Re: CGI scans from Strauss.udel.edu -- They're back

[oogali () INTRANOVA NET (Omachonu Ogali)]

Just a thought, maybe you could enable identd lookups on the webserver and
then if they roll around next time you can have a username to hold on to
as someone originating the probe? I'm not sure if you'll have total
success with this, but the chances of the prober modifying the identd
responses are slim.

On Mon, 17 Apr 2000, Matthew S. Hallacy wrote:

> Well,
>
> Interesting ports on strauss.udel.edu (128.175.13.74):
> Port    State       Protocol  Service
> 21      open        tcp        ftp
> 22      open        tcp        ssh
> 23      open        tcp        telnet
> 25      open        tcp        smtp
> 53      open        tcp        domain
> 79      open        tcp        finger
> 111     open        tcp        sunrpc
> 113     open        tcp        auth
> 137     filtered    tcp        netbios-ns
> 138     filtered    tcp        netbios-dgm
> 139     filtered    tcp        netbios-ssn
> 512     open        tcp        exec
> 513     open        tcp        login
> 514     open        tcp        shell
> 604     open        tcp        unknown
> 607     open        tcp        nqs
> 608     open        tcp        sift-uft
> 660     open        tcp        unknown
> 666     open        tcp        doom
> 4045    open        tcp        lockd
> 7100    open        tcp        font-service
>
>
> although bind, and sendmail seem to be up to date, they're running ssh
> 1.2.27, wu-ftpd 6.0, no anon ftp.
>
> I'm really quite sick of seeing this host turn up in probes all over the
> place.
>
> Apprently it *is* a multi user machine, it's also the backup MX for
> udel.edu:
>
> [root@sol /root]# host -t mx udel.edu
> udel.edu mail is handled (pri=10) by copland.udel.edu
> udel.edu mail is handled (pri=20) by strauss.udel.edu
>
> which means they've likely got tons of user accounts, with bad passwords.
>
> On Sat, 15 Apr 2000, Jose Nazario wrote:
>
> > Hi all,
> >
> > Last month I reported some campus wide probes by the machine
> > strauss.udel.edu to our domain (cwru.edu), and many other domains turned
> > up as being hit. A few messages back and forth and things were, we hoped,
> > cleared up.
> >
> > It looks like their problem has returned. This is from my logs the other
> > day:
> >
> > > From a web server:
> >
> > strauss.udel.edu - - [13/Apr/2000:00:24:43 -0400] "GET
> > /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0" 404 256
> >
> > > From a workstation:
> >
> > [13/Apr/1999:00:15:11] config: for host strauss.udel.edu trying to GET /c
> > gi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}");, check-acl
> > reports: ACL name httpd-nameserver-WRITE not defined
> >
> > A memo was sent on Thursday, but no response has yet been received. I know
> > at least one other site admin has contacted me with the same scan, so it
> > will most likely be widespread.
> >
> > I'd like to know what function strauss.udel.edu servrs. Is it a general
> > udel.edu campus web proxy? By cutting it off at the border will I cut off
> > every legitimate user, too, from udel.edu?
> >
> > Thanks,
> >
> > jose nazario                                        jose () biochemistry cwru edu
> > PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
> > Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc

--
+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali () intranova net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID:                                                  0xBFE60839 |
| PGP Fingerprint:       C8 51 14 FD 2A 87 53 D1  E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+