From bc@mtiweb.com Fri Jul 26 03:43:52 1996
Received: from voyager.mtiweb.com (root@[205.253.3.3]) by suburbia.net (8.7.4/Proff-950810) with SMTP id DAA00918 for ; Fri, 26 Jul 1996 03:43:38 +1000
Received: from mars.mtiweb.com (mars.mtiweb.com [205.253.3.4]) by voyager.mtiweb.com (8.6.13/8.6.13) with SMTP id MAA21499; Thu, 25 Jul 1996 12:39:24 -0500
Date: Thu, 25 Jul 1996 12:40:49 -0500 (CDT)
From: Barry Caplin
To: "Sacherich, Larry"
cc: "'Best-Of-Security'"
Subject: Re: BoS: Aggressive Web Vulnerability Probe
In-Reply-To: <199607251646.AA00306@gateway.ppg.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

>
> I have logged only one probe from sentry.wood.com so far. And
> I'm not real happy about it. When I visited their Web site at
> www.wood.com they said it was for authorized users only! Who
> is wood.com?
>
> sentry.wood.com - - [15/Jul/1996:09:01:30 -0400] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 -
>

Interesting! I also had some probes:

error_log:[Sun Jul 14 23:41:56 1996] httpd: access to /www/httpd/cgi-bin/phf failed for sentry.wood.com, reason: script does not exist from -
error_log:[Mon Jul 15 06:37:45 1996] httpd: access to /www/httpd/cgi-bin/phf failed for sentry.wood.com, reason: script does not exist from -
error_log:[Mon Jul 15 09:42:55 1996] httpd: access to /www/httpd/cgi-bin/phf failed for sentry.wood.com, reason: script does not exist from -
error_log:[Mon Jul 15 10:43:19 1996] httpd: access to /www/httpd/cgi-bin/phf failed for sentry.wood.com, reason: script does not exist from -

What is interesting about this is not only did the probes come about
the same time as on Larry's system, but these log entries represent 4
of my virtual domains. They tried the same probe on each one. They
never did try my main domain. I had deleted phf after the
vulnerability reports anyway.

Barry

Barry Caplin
MicroWEB Technology, Inc.
bc@mtiweb.com
http://www.mtiweb.com
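
Added example, not part of the original message: a Python script that does the correlation described above, grouping phf requests by client host across per-virtual-host logs and noting whether the query carried an encoded newline. The vhost labels and client hostnames in SAMPLE are constructed placeholders, and the two regexes assume the access-log and error_log line shapes quoted in the message.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Common Log Format access line: host ident user [time] "request" status bytes
ACCESS = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"\S+ (?P<uri>[^\s"]+)[^"]*" \d{3} \S+$')
# NCSA httpd error_log line in the shape quoted in the message
ERROR = re.compile(r'^\[[^\]]+\] httpd: access to (?P<uri>\S+) '
                   r'failed for (?P<host>[^,\s]+), reason: .*$')

def parse(line):
    """Return (host, injected) for a phf request in either format, else None."""
    m = ACCESS.match(line) or ERROR.match(line)
    if not m:
        return None
    path, _, query = m["uri"].partition("?")
    if path.rsplit("/", 1)[-1] != "phf":
        return None
    # injected: the decoded query contains a newline (the %0a seen in the quoted request)
    return m["host"], "\n" in unquote(query)

def probes_by_host(records):
    """records: iterable of (vhost, log_line). Group phf hits by client host."""
    hits = defaultdict(lambda: {"vhosts": set(), "count": 0, "injection": False})
    for vhost, line in records:
        parsed = parse(line.strip())
        if parsed:
            host, injected = parsed
            hits[host]["vhosts"].add(vhost)
            hits[host]["count"] += 1
            hits[host]["injection"] |= injected
    return dict(hits)

def sweepers(records, min_vhosts=2):
    """Client hosts that requested phf on at least min_vhosts distinct vhosts."""
    return sorted(h for h, v in probes_by_host(records).items()
                  if len(v["vhosts"]) >= min_vhosts)

# Constructed sample: vhost labels and client hostnames are placeholders.
SAMPLE = [
    ("vhost-a", "[Sun Jul 14 23:41:56 1996] httpd: access to /www/httpd/cgi-bin/phf failed for scanner.example.net, reason: script does not exist from -"),
    ("vhost-b", "[Mon Jul 15 06:37:45 1996] httpd: access to /www/httpd/cgi-bin/phf failed for scanner.example.net, reason: script does not exist from -"),
    ("vhost-c", 'scanner.example.net - - [15/Jul/1996:09:01:30 -0400] "GET /cgi-bin/phf?Qalias=foo%0aid" 404 -'),
    ("vhost-a", 'client.example.org - - [15/Jul/1996:09:05:00 -0400] "GET /index.html HTTP/1.0" 200 1043'),
    ("vhost-b", 'other.example.org - - [15/Jul/1996:10:00:00 -0400] "GET /cgi-bin/phf HTTP/1.0" 404 -'),
]

if __name__ == "__main__":
    print(sweepers(SAMPLE))
```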