suspicious http log

From: Emre Yildirim (emreat_private)
Date: Sun Oct 21 2001 - 15:35:44 PDT


    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:28:48 -0500] "GET 
    /cgi-bin/rwwwshell.pl HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:28:51 -0500] "GET 
    /cgi-bin/Count.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:28:56 -0500] "GET 
    /cgi-bin/test-cgi HTTP/1.0" 200 447 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:28:57 -0500] "GET 
    /cgi-bin/nph-test-cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:29:07 -0500] "GET 
    /cgi-bin/nph-publish HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:18 -0500] "GET 
    /cgi-bin/unlg1.1 HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:19 -0500] "GET 
    /cgi-bin/phf HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:22 -0500] "GET 
    /cgi-bin/rwwwshell.pl HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:25 -0500] "GET 
    /cgi-bin/Count.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:30 -0500] "GET 
    /cgi-bin/test-cgi HTTP/1.0" 200 447 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:37 -0500] "GET 
    /cgi-bin/nph-test-cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:38 -0500] "GET 
    /cgi-bin/php.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:39 -0500] "GET 
    /cgi-bin/nph-publish HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:39 -0500] "GET 
    /cgi-bin/handler HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:41 -0500] "GET 
    /cgi-bin/webgais HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:42 -0500] "GET 
    /cgi-bin/websendmail HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:51 -0500] "GET 
    /cgi-bin/faxsurvey HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:53 -0500] "GET 
    /cgi-bin/htmlscript HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:55 -0500] "GET 
    /cgi-bin/webdist.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:15 -0500] "GET 
    /cgi-bin/pfdispaly.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:17 -0500] "GET 
    /cgi-bin/perl.exe HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:22 -0500] "GET 
    /cgi-bin/view-source HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:23 -0500] "GET 
    /cgi-bin/campas HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:23 -0500] "GET 
    /cgi-bin/wwwboard.pl HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:25 -0500] "GET 
    /cgi-bin/www-sql HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:38 -0500] "GET 
    /cgi-bin/aglimpse HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:45 -0500] "GET 
    /cgi-bin/man.sh HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:49 -0500] "GET 
    /cgi-bin/glimpse HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:50 -0500] "GET 
    /cgi-bin/AT-admin.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:53 -0500] "GET 
    /cgi-bin/maillist.pl HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:54 -0500] "GET 
    /cgi-bin/jj HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:56 -0500] "GET 
    /cgi-bin/info2www HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:56 -0500] "GET 
    /cgi-bin/filemail.pl HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:57 -0500] "GET 
    /cgi-bin/files.pl HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:00 -0500] "GET 
    /cgi-bin/bnbform.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:02 -0500] "GET 
    /cgi-bin/survey.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:04 -0500] "GET 
    /cgi-bin/finger HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:08 -0500] "GET 
    /cgi-bin/AnyForm2 HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:09 -0500] "GET 
    /cgi-bin/classifieds.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:10 -0500] "GET 
    /cgi-bin/textcounter.pl HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:16 -0500] "GET 
    /cgi-bin/environ.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:17 -0500] "GET 
    /cgi-bin/edit.pl HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:17 -0500] "GET 
    /cgi-bin/wrap HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:19 -0500] "GET 
    /cgi-bin/cgiwrap HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:20 -0500] "GET 
    /cgi-bin/guestbook.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:21 -0500] "GET 
    /cgi-bin/webbbs.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:23 -0500] "GET 
    /cgi-bin/perlshop.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:24 -0500] "GET 
    /cgi-bin/anyboard.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:28 -0500] "GET 
    /cgi-bin/environ.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:34 -0500] "GET 
    /cgi-bin/whois_raw.cgi HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:35 -0500] "GET 
    /_vti_pvt/service.pwd HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:36 -0500] "GET 
    /_vti_inf.html HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:37 -0500] "GET 
    /_vti_pvt/users.pwd HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:38 -0500] "GET 
    /_vti_pvt/authors.pwd HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:43 -0500] "GET 
    /_vti_bin/shtml.exe HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:45 -0500] "GET 
    /_vti_pvt/administrators.pwd HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:46 -0500] "GET 
    /_vti_bin/shtml.dll HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:49 -0500] "GET 
    /cgi-win/uploader.exe HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:49 -0500] "GET 
    /cgi-dos/args.bat HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:50 -0500] "GET 
    /cgi-bin/rguest.exe HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:55 -0500] "GET 
    /scripts/tools/newdsn.exe HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:57 -0500] "GET 
    /cgi-bin/wguest.exe HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:58 -0500] "GET 
    /scripts/counter.exe HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:58 -0500] "GET 
    /scripts/CGImail.exe HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:01 -0500] "GET 
    /scripts/fpcount.exe HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:10 -0500] "GET 
    /cfdocs/expelval/openfile.cfm HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:11 -0500] "GET 
    /cfdocs/expelval/exprcalc.cfm HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:13 -0500] "GET 
    /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:13 -0500] "GET 
    /cgi-bin/visadmin.exe HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:18 -0500] "GET 
    /iissamples/exair/howitworks/codebrws.asp HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:19 -0500] "GET 
    /cfdocs/expelval/sendmail.cfm HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:25 -0500] "GET 
    /iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:29 -0500] "GET 
    /carbo.dll HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:29 -0500] "GET 
    /msads/Samples/SELECTOR/showcode.asp HTTP/1.0" 302 279 "-" "-"
    host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:33 -0500] "GET 
    /search97.vts HTTP/1.0" 302 279 "-" "-"
    
    
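    The requests above were obviously generated by some sort of automated tool, or perhaps by
    an infected host? Every request was answered with a 302 (279 bytes) except
    /cgi-bin/test-cgi, which returned 200 (447 bytes) both times. All of this is followed
    by the usual Code Red II stuff.  Does anyone know what it is?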
    
    
    
    -- 
    Emre Yildirim <emreat_private>
    GPG KeyID 0xF9E4A1D1 (keyserver.pgp.com)
    
    
    
    


