mtl-hse-ppp186183.qc.sympatico.ca - - [19/May/2003:23:26:17 -0500] "HEAD /index.html HTTP/1.0" 404 0 "-" "Mozilla/5.0 (compatible; MSIE 5.0; Windows 98)"
mtl-hse-ppp186183.qc.sympatico.ca - - [19/May/2003:23:26:17 -0500] "HEAD /_vti_cnf/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 403 0 "-" "Tcs/1.0 build 82"
mtl-hse-ppp186183.qc.sympatico.ca - - [19/May/2003:23:26:17 -0500] "HEAD /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd HTTP/1.0" 400 0 "-" "Tcs/1.0 build 82"
mtl-hse-ppp186183.qc.sympatico.ca - - [19/May/2003:23:26:17 -0500] "HEAD /cfdocs/exampleapp/email/ HTTP/1.0" 404 0 "-" "Tcs/1.0 build 82"
mtl-hse-ppp186183.qc.sympatico.ca - - [19/May/2003:23:26:17 -0500] "HEAD /cgi-bin/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 0 "-" "Tcs/1.0 build 82"
It uses the HEAD term, which is new to me, and not the GET or POST that I would normally see. At the end of this there are two lines that use GET:
"GET /cgi-bin/plusmail HTTP/1.1" 200 3234 "-"
"GET /cgi-bin/php HTTP/1.1" 200 655 "-"
Then the domain changed a bit and opened a couple of pages.
Do I need to be concerned about this? I am just trying to understand more.
It could just be a link checker using HEAD to save bandwidth, but the accesses at the end to your cgi and e-mail directories make it look more like an e-mail address harvester.
You might want to block it by IP address if possible, or use key_master's bad-bot script [webmasterworld.com] to catch it on the fly.
Jim
There must be some tool that has just made it into the cracker community that probes any HTTP server for all currently known web server vulnerabilities - that is why you are seeing requests for cmd.exe and /etc/passwd.
Shouldn't be anything to worry about as long as you are up to date on the patches for your platform.
It is very unlikely to be a personal attack. A script kiddy probably started with a port scan across an IP range it picked out of the sky, then ran a HTTP vulnerability probe on anything listening on Port 80.
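As an added example (not code from the thread, and not key_master's bad-bot script), here is a small Python log checker for the kind of probe dmorison describes: it parses combined-format lines, percent-decodes repeatedly so double-encoded traversal such as %255c is caught, and separately notes overlong UTF-8 sequences like %fc%80%80%80%80%af that a plain decode turns into replacement characters. The sample lines are the ones quoted at the top of the thread; the indicator lists are my own assumptions.

```python
import re
from urllib.parse import unquote

# Sample lines copied from the access log quoted at the top of the thread.
SAMPLE = [
    r'mtl-hse-ppp186183.qc.sympatico.ca - - [19/May/2003:23:26:17 -0500] "HEAD /index.html HTTP/1.0" 404 0 "-" "Mozilla/5.0 (compatible; MSIE 5.0; Windows 98)"',
    r'mtl-hse-ppp186183.qc.sympatico.ca - - [19/May/2003:23:26:17 -0500] "HEAD /_vti_cnf/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 403 0 "-" "Tcs/1.0 build 82"',
    r'mtl-hse-ppp186183.qc.sympatico.ca - - [19/May/2003:23:26:17 -0500] "HEAD /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd HTTP/1.0" 400 0 "-" "Tcs/1.0 build 82"',
    r'mtl-hse-ppp186183.qc.sympatico.ca - - [19/May/2003:23:26:17 -0500] "HEAD /cgi-bin/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 0 "-" "Tcs/1.0 build 82"',
]

# Apache combined log format: host ident user [time] "method path proto" status size ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+')
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')  # "../" once the path is decoded and backslashes normalised
SENSITIVE = re.compile(r'cmd\.exe|/etc/(security/)?passwd|passwd\.txt|/msadc/|/_vti_', re.I)  # assumed list
OVERLONG = re.compile(r'%[cC]0%[aA][eE]|%[fF][cC](?:%80){4}%[aA][fF]')  # overlong UTF-8 for "." and "/"

def normalize(path):
    """Percent-decode up to three times so %255c -> %5c -> '\\', then treat '\\' like '/'."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')

def classify(line):
    """Return the parsed request plus the reasons it looks like a scanner probe, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group('path')
    norm = normalize(raw)
    reasons = []
    if TRAVERSAL.search(norm):
        reasons.append('directory traversal')
    if SENSITIVE.search(norm):
        reasons.append('sensitive target')
    if OVERLONG.search(raw):  # checked on the raw path: unquote() turns these bytes into U+FFFD
        reasons.append('overlong UTF-8 encoding')
    return {'host': m.group('host'), 'method': m.group('method'), 'status': int(m.group('status')), 'path': norm, 'reasons': reasons}

def scan(lines):
    hits = {}  # flagged requests grouped by client host, the unit you would block or report to the host
    for line in lines:
        r = classify(line)
        if r and r['reasons']:
            hits.setdefault(r['host'], []).append(r)
    return hits
```

Running `scan(SAMPLE)` flags three of the four sample requests from the one sympatico.ca host and leaves the plain HEAD /index.html alone.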
Redirect /scripts [fbi.gov...]
Redirect /d/winnt/system32/cmd.exe [fbi.gov...]
Redirect /c/winnt/system32/cmd.exe [fbi.gov...]
Redirect /_mem_bin/ [fbi.gov...]
Redirect /msadc/ [fbi.gov...]
Redirect /MSADC/ [fbi.gov...]
Redirect /scripts/ [fbi.gov...]
[edited by: jim_w at 6:06 pm (utc) on May 20, 2003]
Thanks, the visitor was asking for a lot of files that I do not have like for orders, shopping carts, stores and also other things like:
/cgi-bin/visadmin.exe?user=guest
/etc/passwd
/wwwboard/passwd.txt
/etc/security/passwd
/etc/security/passwd.adjunct
It must have asked for some kind of password file 20 to 30 times, plus other sensitive files.
dmorison,
When you say up to date on my platform with patches do you mean my website host or is there something I need?
Sorry - blindly assumed you were running your own server. Yes - these are things that your hosting provider needs to be on top of.
Any reputable hosting provider should be actively making sure that their platforms are securely configured and up to date with the latest patches.
There is nothing you need to do - however I would copy the log to the support contact at your hosting provider just as a heads-up.