[cobalt-users] Re: hack attack?
- Subject: [cobalt-users] Re: hack attack?
- From: georg_ml@xxxxxxxxxxxxxxx
- Date: Wed Nov 22 22:58:01 2000
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Garry,
Looks like a CGI scanner has been targeted at your machine. What they
do is search for CGI programs installed on your machine which are known
to have security flaws; this scanner checks their availability and logs
the ones found. Later the person who started the scanner will get the results
on the ones found and might further exploit them. So make sure none of
these exist on your machine, or at least are really secured.
According to the IP address, it looks like a dial-up user from Italy,
his/her ISP is:
inetnum: 212.41.192.0 - 212.41.208.255
netname: GALACTICA
descr: GALACTICA S.p.A.
descr: Internet Service Provider
country: IT
admin-c: LP187-RIPE
tech-c: AG1488-RIPE
status: ASSIGNED PA
notify: sysalt@xxxxxxxxxxxx
mnt-by: GALACTICA-NOC
changed: sysalt@xxxxxxxxxxxx 20000517
source: RIPE
http://www.galactica.it/web/
You might wanna inform them of this attempt; however, according to my
understanding, this activity is not really illegal, as it's just a UserAgent
(browser, et al.) requesting various "pages" from your server.
Hope this helps. Regards, Georg
Message: 18
From: "Garry Mills" <garry@xxxxxxxxxxxxx>
Organization: Stoneleaf Internet
To: cobalt-users@xxxxxxxxxxxxxxx
Date: Wed, 22 Nov 2000 13:31:15 -0000
Reply-to: garry@xxxxxxxxxxxxx
Subject: [cobalt-users] hack attack?
Just found this lot in my log file for the main domain for my site:
213.167.206.222 - - [15/Oct/2000:08:59:08 +0100] "GET /cgi-bin/phf HTTP/1.0" 302 216 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:09 +0100] "GET /cgi-bin/Count.cgi HTTP/1.0" 302 222 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:10 +0100] "GET /cgi-bin/test-cgi HTTP/1.0" 302 221 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:11 +0100] "GET /cgi-bin/php.cgi HTTP/1.0" 302 220 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:13 +0100] "GET /cgi-bin/handler HTTP/1.0" 302 220 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:14 +0100] "GET /cgi-bin/webgais HTTP/1.0" 302 220 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:15 +0100] "GET /cgi-bin/websendmail HTTP/1.0" 302 224 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:16 +0100] "GET /cgi-bin/webdist.cgi HTTP/1.0" 302 224 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:16 +0100] "GET /cgi-bin/faxsurvey HTTP/1.0" 302 222 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:17 +0100] "GET /cgi-bin/htmlscript HTTP/1.0" 302 223 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:19 +0100] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 302 226 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:20 +0100] "GET /cgi-bin/perl.exe HTTP/1.0" 302 221 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:28 +0100] "GET /cgi-bin/jj HTTP/1.0" 302 215 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:36 +0100] "GET /cgi-bin/wrap HTTP/1.0" 302 217 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:38 +0100] "GET /cgi-bin/whois_raw.cgi HTTP/1.0" 302 226 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:39 +0100] "GET /cgi-bin/form.cgi HTTP/1.0" 302 221 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:41 +0100] "GET /cgi-bin/message.cgi HTTP/1.0" 302 224 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:58 +0100] "GET /scripts/convert.bas HTTP/1.0" 302 224 "-" "-"
213.167.206.222 - - [15/Oct/2000:08:59:59 +0100] "GET /cgi-bin/finger HTTP/1.0" 302 219 "-" "-"
213.167.206.222 - - [15/Oct/2000:09:00:00 +0100] "GET /cgi-bin/webwho.pl HTTP/1.0" 302 222 "-" "-"
Anybody got any pointers?
TIA
Garry
Garry Mills
Stoneleaf Internet
Tel: 01723 506636
Fax: 01723 506630
Mob: 0410 002164
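
Added example, not part of the original messages: a small log triage script for the pattern discussed in this thread. It flags clients that request many distinct script paths in a short burst and lists which probed paths were actually served (2xx), which are the ones to audit or remove. The function names, the threshold of 5 paths in 60 seconds, and the sample lines (documentation addresses) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format, as in the excerpt quoted in this thread.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
PROBE_PREFIXES = ("/cgi-bin/", "/scripts/")  # directories probed in the thread's log

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])

def find_scanners(lines, min_paths=5, window=timedelta(seconds=60)):
    """Return {ip: {"paths", "served"}} for clients that requested at least
    min_paths distinct script paths inside one sliding time window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2].startswith(PROBE_PREFIXES):
            by_ip[rec[0]].append(rec[1:])
    report = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({p for _, p, _ in hits[start:end + 1]}) >= min_paths:
                # A 2xx status means the script exists and answered the probe.
                served = {p for _, p, s in hits if 200 <= s < 300}
                report[ip] = {"paths": {p for _, p, _ in hits}, "served": served}
                break
    return report

# Constructed sample (documentation addresses), modelled on the log in this thread.
SAMPLE = """\
192.0.2.10 - - [15/Oct/2000:08:59:08 +0100] "GET /cgi-bin/phf HTTP/1.0" 404 216 "-" "-"
192.0.2.10 - - [15/Oct/2000:08:59:09 +0100] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 222 "-" "-"
192.0.2.10 - - [15/Oct/2000:08:59:10 +0100] "GET /cgi-bin/test-cgi HTTP/1.0" 200 512 "-" "-"
192.0.2.10 - - [15/Oct/2000:08:59:11 +0100] "GET /cgi-bin/php.cgi HTTP/1.0" 404 220 "-" "-"
192.0.2.10 - - [15/Oct/2000:08:59:13 +0100] "GET /cgi-bin/handler HTTP/1.0" 404 220 "-" "-"
192.0.2.20 - - [15/Oct/2000:09:01:00 +0100] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
192.0.2.20 - - [15/Oct/2000:09:01:05 +0100] "GET /cgi-bin/form.cgi HTTP/1.0" 200 310 "-" "Mozilla/4.0"
""".splitlines()
```

On the constructed sample, find_scanners(SAMPLE) reports only 192.0.2.10 and shows /cgi-bin/test-cgi as served; the single form.cgi request from 192.0.2.20 stays below the threshold.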