Subject: Re: CGI scans from Strauss.udel.edu -- They're back
From: Matthew S. Hallacy (mhallacy@MERCURY.XTRATYME.COM)
Date: Mon Apr 17 2000 - 00:33:32 CDT


Well,

Interesting ports on strauss.udel.edu (128.175.13.74):
Port    State     Protocol  Service
21      open      tcp       ftp
22      open      tcp       ssh
23      open      tcp       telnet
25      open      tcp       smtp
53      open      tcp       domain
79      open      tcp       finger
111     open      tcp       sunrpc
113     open      tcp       auth
137     filtered  tcp       netbios-ns
138     filtered  tcp       netbios-dgm
139     filtered  tcp       netbios-ssn
512     open      tcp       exec
513     open      tcp       login
514     open      tcp       shell
604     open      tcp       unknown
607     open      tcp       nqs
608     open      tcp       sift-uft
660     open      tcp       unknown
666     open      tcp       doom
4045    open      tcp       lockd
7100    open      tcp       font-service

although bind and sendmail seem to be up to date, they're running ssh
1.2.27, wu-ftpd 6.0, no anon ftp.

I'm really quite sick of seeing this host turn up in probes all over the
place.

Apparently it *is* a multi-user machine; it's also the backup MX for
udel.edu:

[root@sol /root]# host -t mx udel.edu
udel.edu mail is handled (pri=10) by copland.udel.edu
udel.edu mail is handled (pri=20) by strauss.udel.edu

which means they've likely got tons of user accounts, with bad passwords.

On Sat, 15 Apr 2000, Jose Nazario wrote:

> Hi all,
>
> Last month I reported some campus wide probes by the machine
> strauss.udel.edu to our domain (cwru.edu), and many other domains turned
> up as being hit. A few messages back and forth and things were, we hoped,
> cleared up.
>
> It looks like their problem has returned. This is from my logs the other
> day:
>
> From a web server:
>
> strauss.udel.edu - - [13/Apr/2000:00:24:43 -0400] "GET
> /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0" 404 256
>
> From a workstation:
>
> [13/Apr/1999:00:15:11] config: for host strauss.udel.edu trying to GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}");, check-acl reports: ACL name httpd-nameserver-WRITE not defined
>
> A memo was sent on Thursday, but no response has yet been received. I know
> at least one other site admin has contacted me with the same scan, so it
> will most likely be widespread.
>
> I'd like to know what function strauss.udel.edu serves. Is it a general
> udel.edu campus web proxy? By cutting it off at the border will I cut off
> every legitimate user, too, from udel.edu?
>
> Thanks,
>
> jose nazario jose@biochemistry.cwru.edu
> PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
>
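Added example (editor's code, not from either poster or from any udel.edu or cwru.edu system): a small Python triage helper that does the two things this thread does by hand. It parses access-log lines in the format Jose quoted and flags the probe by the `system(` / `$ENV{` markers in the request path, and it parses a port table like the nmap listing in Matthew's reply and calls out the legacy services (telnet, finger, the r-services, RPC) that make a shared multi-user host a likely compromise candidate. The log lines and port rows below are constructed for the example, modelled on the ones in the thread; the indicator list and the service table are assumptions chosen for illustration, not a standard signature set.

```python
import re
from urllib.parse import unquote

# ---- Part 1: spot command-injection probes in a web access log -------------

# Common-log-format prefix: client ident user [timestamp] "METHOD PATH PROTO" status bytes
ACCESS_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings that have no business in an ordinary request path. This list is
# an assumption for the example (it is not a vendor signature set); the first
# two are exactly what the probe quoted in the thread relies on.
INJECTION_INDICATORS = (
    "system(",   # Perl/shell command execution inside a CGI argument
    "$ENV{",     # Perl environment lookup: the command rides in a request header
    "exec(",
    "`",
    "|",
)

# Constructed sample log: the quoted probe plus two benign requests.
SAMPLE_ACCESS_LOG = [
    'strauss.udel.edu - - [13/Apr/2000:00:24:43 -0400] "GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0" 404 256',
    '10.0.0.5 - - [13/Apr/2000:00:25:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [13/Apr/2000:00:26:12 -0400] "GET /cgi-bin/counter?page=home HTTP/1.0" 200 512',
]


def parse_access_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = ACCESS_LINE.match(line)
    return m.groupdict() if m else None


def injection_indicators(path):
    """Return the indicators present in a request path, checked after URL-decoding."""
    decoded = unquote(path)
    return [ind for ind in INJECTION_INDICATORS if ind in decoded]


def flag_probes(lines):
    """Return (host, timestamp, path, indicators) for each line that looks like an injection probe."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        found = injection_indicators(rec["path"])
        if found:
            hits.append((rec["host"], rec["ts"], rec["path"], found))
    return hits


# ---- Part 2: flag legacy listeners in a port table like the nmap listing ---

PORT_LINE = re.compile(r'^(?P<port>\d+)\s+(?P<state>\w+)\s+(?P<proto>\w+)\s+(?P<service>\S+)')

# Services that send credentials in the clear, trust the client's claimed
# identity, or expose RPC to the whole internet (assumed table for the example).
LEGACY_SERVICES = {
    "telnet": "cleartext login",
    "ftp": "cleartext login",
    "finger": "enumerates user accounts",
    "exec": "rexec: cleartext password",
    "login": "rlogin: host-based trust",
    "shell": "rsh: host-based trust",
    "sunrpc": "portmapper reachable from the internet",
    "lockd": "RPC service reachable from the internet",
}

# Constructed subset of the port table from the thread, header line included.
SAMPLE_PORT_TABLE = """\
Port    State     Protocol  Service
21      open      tcp       ftp
22      open      tcp       ssh
23      open      tcp       telnet
25      open      tcp       smtp
79      open      tcp       finger
111     open      tcp       sunrpc
137     filtered  tcp       netbios-ns
512     open      tcp       exec
513     open      tcp       login
514     open      tcp       shell
4045    open      tcp       lockd
"""


def parse_port_table(text):
    """Parse 'port state proto service' rows; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "port": int(m["port"])})
    return rows


def legacy_listeners(text):
    """Return (port, service, reason) for every open port that runs a legacy service."""
    return [(r["port"], r["service"], LEGACY_SERVICES[r["service"]])
            for r in parse_port_table(text)
            if r["state"] == "open" and r["service"] in LEGACY_SERVICES]


if __name__ == "__main__":
    for host, ts, path, found in flag_probes(SAMPLE_ACCESS_LOG):
        print(f"probe from {host} at {ts}: {found} in {path}")
    for port, svc, why in legacy_listeners(SAMPLE_PORT_TABLE):
        print(f"port {port}/tcp {svc}: {why}")
```

Run it as a script to see the one probe line and the eight legacy listeners; in practice you would feed `flag_probes` the lines of a real access log and `legacy_listeners` the grepable output of your own scanner. The indicator check runs on the URL-decoded path so that a `%24ENV%7B`-encoded variant of the same probe is caught too.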