Re: A small quandary

From: H C (keydet89at_private)
Date: Fri Dec 06 2002 - 05:49:11 PST


    Paul,
    
    None of the entries seems overly malicious...actually,
    a couple of them are hardly original.  From the excerpt
    you've provided, it looks as if a scan w/ any one of a
    number of scanners was conducted...one that isn't
    overly intelligent.  So...other than the scan, I don't
    see anything particularly malicious.
    
    If these are all "404"s, then I don't really see where
    the quandary is, nor do I see how an offensive would be
    mounted...
    
    > /cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output_number=10
    
    
    *VERY* old attempt to cat the etc/passwd file.  This
    used to be searchable via AltaVista...use of shadowed
    password files obviated it.
    
    > /perl/ 1 -
    
    Attempt at Perl...
     
    > /cgi-bin/test-cgi.bat?|ver 1 -
    
    Attempt at a CGI script.
     
    > /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: 1 -
    > /cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini 1 -
    > /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\
    
    Attempts at dir. traversal on IIS.
    
    
    > My question to everyone out there is would anyone be
    > able to tell me if
    > this kind of attack has the fingerprints of any
    > known software/viruses
    > in the field or is it a deliberate attempt to gain
    > access to my clients site?
    
    It's a scan, nothing more.  It would help if you'd
    been a little more clear on the response codes...but
    the attempts are obviously against a wide range of
    systems...the etc/passwd attempt, for example, *used*
    to work on Linux/*nix systems.  The last three entries
    are specific to IIS.  Whoever ran the scan didn't even
    bother to use a scanner intelligent enough to do
    banner grabbing in order to narrow down the os/web
    server of the target. 
    
    Again, I don't see where the quandary lies, and I don't
    see any sort of "attack" in what you've posted.  
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
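
The triage reasoning in the message above (probes aimed at several platforms at once, and response codes deciding whether anything needs follow-up), as an added example that is not part of the original post. The rule names, platform labels and the status codes in the sample are assumptions made for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in the post's "<request> <hits> <status>" layout. The request
# paths are the ones quoted in the post; the status codes are invented here.
SAMPLE_LOG = r"""
/cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output_number=10 1 404
/perl/ 1 404
/cgi-bin/test-cgi.bat?|ver 1 404
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: 1 404
/cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini 1 404
/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\ 1 404
/index.html 37 200
"""

# (technique, platform the probe only makes sense against, pattern).
# The platform labels are this example's assumptions.
RULES = [
    ("shell metacharacter in CGI parameter", "unix", re.compile(r"[;|]\s*cat\s+/etc/")),
    ("batch-file CGI command injection", "windows", re.compile(r"\.bat\?\|")),
    ("overlong UTF-8 encoded path separator", "windows", re.compile(r"%c[01]%[89ab][0-9a-f]")),
    ("double-encoded dot segment", "windows", re.compile(r"%25(2e|2f|5c)")),
    ("traversal to Windows system path", "windows", re.compile(r"\.\./.*winnt/")),
]


def classify(request):
    """Return (technique, platform) pairs for every rule the request matches."""
    raw = request.lower()
    decoded = unquote_plus(unquote_plus(request)).lower()  # undo double encoding
    return [(t, p) for t, p, rx in RULES if rx.search(raw) or rx.search(decoded)]


def triage(log):
    """Summarise a scan: platforms probed, and probes not answered with 404."""
    platforms, review = set(), []
    for line in log.strip().splitlines():
        request, _hits, status = line.rsplit(None, 2)
        hits = classify(request)
        platforms.update(p for _, p in hits)
        if hits and status != "404":
            review.append((request, status, [t for t, _ in hits]))
    # Probes against more than one platform suggest no fingerprinting was done.
    return {"platforms": sorted(platforms), "untargeted": len(platforms) > 1,
            "needs_review": review}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An empty `needs_review` list corresponds to the all-404 case; any entry in it is a probe whose response should be examined by hand.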
    



    This archive was generated by hypermail 2b30 : Sun Dec 08 2002 - 19:30:12 PST