scan:
>
>fsuj83.rz.uni-jena.de - - [16/Mar/2000:20:10:56 -0600] "POST
>/cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 205
>
>of course, it wasnt there, but it still set off a few alarms =)
>
>(isp was unresponsive, of course, if anyone has a good contact i'd
>appreciate it)
>
>As for that udel machine, I remember a guy a used to know on IRC who
>always used it, but he got raided by the FBI last June I
>believe in that
>big gH thing though =P
>
>>
>> jose nazario
>josebiochemistry.cwru.edu
>> PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
>> Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
>>
>

• Next message: Granquist, Lamont: "Re: Syn and Fin in different packets together"
• Previous message: Chris Adams: "Re: FTP connection attempts"
• Maybe in reply to: Jose Nazario: "Scans from udel.edu and tue.nl"
• Maybe reply: Ed Padin: "Re: Scans from udel.edu and tue.nl"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]