Re: A small quandary

From: H C <keydet89(at)yahoo.com>
Date: Fri Dec 06 2002 - 08:49:11 EST

Paul,

None of the entries seems overly malicious...actually, a couple of them are hardly original. From the except you've provided, it looks as if a scan w/ any one of a number of scanners was conducted...one that isn't overly intelligent. So...other than the scan, I don't see anything particularly malicious.

If these are all "404"s, then I don't really see where the quandry is, nor do I see how an offensive would be mounted...

>

/cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output
> _number=10

*VERY* old attempt to cat the etc/passwd file. This used to be searchable via AltaVista...use of shadowed password files obviated it.

> /perl/ 1 -

Attempt at Perl...  

> /cgi-bin/test-cgi.bat?|ver 1 -

Attempt at a CGI script.  

> /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:
> 1 -
>

/cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini
> 1 -
>

/scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\
>

Attempts at dir. transversal on IIS.

> My question to everyone out there is would anyone be

It's a scan, nothing more. It would help if you'd been a little more clear on the response codes...but the attempts are obviously against a wide range of systems...the etc/passwd attempt, for example, *used* to work on Linux/*nix systems. The last three entries are specific to IIS. Whoever ran the scan didn't even bother to use a scanner intelligent enough to do banner grabbing in order to narrow down the os/web server of the target.

Again, I don't see where the quandry lies, and I don't see any sort of "attack" in what you've posted.

---

Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Sun Dec 8 22:33:50 2002