Security Incidents mailing list archives

Re: Scans from udel.edu and tue.nl
From: razor () LDC RO (Alexandru Popa)
Date: Wed, 22 Mar 2000 13:52:56 +0200


On Tue, 21 Mar 2000, Jose Nazario wrote:

Hi,

      [Local hostnames have been munged, outside addresses are real]

I wanted to write a quick note to you guys about two sets of web scans we
have seen on the CWRU campus these past few days. The first is from the
University of Delaware, with some classic cgi-bin attempts:

strauss.udel.edu - - [19/Mar/2000:11:41:23 -0500] "GET /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%20-a;id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 301
strauss.udel.edu - - [19/Mar/2000:21:44:53 -0500] "POST /cgi-bin/test-cgi HTTP/1.0" 404 210
strauss.udel.edu - - [20/Mar/2000:18:47:53 -0500] "POST /cgi-bin/perl HTTP/1.0" 404 206
strauss.udel.edu - - [21/Mar/2000:00:31:37 -0500] "POST /cgi-bin/sh HTTP/1.0" 404 204
strauss.udel.edu - - [21/Mar/2000:01:16:06 -0500] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 207

Confirmed, seen here on March 21, 06:23 GMT, from same source

Also, can anyone explain what exactly they've been trying to exploit by
the percent-full string? It translates to

/cgi-bin/query?x=<!--#exec cmd="/usr/bin/id"-->

[snip]

Mar 19 09:23:25 4C:workstation rexecd[14897]: refused connect from svstud.win.tue.nl


Seen here too, March 19, 6 full network sweeps, at (EET, NTP stratum 3):
07:14:39
09:08:23
11:47:26
12:57:40
13:00:03
16:42:41

Both were campus wide probes for web access via cgi-bin and rexecd access
(port 512/TCP).

It's likely that other readers have seen these problems as well.

jose nazario                                  jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc


------------+------------------------------------------
Alex Popa,  |There never was a good war or a bad peace
razor () ldc ro|                   -- B. Franklin
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
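The thread does two things by hand: it percent-decodes a request URI to expose the server-side-include `<!--#exec cmd="/usr/bin/id"-->` hidden in the `/cgi-bin/query` line, and it matches rexecd "refused connect from" syslog entries against a scanning host. The script below is an added example (my code, not anything posted in the thread or shipped with any of the tools mentioned) that automates both checks over the log lines quoted above. The access-log lines are the ones from the message; the `www.example.org` request is a constructed benign line, and the indicator lists (the SSI exec directive, shell metacharacters in a `/cgi-bin/` path, the three probe targets seen in the thread) are my choice, not an exhaustive signature set.

```python
"""Flag CGI probe attempts in Apache common-log lines and tally rexecd refusals.

Added example, not code from the thread. The request URI is percent-decoded
until it stops changing (so a double-encoded payload is not missed) before
any pattern is applied; the raw line for the SSI probe shows nothing
suspicious, the decoded one shows an exec directive.
"""
import re
from urllib.parse import unquote

# Sample input: the lines quoted in the thread plus one constructed benign
# request (www.example.org) so the scanner has something to ignore.
SAMPLE_ACCESS_LOG = """\
strauss.udel.edu - - [19/Mar/2000:11:41:23 -0500] "GET /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%20-a;id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 301
strauss.udel.edu - - [19/Mar/2000:21:44:53 -0500] "POST /cgi-bin/test-cgi HTTP/1.0" 404 210
strauss.udel.edu - - [21/Mar/2000:01:16:06 -0500] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 207
www.example.org - - [21/Mar/2000:02:00:00 -0500] "GET /index.html HTTP/1.0" 200 1024
"""

# The rexecd line from the thread; "refused connect from" is the message
# tcp_wrappers logs when a connection is denied by hosts.allow/hosts.deny.
SAMPLE_SYSLOG = "Mar 19 09:23:25 4C:workstation rexecd[14897]: refused connect from svstud.win.tue.nl\n"

# Apache common log format: host ident user [time] "method uri proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
REXECD_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'rexecd\[\d+\]: refused connect from (?P<src>\S+)$'
)

# Indicators (my choice, modelled on the probes in the thread, not exhaustive).
SSI_EXEC_RE = re.compile(r'<!--\s*#\s*exec\b', re.IGNORECASE)   # <!--#exec cmd=...-->
SHELL_META_RE = re.compile(r'[;|`]|\$\(|&&')                     # command separators
KNOWN_CGI_PROBES = {'/cgi-bin/test-cgi', '/cgi-bin/perl', '/cgi-bin/sh'}


def decode_uri(uri, max_rounds=3):
    """Percent-decode repeatedly until the string is stable (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify(line):
    """Parse one access-log line; return a record with a list of findings, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m.group('uri')
    decoded = decode_uri(uri)
    path = decoded.split('?', 1)[0]
    findings = []
    if SSI_EXEC_RE.search(decoded):
        findings.append('ssi-exec')
    if path.startswith('/cgi-bin/') and SHELL_META_RE.search(decoded):
        findings.append('shell-meta')
    if path in KNOWN_CGI_PROBES:
        findings.append('known-probe')
    return {'host': m.group('host'), 'method': m.group('method'), 'uri': uri,
            'decoded': decoded, 'status': int(m.group('status')), 'findings': findings}


def scan(log_text):
    """Return only the parsed records that carry at least one finding."""
    return [rec for rec in map(classify, log_text.splitlines())
            if rec and rec['findings']]


def rexecd_refusals(syslog_text):
    """Count rexecd 'refused connect from' entries per source host."""
    counts = {}
    for line in syslog_text.splitlines():
        m = REXECD_RE.match(line)
        if m:
            counts[m.group('src')] = counts.get(m.group('src'), 0) + 1
    return counts


if __name__ == '__main__':
    for rec in scan(SAMPLE_ACCESS_LOG):
        print(rec['host'], rec['method'], rec['findings'], rec['decoded'])
    print(rexecd_refusals(SAMPLE_SYSLOG))
```

Note that the 404 status on every probe does not make the line uninteresting: the scanner is enumerating, and the decoded URI is what tells you which class of hole (shell metacharacter injection through a CGI argument, SSI exec injection) it was hoping to find. Matching on the raw, still-encoded URI would miss the SSI line entirely.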


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]