Security Basics mailing list archives
Re: strange cgi-bin entry
From: Nikolai Alexandrov <voyager123bg () gmail com>
Date: Tue, 19 Jul 2005 20:11:30 +0300
It was a symlink. My question was somewhat whether a symlink in that directory (with owner root), linked to itself, could be used for any kind of attack (remote)... I deleted it. There is nothing unusual around that symlink... (I tried the following: "ln -s a a", and it gave me a similar link linked to itself, pretty dumb in fact). I guess some broken script made it. My previous way of creating graphics of the external IP used to work with CGIs like that. I played a while with it, and might have screwed things up... now it is gone. Sorry for the false alarm, and thank you all good people for your time and answers. Some of the posts led me to interesting sites... :). (e.g. http://www.portknocking.org/). Once again thank you all.
ps: I wish there was a way more people could read all the stuff I got, it was very interesting, and the more I read this list, the more interesting it gets. Since I know disclosing private e-mails on a public list is somewhat a breach of netiquette, I humbly beg you to Cc your e-mails to the security-basics list... I am sure other people wouldn't mind reading interesting stuff too :).
mike () genxweb net wrote:
I would have suggested copying that cgi file to a disk or something to analyse it. You might have been able to view the file using cat and see what the script did.

Hello out there, I want to ask you about a strange entry I noted in my /cgi-bin directory...

ls -la
lrwxrwxrwx 1 root root 10 2005-07-08 14:11 AAA.BBB.CCC.DDD.cgi -> AAA.BBB.CCC.DDD.cgi

where AAA.BBB.CCC.DDD is a real IP address. I removed the link, and am pretty sure I didn't create it... It is the only entry in the /cgi-bin.

My question is: Could this mean my box is compromised? And if so... what should I do next? (reinstall is not a good answer in my case)

Thank you in advance.

ps: I nmapped the questioned host (from outside), and no unknown (open) ports were found. Also netstat -nta did not show anything unusual. Logcheck also seemed normal (but if the host is compromised I know I cannot trust the software I run on the same host).
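An added example, not part of the original messages: a small shell check that lists symlinks in a directory which point at themselves (what "ln -s a a" produces) or otherwise fail to resolve, so such entries can be reviewed before they are deleted. The function names `classify_link`, `audit_dir` and `demo` are hypothetical, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example: flag symlinks that point at themselves or do not resolve.
# Function names are hypothetical; the demo data below is constructed.

# classify_link PATH -> prints "self", "broken" or "ok" for a symlink
classify_link() {
    link=$1
    target=$(readlink "$link") || return 1
    base=$(basename "$link")
    # Relative target equal to the link's own name, or absolute target
    # equal to the link's own path: the "ln -s a a" case from the thread.
    case $target in
        "$base"|"./$base"|"$link") echo self; return 0 ;;
    esac
    # -e follows the link: false for dangling targets and longer loops.
    if [ -e "$link" ]; then echo ok; else echo broken; fi
}

# audit_dir DIR -> one line per suspicious symlink: "<class> <path> -> <target>"
audit_dir() {
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -L "$entry" ] || continue
        class=$(classify_link "$entry")
        [ "$class" = ok ] && continue
        echo "$class $entry -> $(readlink "$entry")"
    done
}

# Constructed demo: one self-link, one valid link, one dangling link.
demo() {
    tmp=$(mktemp -d)
    ( cd "$tmp" && ln -s a a && touch real.cgi \
        && ln -s real.cgi good && ln -s missing dangling )
    audit_dir "$tmp"
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then audit_dir "$1"; else demo; fi
```

Run with a directory argument (for example the cgi-bin path) to audit it, or with no arguments to see the constructed demo.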