Security Incidents mailing list archives
Re: CGI scans from Strauss.udel.edu -- They're back
From: oogali () INTRANOVA NET (Omachonu Ogali)
Date: Tue, 18 Apr 2000 05:27:13 -0400
Just a thought, maybe you could enable identd lookups on the webserver and then if they roll around next time you can have a username to hold on to as someone originating the probe? I'm not sure if you'll have total success with this, but the chances of the prober modifying the identd responses are slim.

On Mon, 17 Apr 2000, Matthew S. Hallacy wrote:
> Well,
>
> Interesting ports on strauss.udel.edu (128.175.13.74):
> Port    State     Protocol  Service
> 21      open      tcp       ftp
> 22      open      tcp       ssh
> 23      open      tcp       telnet
> 25      open      tcp       smtp
> 53      open      tcp       domain
> 79      open      tcp       finger
> 111     open      tcp       sunrpc
> 113     open      tcp       auth
> 137     filtered  tcp       netbios-ns
> 138     filtered  tcp       netbios-dgm
> 139     filtered  tcp       netbios-ssn
> 512     open      tcp       exec
> 513     open      tcp       login
> 514     open      tcp       shell
> 604     open      tcp       unknown
> 607     open      tcp       nqs
> 608     open      tcp       sift-uft
> 660     open      tcp       unknown
> 666     open      tcp       doom
> 4045    open      tcp       lockd
> 7100    open      tcp       font-service
>
> Although bind and sendmail seem to be up to date, they're running ssh 1.2.27, wu-ftpd 6.0, no anon ftp. I'm really quite sick of seeing this host turn up in probes all over the place. Apparently it *is* a multi-user machine; it's also the backup MX for udel.edu:
>
> [root@sol /root]# host -t mx udel.edu
> udel.edu mail is handled (pri=10) by copland.udel.edu
> udel.edu mail is handled (pri=20) by strauss.udel.edu
>
> which means they've likely got tons of user accounts, with bad passwords.
>
> On Sat, 15 Apr 2000, Jose Nazario wrote:
>
> > Hi all,
> >
> > Last month I reported some campus-wide probes by the machine strauss.udel.edu to our domain (cwru.edu), and many other domains turned up as being hit. A few messages back and forth and things were, we hoped, cleared up. It looks like their problem has returned. This is from my logs the other day:
> >
> > From a web server:
> >
> > strauss.udel.edu - - [13/Apr/2000:00:24:43 -0400] "GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0" 404 256
> >
> > From a workstation:
> >
> > [13/Apr/1999:00:15:11] config: for host strauss.udel.edu trying to GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}");, check-acl reports: ACL name httpd-nameserver-WRITE not defined
> >
> > A memo was sent on Thursday, but no response has yet been received. I know at least one other site admin has contacted me with the same scan, so it will most likely be widespread. I'd like to know what function strauss.udel.edu serves. Is it a general udel.edu campus web proxy? By cutting it off at the border will I cut off every legitimate user, too, from udel.edu?
> >
> > Thanks,
> >
> > jose nazario                         jose () biochemistry cwru edu
> > PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
> > Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
--
Omachonu Ogali                 oogali () intranova net
Intranova Networking Group     http://tribune.intranova.net
PGP Key ID: 0xBFE60839
PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34
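Ogali's suggestion is an RFC 1413 (identd) lookup: when strauss connects to your port 80 from some source port, your web server opens a connection back to port 113 on strauss (which the scan above shows open as "auth") and asks which user owns that source port. Apache 1.3 did this with `IdentityCheck On` and wrote the answer in the second (`%l`) field of the access log. The block below is an added example for this thread, not code from the original posts; it shows the exchange in Python: the query builder, the response parser for both the USERID and ERROR shapes, a live lookup, and a constructed stand-in identd on loopback (with an invented port/user table) so the demo runs offline. One caveat: the reply is produced by the remote host, so it names whatever account that host's identd chooses to report.

```python
"""RFC 1413 (identd) lookup of the user behind a remote TCP connection.

Added example for this thread. Real pieces: the RFC 1413 wire format and
port 113. Constructed pieces: fake_identd() and the port/user table in demo().
"""
import socket
import threading

IDENT_PORT = 113  # RFC 1413 Identification Protocol


def build_ident_query(server_port: int, client_port: int) -> bytes:
    """Request line: "<port on queried host>, <port on our host>\\r\\n".

    For a web server probed by strauss, server_port is the prober's source
    port and client_port is our listening port (80).
    """
    for p in (server_port, client_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def parse_ident_response(line: str) -> dict:
    """Parse either response shape defined by RFC 1413:

        <ports> : USERID : <opsys>[,<charset>] : <user-id>
        <ports> : ERROR  : <error-type>
    """
    line = line.rstrip("\r\n")
    # maxsplit=3 keeps any ':' inside the user-id field intact
    parts = [p.strip() for p in line.split(":", 3)]
    if len(parts) < 3:
        raise ValueError(f"malformed ident response: {line!r}")
    try:
        server_port, client_port = (int(x) for x in parts[0].split(","))
    except ValueError:
        raise ValueError(f"bad port pair in response: {line!r}") from None
    result = {"server_port": server_port, "client_port": client_port}
    kind = parts[1].upper()
    if kind == "USERID" and len(parts) == 4:
        opsys, _, charset = parts[2].partition(",")
        result.update(type="USERID", opsys=opsys.strip(),
                      charset=(charset.strip() or "US-ASCII"), user=parts[3])
    elif kind == "ERROR":
        result.update(type="ERROR", error=parts[2])
    else:
        raise ValueError(f"unrecognised ident response: {line!r}")
    return result


def ident_lookup(host: str, server_port: int, client_port: int,
                 port: int = IDENT_PORT, timeout: float = 5.0) -> dict:
    """Ask host's identd which user owns its end of host:server_port -> us:client_port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_ident_query(server_port, client_port))
        buf = b""
        while not buf.endswith(b"\n") and len(buf) < 1024:
            chunk = s.recv(256)
            if not chunk:
                break
            buf += chunk
    return parse_ident_response(buf.decode("ascii", "replace"))


def fake_identd(table: dict) -> int:
    """Constructed stand-in for the remote identd (loopback only). Answers one
    query from table ({source_port: username}) and returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        with conn, srv:
            req = conn.recv(64).decode("ascii", "replace").strip()
            try:
                sp, cp = (int(x) for x in req.split(","))
            except ValueError:
                conn.sendall(b"0, 0 : ERROR : INVALID-PORT\r\n")
                return
            user = table.get(sp)
            reply = (f"{sp}, {cp} : USERID : UNIX : {user}\r\n" if user
                     else f"{sp}, {cp} : ERROR : NO-USER\r\n")
            conn.sendall(reply.encode("ascii"))

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def demo() -> tuple:
    """Both exchanges against the stand-in: a known source port and an unknown one."""
    hit = ident_lookup("127.0.0.1", 6191, 80, port=fake_identd({6191: "jdoe"}))
    miss = ident_lookup("127.0.0.1", 6200, 80, port=fake_identd({6191: "jdoe"}))
    return hit, miss


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Against a real prober you would call `ident_lookup(prober_ip, prober_source_port, 80)` with the default port 113; the source port comes from the accepted socket or from a firewall log, since the access log alone does not carry it.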
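The probe Jose logged is a Perl code-injection attempt against a hit-counter CGI: the query string carries `;system("$ENV{HTTP_X}")`, so the command itself would arrive in an `X:` request header, which a standard access log never records (Apache can log it with `%{X}i` in a LogFormat). The block below is an added example for this thread, not code from the original posts: a small Python scanner over Common Log Format lines that URL-decodes the request path, flags Perl shell-out indicators, and tallies hits per source host, which is the number to look at before deciding whether to block a host at the border. The sample lines are constructed for the example (the first reproduces the line from Jose's post; the 192.0.2.10 lines and the percent-encoded variant are invented), and it generalizes past the page's single probe by also catching `%xx`-encoded forms.

```python
"""Flag Perl/CGI command-injection probes in Apache Common Log Format logs.

Added example for this thread; the indicator list and every sample line
except the one quoted from Jose Nazario's post are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import unquote

# NCSA Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Strong indicators of a Perl shell-out smuggled through a CGI parameter.
# A bare ';' is deliberately not listed: path parameters such as
# ';jsessionid=' would drown the signal.
INDICATORS = (
    ("perl-system-call", re.compile(r"\bsystem\s*\(", re.I)),
    ("perl-exec-or-pipe-open", re.compile(r"\bexec\s*\(|\bopen\s*\([^)]*\|", re.I)),
    ("env-header-deref", re.compile(r"\$ENV\{")),
    ("backtick-shell", re.compile(r"`")),
)

SAMPLE_LOG = [
    # the line from Jose Nazario's post
    'strauss.udel.edu - - [13/Apr/2000:00:24:43 -0400] "GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0" 404 256',
    # constructed: benign traffic
    '192.0.2.10 - - [13/Apr/2000:00:25:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    # constructed: the same probe, percent-encoded
    'strauss.udel.edu - - [13/Apr/2000:00:25:17 -0400] "GET /cgi-bin/counter/nl/ord/lang=english(1)%3Bsystem(%22%24ENV%7BHTTP_X%7D%22)%3B HTTP/1.0" 404 256',
    # constructed: a ';' in a path that is not an attack
    '192.0.2.10 - - [13/Apr/2000:00:26:40 -0400] "GET /docs/api;jsessionid=abc123 HTTP/1.0" 200 512',
]


def parse_clf(line: str) -> dict | None:
    """One CLF line to a dict, or None if it does not parse."""
    m = CLF_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(path: str) -> list[str]:
    """Names of the indicators present in the URL-decoded request path."""
    decoded = unquote(path)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan(lines) -> list[dict]:
    """One finding per request carrying at least one indicator. The HTTP
    status is kept but not used to filter: a 404 means this CGI was absent
    here, not that the probe was harmless elsewhere."""
    findings = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        hits = classify(rec["path"])
        if hits:
            findings.append({"host": rec["host"], "time": rec["time"],
                             "path": rec["path"], "status": rec["status"],
                             "indicators": hits})
    return findings


def hosts_by_hits(findings) -> Counter:
    """Per-source tally, the number to look at before a border block."""
    return Counter(f["host"] for f in findings)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["host"], f["time"], f["status"], ",".join(f["indicators"]))
    print(hosts_by_hits(found))
```

To run it over a real file, pass `open("access_log")` to `scan()`; the regex expects the unescaped request field that Apache of that era wrote, and also accepts the `\"`-escaped form later versions produce, since the path group only stops at whitespace.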
Current thread:
- CGI scans from Strauss.udel.edu -- They're back Jose Nazario (Apr 14)
- Re: CGI scans from Strauss.udel.edu -- They're back Tom Perrine (Apr 15)
- Re: CGI scans from Strauss.udel.edu -- They're back Matthew S. Hallacy (Apr 16)
- Re: CGI scans from Strauss.udel.edu -- They're back Omachonu Ogali (Apr 18)
- Rapid Web page harvesting, probably by marketing firm Brett Glass (Apr 18)
- Frontpage Exploits Keith McCammon (Apr 19)
- Re: CGI scans from Strauss.udel.edu -- They're back Elliot L. Tobin (Apr 17)
- Re: CGI scans from Strauss.udel.edu -- They're back Dragos Ruiu (Apr 17)
- Re: CGI scans from Strauss.udel.edu -- They're back Ryan Russell (Apr 18)
- Re: CGI scans from Strauss.udel.edu -- They're back Bryan Seitz (Apr 19)
- Re: CGI scans from Strauss.udel.edu -- They're back Marcelo Magnasco (Apr 18)
- Rooted through in.identd on Red Hat 6.0 Del Elson (Apr 18)
- Re: Rooted through in.identd on Red Hat 6.0 Sebastian (Apr 20)
- Re: Rooted through in.identd on Red Hat 6.0 Dmitry Alyabyev (Apr 20)
(Thread continues...)