Date:      Sun, 20 Sep 1998 15:39:05 -0700 (PDT)
From:      Marc Slemko <marcs@znep.com>
To:        Brett Glass <brett@lariat.org>
Cc:        security@FreeBSD.ORG
Subject:   Re: Bogus hits on our Web server
Message-ID:  <Pine.GSO.4.02A.9809201536270.29852-100000@redfish>
In-Reply-To: <199809202128.PAA11447@lariat.lariat.org>

On Sun, 20 Sep 1998, Brett Glass wrote:

> We've gotten several spates of Web log entries like the following:
> 
> 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
> 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
> 
> and
> 
> 38.11.110.182 root - [20/Sep/1998:13:37:16 -0600] "GET /cgi-bin/phf" 404 -
> 38.11.110.182 root - [20/Sep/1998:13:37:19 -0600] "GET /cgi-bin/test-cgi" 404 -
> 38.11.110.182 root - [20/Sep/1998:13:37:22 -0600] "GET /cgi-bin/handler" 404 -
> 
> Is this a mass attack by a bunch of "skript kiddies?" What's going on?

Yup, that is what it looks like.

They appear to be basing their probing on servers listed as DNS servers
for various domains.

If you look at your logs, you will probably find ftp, telnet, imap, and
pop connections as well.

imap and pop are probably looking for obvious holes, telnet I guess just
to try to find the OS, finger to look for activity or accounts to crack.

We have seen a dozen or so sites pulling this in the past week; most of
ours appear to be boxes that have been broken into.

Don't know if it is one group or some stupid lame-assed script that a
bunch of morons are trying.
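
An added example, not part of the original message: one way to pick this probing pattern out of an access log in the layout quoted above, by flagging any source that requests several of the listed CGI paths within a short window. The threshold, the 60-second window, the function names and the 192.0.2.x / 198.51.100.x sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Probe targets taken from the log excerpts quoted in this thread.
PROBE_PATHS = {"/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler"}

# Layout as quoted above: host ident user [time] "METHOD path" status bytes
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>[^"\s]+)[^"]*" \d{3} \S+$'
)

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed or differently formatted line
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["host"], ts, m["path"].split("?", 1)[0]  # drop any query string

def find_scanners(lines, min_paths=2, window=timedelta(seconds=60)):
    """Return {host: sorted probe paths} for hosts that requested at least
    min_paths distinct probe paths inside one time window (assumed values)."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] in PROBE_PATHS:
            hits[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            paths = {p for t, p in events[i:] if t - start <= window}
            if len(paths) >= min_paths:
                flagged[host] = sorted(paths)
                break
    return flagged

# First five lines are from the thread; the last three are constructed.
SAMPLE = [
    '62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -',
    '62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -',
    '62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -',
    '38.11.110.182 root - [20/Sep/1998:13:37:16 -0600] "GET /cgi-bin/phf" 404 -',
    '38.11.110.182 root - [20/Sep/1998:13:37:19 -0600] "GET /cgi-bin/test-cgi" 404 -',
    '192.0.2.10 unknown - [20/Sep/1998:11:00:00 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 unknown - [20/Sep/1998:11:05:00 -0600] "GET /cgi-bin/phf" 404 -',
    '198.51.100.7 unknown - [20/Sep/1998:14:05:00 -0600] "GET /cgi-bin/handler" 404 -',
]
```

Run over the sample, `find_scanners(SAMPLE)` flags the two hosts from the thread and leaves the source whose two probe requests are hours apart unflagged.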

