From: Len Sassaman (rabbi@QUICKIE.NET)
Date: Wed May 09 2001 - 18:41:19 CDT


    I sent the following email to several CNET contacts last week regarding
    attempts to obtain one of my server's /etc/passwd file. I got no response
    from CNET, and I am curious to know if anyone else is being probed in this
    way.

    --Len.

    ---------- Forwarded message ----------
    Date: Thu, 3 May 2001 12:42:45 -0700 (PDT)
    From: abuse@deor.org
    To: hostmaster@cnet.com, domain-admin@cnet.com
    Cc: sashap@cnet.com

    Dear CNET Admins,

    It appears that a user on your network is attempting to exploit a
    vulnerability in HTTP-to-finger gateways. I discovered, in the below
    quoted logs, what looks to be an attempt to get our webserver to execute
    local commands and print the output to the web page. (Your user searched
    google.com for the finger.pl script, then attempted to view our passwd
    file and directory listings, ostensibly so that he could crack legitimate
    users' passwords and gain shell access to the system).

    While this individual was not successful in his attempt on our system, he
    may be doing this to other systems as well.

    Please let me know what action you are taking to prevent this from
    occurring in the future. Also, please preserve all logs, IP assignments,
    and other data you have pertaining to this incident while it is being
    investigated. I would appreciate a response today, if possible.

    Thank you,

    Len Sassaman

    86-241.cnet.com - - [02/May/2001:17:15:11 -0700] "GET /cgi-bin/finger.pl?rabbi HTTP/1.1" 200 37040 "http://www.google.com/search?as_q=&num=10&btnG=Google+Search&as_epq=finger.pl&as_oq=&as_eq=&as_occt=url&lr=&as_dt=i&as_sitesearch=&safe=off" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    86-241.cnet.com - - [02/May/2001:17:15:23 -0700] "GET /cgi-bin/finger.pl? HTTP/1.1" 200 357 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    86-241.cnet.com - - [02/May/2001:17:15:40 -0700] "GET /cgi-bin/finger.pl?|cat</etc/passwd HTTP/1.1" 200 189 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    86-241.cnet.com - - [02/May/2001:17:15:47 -0700] "GET /cgi-bin/finger.pl?;cat</etc/passwd HTTP/1.1" 200 189 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    86-241.cnet.com - - [02/May/2001:17:15:56 -0700] "GET /cgi-bin/finger.pl?|ls HTTP/1.1" 200 176 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    86-241.cnet.com - - [02/May/2001:17:16:10 -0700] "GET /cgi-bin/finger.pl?userhost HTTP/1.1" 200 140 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
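The probe pattern in the logs above (a search-engine referer naming the gateway script, followed by shell metacharacters in the finger query) can be picked out of an Apache access log automatically. The following detector is an added example, not code from the original post; the sample log lines are constructed to resemble the quoted ones, with the client host replaced by a placeholder, and the `%3B` variant assumes the client percent-encodes the metacharacter.

```python
"""Flag requests that push shell metacharacters through a finger CGI
gateway, parsing Apache 'combined' log lines (added example)."""
import re
from urllib.parse import unquote

# host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A finger gateway takes one username; any of these means the query is
# trying to escape into the shell that the CGI hands the argument to.
META = re.compile(r'[|;&`$<>()\n]')
GATEWAY = "/cgi-bin/finger.pl"

# Constructed sample lines modelled on the report (host is a placeholder).
SAMPLE = [
    'client.example.net - - [02/May/2001:17:15:11 -0700] "GET /cgi-bin/finger.pl?rabbi HTTP/1.1" 200 37040 "http://www.google.com/search?as_epq=finger.pl" "Mozilla/4.0"',
    'client.example.net - - [02/May/2001:17:15:40 -0700] "GET /cgi-bin/finger.pl?|cat</etc/passwd HTTP/1.1" 200 189 "-" "Mozilla/4.0"',
    'client.example.net - - [02/May/2001:17:16:10 -0700] "GET /cgi-bin/finger.pl?%3Bls HTTP/1.1" 200 176 "-" "Mozilla/4.0"',
    'client.example.net - - [02/May/2001:17:16:20 -0700] "GET /index.html HTTP/1.1" 200 140 "-" "Mozilla/4.0"',
]

def parse(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious(entry):
    """Return a reason string for a gateway injection attempt or for
    reconnaissance that led to the gateway, else None."""
    parts = entry["request"].split(" ")
    if len(parts) < 2:
        return None
    path, _, query = parts[1].partition("?")
    query = unquote(query)  # decode %-escaped metacharacters before checking
    if path != GATEWAY:
        return None
    if META.search(query):
        return f"shell metacharacter in finger query: {query!r}"
    if "finger.pl" in unquote(entry["referer"]):
        return "arrived via a web search for the gateway script"
    return None

def scan(lines):
    """Yield (host, time, reason) for every suspicious line."""
    for line in lines:
        e = parse(line)
        if e and (reason := suspicious(e)):
            yield e["host"], e["time"], reason

if __name__ == "__main__":
    for host, when, reason in scan(SAMPLE):
        print(f"{when} {host}: {reason}")
```

The real fix is in the gateway itself: pass the username to finger as a separate argv element (never through a shell) and reject anything that is not a plain account name.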