 /cgi-bin/phf /cgi-bin/test-cgi /cgi-bin/handler

I've been seeing a number of attacks of this sort recently
from various sites in the http logs.  The time correlation
between the logs on various hosts suggests that the attacker
was scanning sequentially upward in IP addresses.  Since all
tcp and udp packets to ports below 1024 except for http,
smtp, and ident are filtered out for most, including the
attacking, sites, I'm not seeing anything else in the logs.

209.61.73.47 - - [04/Jul/1998:07:19:27 -0500] "GET /cgi-bin/phf" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/test-cgi" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/handler" 404 -

Is this a signature of some known attackware?  If so, what
other attacks accompany these http probes?

--
qpliu.sbtsfh...@born.ph.utexas.edu



 Fri, 22 Dec 2000 03:00:00 GMT   

|209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/handler" 404 -
|
|Is this a signature of some known attackware?  If so, what
|other attacks accompany these http probes?

In a web search engine, search for "cgi-bin/handler" and see what comes up.

--
------------------------------------------------------------------------
Timothy J. Lee                                                   timlee@
Unsolicited bulk or commercial email is not welcome.             netcom.com
No warranty of any kind is provided with this message.



 Sat, 23 Dec 2000 03:00:00 GMT   

Yes, phf is a well known hole. See
http://www.cert.org/advisories/CA-96.06.cgi_example_code.html

--
Remove the NOSPAM from the reply address
Kevin Connolly, EI4ANB
ICBM: 51 40.2'N   08 29.7'W



 Sun, 24 Dec 2000 03:00:00 GMT   

vito (one of a bunch of scripts that try for known holes in webservers) does this in
the order you posted in default configuration. More attacks in the default config are
on mglimpse and campas.

Check any bugtraq archive for vito.

-Martin

--
 Martin Freiss, MF194   | freiss....@sni.de | http://www.rmi.de/~marvin
 Siemens Nixdorf, CC IT Networks, Solution Team Internet/Intranet
Half male, half e-mail.



 Sun, 24 Dec 2000 03:00:00 GMT   
In article <6nr99r$4k...@geraldo.cc.utexas.edu>,
jeer.btsfh...@born.ph.utexas.edu (Quowong P Liu) writes,

To follow up, there are reports of finger/telnet/imap/pop3/regex
probes accompanying these.

A little research on www.rootshell.com turns up something
called mscan, which also probes portmapper/statd/named and
X servers, for a range of addresses or all the addresses in
a domain.

In the last week or so, such attacks were logged from these
sites:

  cr543730-a.surrey1.bc.wave.home.com [24.113.45.75]
  210.152.89.1
  207-172-251-229.s38.as2.loc.erols.com [207.172.251.229]
  209.61.73.47
  dixie.introspect.net [199.72.239.200]

as well as reports of one from *.ix.netcom.com, so I
suspect these cookie-cutter attacks are carried out by
"h4x0r" wannabes.

--
qpliu.sbtsfj...@born.ph.utexas.edu
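
An added example, not part of the thread: one way to flag the pattern in the log excerpt from the first post (one source requesting several known CGI probe paths within seconds) in Common Log Format access logs. The function name, the thresholds, and the two 192.0.2.10 lines are constructed for illustration; the first three sample lines are the ones quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Probe targets taken from the log lines quoted in the thread; extend as needed.
PROBE_PATHS = {"/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler"}

# Common Log Format; the HTTP version is optional (the quoted requests omit it).
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^"\s]+)[^"]*" (\d{3})')

# Lines 1-3 are from the thread; lines 4-5 are constructed benign traffic.
SAMPLE = """\
209.61.73.47 - - [04/Jul/1998:07:19:27 -0500] "GET /cgi-bin/phf" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/test-cgi" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/handler" 404 -
192.0.2.10 - - [04/Jul/1998:07:20:01 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.10 - - [04/Jul/1998:07:20:05 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 -
""".splitlines()


def find_cgi_sweeps(lines, window=timedelta(seconds=10), min_distinct=3):
    """Return {source: {"paths": [...], "found": [...]}} for each source that
    requested at least min_distinct probe paths inside one time window."""
    by_src = defaultdict(list)
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # skip malformed or non-CLF lines
        src, ts, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        if path in PROBE_PATHS:
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            by_src[src].append((when, path, int(status)))
    sweeps = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])  # stable: keeps log order within a second
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if e[0] - start <= window]
            if len({p for _, p, _ in burst}) >= min_distinct:
                sweeps[src] = {
                    "paths": [p for _, p, _ in burst],
                    # Anything other than 404 means the script may exist here.
                    "found": sorted({p for _, p, s in burst if s != 404}),
                }
                break
    return sweeps


if __name__ == "__main__":
    print(find_cgi_sweeps(SAMPLE))
```

A non-empty "found" list is the case that needs follow-up on the host; an empty one means every probe in the burst returned 404.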


