Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1996/07/16 17:03:30 UTC

Security probe

I'm forwarding this to Apache since I think it will be of
general interest. This was originally posted by me to the
robot-alert list that Rob Hartill, Brian Gough and I have
recently started.


------- Forwarded Message

Return-Path: robot-alert-request@zyzzyva.com
Received: (from lists@localhost) by sierra.zyzzyva.com (8.7.5/8.6.11) id OAA20125; Tue, 16 Jul 1996 14:56:28 GMT
Resent-Date: Tue, 16 Jul 1996 14:56:28 GMT
Message-Id: <19...@sierra.zyzzyva.com>
To: robot-alert@zyzzyva.com
Subject: Security: CGI probe from sentry.wood.com
X-uri: http://www.zyzzyva.com/
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 16 Jul 1996 09:56:24 -0500
From: Randy Terbush <ra...@zyzzyva.com>
Resent-Message-ID: <"Y...@sierra>
Resent-From: robot-alert@zyzzyva.com
Reply-To: robot-alert@zyzzyva.com
X-Mailing-List: <ro...@zyzzyva.com> archive/latest/18
X-Loop: robot-alert@zyzzyva.com
Precedence: list
Resent-Sender: robot-alert-request@zyzzyva.com

While this is not necessarily a robot issue, I think it will be
of interest to this list.  I had the following probes on a number
of our servers. Malicious intent? You be the judge.


First the accesses:

vh_behlen.com/access_log-behlen.com:sentry.wood.com - - [14/Jul/1996:22:43:17 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_cdmasters.com/access_log-cdmasters.com:sentry.wood.com - - [15/Jul/1996:00:26:34 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_cybercrafters.com/access_log-cybercrafters.com:sentry.wood.com - - [15/Jul/1996:10:25:47 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_figureart.com/access_log-figureart.com:sentry.wood.com - - [15/Jul/1996:03:18:35 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_funku.com/access_log-funku.com:sentry.wood.com - - [15/Jul/1996:07:42:14 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_fway.com/access_log-fway.com:sentry.wood.com - - [15/Jul/1996:10:45:34 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_innovativ.com/access_log-innovativ.com:sentry.wood.com - - [15/Jul/1996:04:58:18 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_insvideo.com/access_log-insvideo.com:sentry.wood.com - - [15/Jul/1996:09:22:49 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_northdallas.com/access_log-northdallas.com:sentry.wood.com - - [15/Jul/1996:07:27:53 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_remax-central.com/access_log-remax-central.com:sentry.wood.com - - [15/Jul/1996:02:34:43 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_resch.com/access_log-resch.com:sentry.wood.com - - [15/Jul/1996:06:39:16 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_sportdoc.com/access_log-sportdoc.com:sentry.wood.com - - [15/Jul/1996:04:07:04 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_bee.org/access_log-bee.org:sentry.wood.com - - [15/Jul/1996:03:45:50 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_doesgodexist.org/access_log-doesgodexist.org:sentry.wood.com - - [15/Jul/1996:05:01:23 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_groundwater.org/access_log-groundwater.org:sentry.wood.com - - [15/Jul/1996:05:54:09 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_ncite.org/access_log-ncite.org:sentry.wood.com - - [15/Jul/1996:05:04:38 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419
vh_nebmed.org/access_log-nebmed.org:sentry.wood.com - - [15/Jul/1996:05:32:50 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419


And the errors:

[Mon Jul 15 05:54:09 1996] access to /docroot/global/groundwater.org/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 02:02:55 1996] access to /docroot/global/infotravel.com/cgi-bin/phf failed for 204.253.173.9, reason: File does not exist
[Mon Jul 15 04:58:18 1996] access to /docroot/global/innovativ.com/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 05:04:38 1996] access to /docroot/global/ncite.org/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 02:34:43 1996] access to /docroot/global/remax-central.com/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 04:07:04 1996] access to /docroot/global/sportdoc.com/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 10:45:34 1996] access to /docroot/global/fway.com/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 07:42:14 1996] access to /docroot/global/funku.com/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 10:25:47 1996] access to /docroot/global/cybercrafters.com/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 06:39:16 1996] access to /docroot/global/resch.com/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 09:22:49 1996] access to /docroot/global/insvideo.com/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 07:27:53 1996] access to /docroot/global/northdallas.com/cgi-bin failed for sentry.wood.com, reason: File does not exist

------- End of Forwarded Message

Re: Security probe

Posted by Brian Clapper <bm...@telebase.com>.
>>>>> "Randy" == Randy Terbush <ra...@zyzzyva.com> writes:

Randy> I'm forwarding this to Apache since I think it will be of
Randy> general interest. This was originally posted by me to the
Randy> robot-alert list that Rob Hartill, Brian Gough and I have
Randy> recently started.

For what it's worth, I noticed similar probes here from sentry.wood.com, on
the same date (July 15, 1996).  The log entries are more or less identical
to those in the message Randy forwarded, with the prober trying to figure
out what user ID is running the web server.
----
Brian Clapper .............................................. bmc@telebase.com
http://www.netaxs.com/~bmc/ ............. PGP public key available on request
There are two sides to every divorce: yours and the shithead's.

Re: Security probe

Posted by Dean Gaudet <dg...@hotwired.com>.
In article <ho...@sierra.zyzzyva.com>,
Randy Terbush  <ne...@hyperreal.com> wrote:
>vh_behlen.com/access_log-behlen.com:sentry.wood.com - - [14/Jul/1996:22:43:17 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419

I've been monitoring for accesses to phf for the past 2 or 3 months.
Up until last week we'd see one a week, now we're up to 3 or 4 per day.
wood.com is amongst them.  I'm actually going to just start sending the
stuff to CERT (note I'm logging the real ip to avoid reverse dns spoofing)
and hope the CERT blackhole does the right thing.  I can deal with
occasional cage rattles, but this is ridiculous.

Previously I'd send a note to the tech contact from whois for the net.
But that's getting tedious.

I know it's a touchy subject to talk about publicly, but I'd be
interested in talking with people privately about what security auditing
you do on your server logs.

Dean
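As an added detection example (not code from this thread or from the Apache project): a small Python script that parses access log lines in the grep-prefixed Common Log Format shown in Randy's forwarded post, flags the phf probes by the encoded newline in the query, counts them per source, and marks sources that were logged as a resolved hostname rather than an IP address, which is the reverse DNS caveat Dean raises. The sample lines and host names are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in the "grep" shape used in the forwarded post:
# "<log file>:<remote host> - - [date] \"request\" status bytes".
SAMPLE_LINES = [
    'vh_example.org/access_log-example.org:scanner.example.net - - [15/Jul/1996:05:04:38 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419',
    'vh_example.org/access_log-example.org:192.0.2.10 - - [15/Jul/1996:02:02:55 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419',
    'vh_example.com/access_log-example.com:198.51.100.7 - - [15/Jul/1996:08:00:01 -0500] "GET /index.html" 200 1234',
    'vh_example.com/access_log-example.com:scanner.example.net - - [15/Jul/1996:09:22:49 -0500] "GET /cgi-bin/phf?Qalias=jdoe" 200 512',
    'vh_example.com/access_log-example.com:scanner.example.net - - [15/Jul/1996:10:25:47 -0500] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 419',
]

# Common Log Format, optionally prefixed by the log file name and a colon.
# The request may lack a protocol (HTTP/0.9 style), as in the posted lines.
LOG_RE = re.compile(
    r'^(?:(?P<logfile>[^:\s]+):)?(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not CLF."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_phf_probe(path):
    """The classic phf probe: a newline (%0a) smuggled into the query so that
    a vulnerable phf would run the text after it ('id' here) as a command.
    A plain phf lookup without a newline is not flagged."""
    script, _, query = path.partition('?')
    return script.endswith('/cgi-bin/phf') and '\n' in unquote(query)

def find_probes(lines):
    """Yield (host, logfile, status, attempted command) for each phf probe."""
    for line in lines:
        rec = parse_line(line)
        if rec and is_phf_probe(rec['path']):
            decoded = unquote(rec['path'].partition('?')[2])
            yield rec['host'], rec['logfile'], int(rec['status']), decoded.split('\n', 1)[1]

def probe_report(lines):
    """Count probes per source and note sources logged by hostname rather than
    IP: the name comes from reverse DNS, which the prober's PTR record controls."""
    counts = Counter(host for host, _, _, _ in find_probes(lines))
    return {h: {'probes': n, 'resolved_name': not IPV4_RE.match(h)} for h, n in counts.items()}
```

Run against the real logs, a source flagged with `resolved_name` should be cross-checked against the raw IP before it is reported anywhere, since Apache with hostname lookups enabled logs whatever the remote side's reverse DNS claims.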