Re: [cobalt-users] hack attack?
- Subject: Re: [cobalt-users] hack attack?
- From: "Brian Curtis" <admin@xxxxxxxxxxx>
- Date: Wed Nov 22 06:34:01 2000
- Organization: Pomfret Computer Technologies
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Just found this lot in my log file for the main domain for my site:
>
> 213.167.206.222 - - [15/Oct/2000:08:59:08 +0100] "GET /cgi-bin/phf HTTP/1.0" 302 216 "-" "-"
<SNIP>
> Anybody got any pointers?
>
> TIA
>
> Garry
This is a script kiddy using a pre-compiled exploit-checking suite which
specifically targets scripts/programs that contain known security holes and
reside in a cgi-bin.
Depending on what you have installed on your Raq, you might be able to
modify your TCP Wrappers to deny access (though this only works on programs
which are wrapped, and that doesn't include Apache but helps to defer
additional exploit attempts of other services), use ipchains or equiv. to
deny access at the kernel level, or at minimum modify your httpd.conf to
"deny from .flat.galactica.it". These all have implications, including
denying all customers of .flat.galactica.it access to your server.
Most likely this is coming from a dynamic IP (reverse lookup provided
213-167-206-222.flat.galactica.it), so banning just that specific IP may
only work for a limited time. Best bet is to keep a close eye on your logs
for a while. Most likely this is one of those kiddies looking for a quick
thrill by hacking a server using a well-known exploit, and they fail most of
the time. However, you cannot be too careful, and reporting this activity
should be considered.
I will send you, offline, a list of the network admins and domain contacts
related to the origin of the exploit attempt. I find that about 50% of the
reports I submit are NOT responded to when the origin of the attack is from
another country. Make that 100% if it originates from Japan.
Ahhh, the joys of "global access"...
--
Brian Curtis
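The reply above suggests watching the logs for a while and, if needed, adding a "deny from" rule to httpd.conf. The following is an added example (not code from either poster or from Cobalt) that automates the first half of that advice: it parses Apache common/combined log lines, groups requests by client address, flags a client that either asks for a path on a known-probe list (here only /cgi-bin/phf, the path from the post) or requests several distinct /cgi-bin/ programs that this server does not serve, and renders an Apache 1.3-style access-control block you could paste into httpd.conf. The threshold of three distinct failed CGI paths, the extra sample paths, and the DocumentRoot placeholder are assumptions for the example; only the first sample log line comes from the post.

```python
import re
from collections import defaultdict

# Apache common / combined log format (the format shown in the quoted post).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request paths known to be probed by automated CGI scanners.  Only the one
# from the post is listed; extend it with whatever your own logs show.
KNOWN_PROBES = {"/cgi-bin/phf"}

# A single client asking for this many *distinct* /cgi-bin/ programs that are
# not served here (non-2xx answers) is treated as a scanner.  The threshold is
# an assumption for this example; tune it to your own traffic.
DISTINCT_CGI_THRESHOLD = 3


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so "/cgi-bin/phf?..." still matches the bare path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def scan_log(lines):
    """Group suspicious /cgi-bin/ requests by client address.

    Returns {host: {"known_probes": [...], "failed_cgi": set(...), "lines": n}}.
    """
    per_host = defaultdict(lambda: {"known_probes": [], "failed_cgi": set(), "lines": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a log line we understand; skip rather than guess
        entry = per_host[rec["host"]]
        entry["lines"] += 1
        if rec["path"] in KNOWN_PROBES:
            entry["known_probes"].append(rec["path"])
        # Requests for CGI programs that this server did not serve successfully.
        if rec["path"].startswith("/cgi-bin/") and not 200 <= rec["status"] < 300:
            entry["failed_cgi"].add(rec["path"])
    return dict(per_host)


def flag_scanners(per_host):
    """Return the sorted list of client addresses that look like CGI scanners."""
    flagged = [
        host for host, e in per_host.items()
        if e["known_probes"] or len(e["failed_cgi"]) >= DISTINCT_CGI_THRESHOLD
    ]
    return sorted(flagged)


def deny_block(hosts, directory="/path/to/DocumentRoot"):
    """Render an Apache 1.3-style access-control block for httpd.conf.

    The directory argument is a placeholder; substitute your site's real
    DocumentRoot.  Denying by address (or by domain, as in the reply) blocks
    every client from that address, so review the list before applying it.
    """
    lines = [f"<Directory {directory}>", "    Order allow,deny", "    Allow from all"]
    lines += [f"    Deny from {h}" for h in hosts]
    lines.append("</Directory>")
    return "\n".join(lines)


# Constructed sample log: the phf probe from the post, two made-up probes from
# the same address, and one ordinary visitor using a CGI that does exist.
SAMPLE_LOG = """\
213.167.206.222 - - [15/Oct/2000:08:59:08 +0100] "GET /cgi-bin/phf HTTP/1.0" 302 216 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:09 +0100] "GET /cgi-bin/example-one HTTP/1.0" 404 210 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:09 +0100] "GET /cgi-bin/example-two HTTP/1.0" 404 210 "-" "-"
192.0.2.10 - - [15/Oct/2000:09:02:41 +0100] "GET /index.html HTTP/1.0" 200 1843 "-" "Mozilla/4.7"
192.0.2.10 - - [15/Oct/2000:09:02:43 +0100] "GET /cgi-bin/guestbook.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.7"
""".splitlines()

if __name__ == "__main__":
    summary = scan_log(SAMPLE_LOG)
    scanners = flag_scanners(summary)
    for h in scanners:
        e = summary[h]
        print(f"{h}: {len(e['known_probes'])} known probe(s), "
              f"{len(e['failed_cgi'])} distinct failed CGI path(s)")
    print(deny_block(scanners))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; the distinct-path heuristic is what catches scanners whose probe list you have not seen before, while the known-probe list catches a single hit such as the phf request in the post. As the reply notes, a scanner on a dynamic address may change addresses, so a generated deny list is a stop-gap, not a substitute for keeping the CGI directory free of programs with known holes.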