Date: Tue, 2 Feb 1999 00:00:08 -0700 (MST) From: David G Andersen <danderse@cs.utah.edu> To: junkmale@xtra.co.nz Cc: freebsd-security@FreeBSD.ORG Subject: Re: what were these probes? Message-ID: <199902020700.AAA20881@lal.cs.utah.edu> In-Reply-To: <19990202055804.YRQY682101.mta1-rme@wocker> from "Dan Langille" at Feb 2, 99 06:58:07 pm
next in thread | previous in thread | raw e-mail | index | archive | help
Lo and behold, Dan Langille once said:
>
> Hi folks,
>
> Tonight I found these entries in my log files. What were they looking
> for? Was this a spammer looking for exploits?
I doubt it was a spammer. It was most likely a cracker (pick your
favorite term for "a malicious jerk") or script kiddie looking for an
exploit. Based on the timing, they were fairly obviously using an
automated scanning tool to scan your system.
You'll probably want to report this to the people who own ns.cvvm.com -
it's fairly likely that their box has been hacked.
105 torrey:~> whois cvvm.com
Registrant:
Cowichan Valley Virtual Mall (CVVM-DOM)
103 - 2700 Beverly St
Duncan, BC V9L5C7
CA
Domain Name: CVVM.COM
Administrative Contact:
Goodliffe, M (MG2727) myke@ISLAND.NET
1-250-748-0818
Technical Contact, Zone Contact:
Fraser, Tony (TF1661) frasert@ISLANDNET.COM
1-250-245-2984
Billing Contact:
Goodliffe, M (MG2727) myke@ISLAND.NET
1-250-748-0818
That really happens to suck, since the box that was hacked (or harboring
a malicious person) is their nameserver. The box appears to be offline
right now - it won't answer nameservice queries, etc., so the owners
probably know it was compromised, but sending them a note can't hurt.
-Dave
>
> http:
>
> ns.cvvm.com - - [02/Feb/1999:17:34:28 +1300] "GET /cgi-bin/phf HTTP/1.0"
> 404 164
> ns.cvvm.com - - [02/Feb/1999:17:34:29 +1300] "GET /cgi-bin/Count.cgi
> HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:30 +1300] "GET /cgi-bin/test-cgi
> HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:31 +1300] "GET /cgi-bin/php.cgi
> HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:32 +1300] "GET /cgi-bin/handler
> HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:33 +1300] "GET /cgi-bin/webgais
> HTTP/1.0" 404 168
> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/websendmail
> HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:34 +1300] "GET /cgi-bin/webdist.cgi
> HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:38 +1300] "GET /cgi-bin/faxsurvey
> HTTP/1.0" 404 170
> ns.cvvm.com - - [02/Feb/1999:17:34:39 +1300] "GET /cgi-bin/htmlscript
> HTTP/1.0" 404 171
> ns.cvvm.com - - [02/Feb/1999:17:34:40 +1300] "GET /cgi-bin/pfdisplay.cgi
> HTTP/1.0" 404 174
> ns.cvvm.com - - [02/Feb/1999:17:34:41 +1300] "GET /cgi-bin/perl.exe
> HTTP/1.0" 404 169
> ns.cvvm.com - - [02/Feb/1999:17:34:43 +1300] "GET /cgi-bin/wwwboard.pl
> HTTP/1.0" 404 172
> ns.cvvm.com - - [02/Feb/1999:17:34:47 +1300] "GET /cgi-
> bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
> ns.cvvm.com - - [02/Feb/1999:17:34:48 +1300] "GET /cgi-bin/jj HTTP/1.0"
> 404 163
>
>
> telnet:
>
> Feb 2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
> Feb 2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com
>
> sendmail:
>
> Feb 2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from
> root@ns.cvvm.com [139.142.106.131]
> Feb 2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from
> root@ns.cvvm.com [139.142.106.131]
>
> --
> Dan Langille
> The FreeBSD Diary
> http://www.FreeBSDDiary.com/freebsd
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
--
work: danderse@cs.utah.edu me: angio@pobox.com
University of Utah http://www.angio.net/
Computer Science - Flux Research Group
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199902020700.AAA20881>