BVE wrote this...
> Brian is correct. The access logs of the WWW servers I've used log
> all attempts, whether or not they are successful. We also were
> probed:
> 152.169.232.79 - - [03/Jul/1996:17:09:06 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> This attempt failed, as we did not have a phf CGI script.
> Interestingly, here is the whois:
> > whois -h rs.internic.net 152.169.232.0
> No match for "152.169.232.0".
try whois -h rs.internic.net 152.169
[snip]
> ...and nslookup:
> > nslookup 152.169.232.79
> Server: omsk.yourtown.com
> Address: 205.246.66.7
> Name: [152.169.232.79]
> Address: 152.169.232.79
try
% nslookup
Default Server: foo.bar.baz
Address: 257.257.257.257
> set type=any
> 169.152.in-addr.arpa.
Server: foo.bar.baz
Address: 257.257.257.257
Non-authoritative answer:
169.152.in-addr.arpa
origin = hp81.prod.aol.net
mail addr = postmaster.hp81.prod.aol.net
serial = 2
refresh = 3600 (1 hour)
retry = 300 (5 mins)
expire = 86400 (1 day)
minimum ttl = 3600 (1 hour)
Authoritative answers can be found from:
[server listings snipped]
> server hp81.prod.aol.net.
Default Server: hp81.prod.aol.net
Address: 192.203.190.18
> ls -d 169.152.in-addr.arpa.
[hp81.prod.aol.net]
*** Can't list domain 169.152.in-addr.arpa.: Query refused
>
now that is a bit more informative but no zone dump unfortunately...
but considering the low serial (2), it probably has very little in the
way of records if any... you might want to traceroute to the address
and try snmp probing the routers closest to the target address.
> This person seems to have covered their tracks pretty well. Any ideas on
> tracking them??
not really, they seem to have come from aol (assuming there is no
source routing). and since there would seem to be very few records for
this subnet (that I can find anyway), it would also probably be
from a dial-in address.
Matt
--
Matthew Keenan Network Administrator First Pacific Stockbrokers
Sydney, Australia
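The thread's two raw materials are the access-log line and the in-addr.arpa zone for the source address. As an added example (not from the thread or its authors), this Python script parses Common Log Format lines, flags phf requests whose decoded query carries the %0a newline injection, and derives the reverse zone names one would query for SOA as done above; the log lines are constructed, with the first mirroring the one BVE quoted.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache Common Log Format. The first mirrors
# the phf probe quoted in the thread; the others are ordinary requests.
SAMPLE_LOG = """\
152.169.232.79 - - [03/Jul/1996:17:09:06 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
10.0.0.5 - - [03/Jul/1996:17:10:00 -0400] "GET /index.html HTTP/1.0" 200 1043
10.0.0.6 - - [03/Jul/1996:17:11:30 -0400] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 404 -
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

def parse_clf(line):
    """Return a dict of the CLF fields, or None if the line does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None

def is_phf_probe(path):
    """True for a phf request whose decoded query contains a newline (%0a),
    the injection that made phf run a shell command. A plain phf lookup
    such as Qalias=smith is not flagged."""
    if "/cgi-bin/phf" not in path.lower():
        return False
    query = path.split("?", 1)[1] if "?" in path else ""
    return "\n" in unquote(query)

def reverse_zones(ip):
    """in-addr.arpa zone names for the address, from /24 up to /8, e.g.
    232.169.152.in-addr.arpa, 169.152.in-addr.arpa, 152.in-addr.arpa;
    query each for SOA to find who administers the reverse space."""
    octets = ip.split(".")
    return [".".join(reversed(octets[:n])) + ".in-addr.arpa" for n in (3, 2, 1)]

def find_probes(log_text):
    """Return (ip, decoded path, status) for every phf injection attempt."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_phf_probe(rec["path"]):
            hits.append((rec["ip"], unquote(rec["path"]), rec["status"]))
    return hits

if __name__ == "__main__":
    for ip, path, status in find_probes(SAMPLE_LOG):
        print(ip, status, repr(path))
        print("  reverse zones to check:", ", ".join(reverse_zones(ip)))
```

A 404 on the probe, as in BVE's log, means the script was absent; a 200 on the same request is the case that needs immediate follow-up.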