Security Incidents mailing list archives

Re: A small quandary


From: H C <keydet89 () yahoo com>
Date: Fri, 6 Dec 2002 05:49:11 -0800 (PST)

Paul,

None of the entries seems overly malicious...actually,
a couple of them are hardly original.  From the excerpt
you've provided, it looks as if a scan w/ any one of a
number of scanners was conducted...one that isn't
overly intelligent.  So...other than the scan, I don't
see anything particularly malicious.

If these are all "404"s, then I don't really see where
the quandary is, nor do I see how an offensive would be
mounted...


/cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output_number=10


*VERY* old attempt to cat the etc/passwd file.  This
used to be searchable via AltaVista...use of shadowed
password files obviated it.

/perl/ 1 -

Attempt at Perl...
 
/cgi-bin/test-cgi.bat?|ver 1 -

Attempt at a CGI script.
 
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: 1 -

/cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini 1 -

/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\
 

Attempts at dir. traversal on IIS.


> My question to everyone out there is would anyone be able to tell me if
> this kind of attack has the fingerprints of any known software/viruses
> in the field or is it a deliberate attempt to gain access to my client's
> site?

It's a scan, nothing more.  It would help if you'd
been a little more clear on the response codes...but
the attempts are obviously against a wide range of
systems...the etc/passwd attempt, for example, *used*
to work on Linux/*nix systems.  The last three entries
are specific to IIS.  Whoever ran the scan didn't even
bother to use a scanner intelligent enough to do
banner grabbing in order to narrow down the os/web
server of the target. 

Again, I don't see where the quandary lies, and I don't
see any sort of "attack" in what you've posted.  




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
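
Added example, not part of the original post or thread: a Python sketch of the triage described in the message above, tagging each requested URI by the platform it only makes sense against and separating 404s from responses that need a closer look. The status codes in the sample are constructed (the posted excerpt did not make them clear), and the function names are illustrative.

```python
from urllib.parse import unquote

# Request URIs quoted in the post; the 404 statuses are CONSTRUCTED
# for illustration, matching the "if these are all 404s" case.
SAMPLE = [
    ("/cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output_number=10", 404),
    ("/perl/", 404),
    ("/cgi-bin/test-cgi.bat?|ver", 404),
    ("/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:", 404),
    ("/cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini", 404),
    (r"/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\", 404),
]

def fully_decode(uri, rounds=3):
    """Percent-decode repeatedly so double encoding (%252e) is exposed."""
    for _ in range(rounds):
        decoded = unquote(uri, errors="replace")
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(uri):
    """Return tags for the platform a probe targets and whether it traverses."""
    raw, decoded = uri.lower(), fully_decode(uri).lower()
    tags = set()
    if "/etc/passwd" in decoded:
        tags.add("unix")
    if any(s in decoded for s in ("/winnt/", "cmd.exe", ".bat?")):
        tags.add("windows")
    # %c1%9c is an overlong-encoded slash variant; check it before decoding.
    if "../" in decoded or "..\\" in decoded or "%c1%9c" in raw:
        tags.add("traversal")
    return tags

def summarize(entries):
    """Probes spanning several platforms suggest a scanner that did no
    banner grabbing; any non-404 response is listed for manual review."""
    platforms, review = set(), []
    for uri, status in entries:
        platforms |= classify(uri) & {"unix", "windows"}
        if status != 404:
            review.append((uri, status))
    return {"platforms": sorted(platforms),
            "untargeted_scan": len(platforms) > 1,
            "needs_review": review}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```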

