Security Incidents mailing list archives

RE: A small quandary

From: "Jerry Shenk" <jshenk () decommunications com>
Date: Fri, 6 Dec 2002 08:35:36 -0500

Those 'attacks' are all fairly common of scripted attacks, trojans, etc.  If
you know that this traffic is coming from this 'hostile' business
acquanitance (how do you know that?), then perhaps it's worth keeping track
of.  If HBA has a static address, then it might be worth scanning the logs
to see what other pages he's tried to get to.  It might also be interesting
to check the times on the 'attacks' - if the times are very fast, then it's
possible he's using an attack tool or perhaps he's become the unwitting host
to a hostile trojan.

I'd hang onto the information so that if this does end up being an actual
attack you'll have evidence to support your accusation but I don't think you
have enough yet.  There are too many logical explanations for this traffic.

-----Original Message-----
From: Mahoney, Paul [mailto:paul () fiberstarr com]
Sent: Wednesday, December 04, 2002 11:30 PM
To: incidents () securityfocus com
Subject: A small quandary


Hi all,

I have in my possession a log file that implicates a business
acquaintance, who to say the least, might have the attitude to mount an
offensive.

The log file contains many entries like:-

404

/cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output
_number=10
/perl/ 1 -
/cgi-bin/test-cgi.bat?|ver 1 -
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: 1 -
/cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini 1 -
/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\

My question to everyone out there is would anyone be able to tell me if
this kind of attack has the fingerprints of any known software/viruses
in the field or is it a deliberate attempt to gain access to my clients
site?

Your thoughts are welcomed


Paul Mahoney
Director
FiberStarr Systems
www.fiberstarr.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

A small quandary Mahoney, Paul (Dec 05)
- RE: A small quandary Jerry Shenk (Dec 08)
- RE: A small quandary Rob Shein (Dec 08)
- Re: A small quandary H C (Dec 08)
  - RE: A small quandary Bojan Zdrnja (Dec 09)
- Re: A small quandary Mike Katz (Dec 08)
- Re: A small quandary gminick (Dec 08)
- Odd entries in my Security Router logs Julian Young (Dec 09)