Re: vulnerability in glocation.cgi?

[Christine Kronberg <Christine_Kronberg () genua de>]

  Hi,


  That thread dates back to January 2004, but I think I should
  finally deliver the rest of the story. Back in 2004 I reported
  some odd web accesses to one of my webserver seemingly to exploit
  a vulnerability in a script called "glocation". I had never
  heard of such a script, but the tried "ls -la" made me curious
  enough that I wrote a script giving some fake output on that
  command. Now that's what had happened:

  - After an hour "someone" obviously noticed that the return
    code changed from 404 file not found to 200. After that other
    commands were tested but no longer from a large variety of
    IP addresses but only two.
  - Next morning when I saw that, I added the tried commands to
    my script. The person came back trying more.
  - In the meanwhile the probing for glocation stopped and was
    replaced for script php.cgi, whereami.cgi and test.cgi. None
    of them ever existed on any of my servers.
    For what reason soever it seems to be necessary to get 404
    replies.
  - I asked the webmasters of a second webserver of mine (as the
    first one a name based virtual) to send me the logfiles and
    viola, the same entries. When looked closer I could see that
    each IP address fired all 11 seconds.
  - On the first server the guy had tried to upload some files
    which couldn't work as I did not forsee such an action. I
    downloaded the files after I found the entries in the logfiles.
    One was a perl based backdoor, the second revealed itself
    (with the help of google) to be a kaiten client.

  So the harmless looking probes turned up to be much more. Someone
  was setting up an ddos network. Imho.
  I had notified the ISPs of the "attacking" IP addresses so the
  probing stopped quite soon.

  I'm still wondering about the 404 stuff, but something else gives
  me quite more to think about: the proper way of handling incidents.
  The initial incident above looked so completely harmless that this
  type is usually ignored. And most of these probes may be harmless.
  But there are exceptions. Ignoring incidents sounds wrong to me.
  I do not suggest to honeyscript each funny probe but I wonder about
  the proper actions. File them to the abuse and security departments
  - of course. That may lead to some action - or not, depending on the
  abuse and security department. The guy behind that will not be caught.
  I spoke to the police (ddos is _not_ funny) but they told me from the
  beginning that in cases like that there is no hope. Partially because
  no real damage was done, but the basic problem is the ... not so good
  international collaboration. That makes me unhappy.
  I'm looking for better ways to handle that.

  What is your opinion and line of action?

  Cheers,


                                                    Chris Kronberg.

--
GeNUA mbH