Great Circle Associates Firewalls
(July 1996)
 


Subject: Re: Dirty Dogs
From: bve @ omsk . yourtown . com (BVE)
Date: Thu, 11 Jul 96 20:22:55 EDT
To: firewalls @ greatcircle . com

from the quill of hhantman @ eo . ray . com (Howard Hantman) on scroll <9607111219 . AA25794 @ eo . ray . com>
>> Well, folks, whether or not you try to contact genstar.net or zilker.net is
>> one issue, but I would definitely do SOMETHING, at least on your own systems.
>> Both of these log snippets indicate a SUCCESSFUL use of this attack. Especially
>> now that you've published your vulnerability to the world, I hope you're
>> disabling the script!
>
>From: Brian Murrell <Brian_Murrell @ bctel . net>
>
>Not necessarily.  Those look similar to the log files on our server,
>however if one looks at the corresponding errors file (for the Netscape
>server) one will notice error messages regarding the access and how the
>file could not be found.

Brian is correct.  The access logs of the WWW servers I've used log all
attempts, whether or not they are successful.  We also were probed:

152.169.232.79 - - [03/Jul/1996:17:09:06 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -

This attempt failed, as we did not have a phf CGI script.  Interestingly, here
is the whois:
          > whois -h rs.internic.net 152.169.232.0
No match for "152.169.232.0".

The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.

...and:
          > whois 152.169.232.0
No match for "152.169.232.0".

Please be advised that this whois server only contains DOD Information.
All INTERNET Domain, IP Network Number, and ASN records are kept in
the Internet Registry, RS.INTERNIC.NET.

...and nslookup:
          > nslookup 152.169.232.79
Server:  omsk.yourtown.com
Address:  205.246.66.7

Name:    [152.169.232.79]
Address:  152.169.232.79

-----------------------------

This person seems to have covered their tracks pretty well.  Any ideas on
tracking them?

					Bill Van Emburg
					Quadrix Solutions, Inc.
					(bve @ quadrix . com)
					(http://yourtown.com)
	"You do what you want, and if you didn't, you don't"
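The point Brian and Bill make, that the access log records every attempt while the status code tells you whether the phf script was actually there to run, can be turned into a log check. What follows is an added example, not code from this post or from the list: it parses NCSA common-log lines, flags phf requests carrying the %0a newline that the phf hole turned into a shell command, and sorts them by status. The 404 line is the one quoted above; the 200 line and the 192.0.2.x hosts are constructed sample data.

```python
import re
from urllib.parse import unquote

# NCSA common log format: host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

def parse_clf(line):
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify_phf(entry):
    """Return (verdict, decoded_query) for a phf request, else None. The phf hole let a
    %0a newline smuggle a shell command in; 404 = no script, so the probe failed."""
    path = entry["path"]
    if not path.startswith("/cgi-bin/phf"):
        return None
    decoded = unquote(path.split("?", 1)[1]) if "?" in path else ""
    injected = "\n" in decoded  # %0a decodes to a newline: the phf injection marker
    if entry["status"] == 404:
        return "probe-failed-no-script", decoded
    if injected and 200 <= entry["status"] < 300:
        return "likely-executed-investigate", decoded
    return ("injection-attempt-other-status" if injected else "phf-request-no-injection"), decoded

def scan(lines):
    """Return [(host, verdict, decoded_query)] for every phf request in the log."""
    findings = []
    for line in lines:
        entry = parse_clf(line)
        result = classify_phf(entry) if entry is not None else None
        if result is not None:
            findings.append((entry["host"], result[0], result[1]))
    return findings

# Constructed sample: line 1 is the one quoted in the post; the other two are made up.
SAMPLE_LOG = [
    '152.169.232.79 - - [03/Jul/1996:17:09:06 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -',
    '192.0.2.10 - - [03/Jul/1996:17:10:00 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1023',
    '192.0.2.11 - - [03/Jul/1996:17:11:00 -0400] "GET /index.html HTTP/1.0" 200 512',
]
```

A 404 on its own only says the script was absent; as Brian notes, the server's error log is where the "file not found" for the same request shows up, so cross-check there before treating a hit as a break-in.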

