The FreeBSD Diary

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.

I was probed! The security worked. 2 February 1999

Need more help on this topic? Click here
This article has no comments
Show me similar articles

Tonight I checked my security logs and found some interesting items. I'm going to show you what they were in the hopes that you can recognize them should you seem them in your logs.

I also recommend http://www.psionic.com/papers/attacks/ as a good place to start if you want to check the security of your site.

The logs

Feb  2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
Feb  2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com

This is output from tcp_wrapper telling us that it refused connection to the cracker. This is good.

Feb  2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from 
                                   root@ns.cvvm.com [139.142.106.131]
Feb  2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from 
                                   root@ns.cvvm.com [139.142.106.131]

Again, tcp_wrapper again. And I'm not sure what this message means but it might be the cracker just wanted to see the sendmail banners. Sendmail prior to 8.9.2 does not disable mail relay by default.

"GET /cgi-bin/phf HTTP/1.0" 404 164
"GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
"GET /cgi-bin/test-cgi HTTP/1.0" 404 169
"GET /cgi-bin/php.cgi HTTP/1.0" 404 168
"GET /cgi-bin/handler HTTP/1.0" 404 168
"GET /cgi-bin/webgais HTTP/1.0" 404 168
"GET /cgi-bin/websendmail HTTP/1.0" 404 172
"GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
"GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
"GET /cgi-bin/htmlscript HTTP/1.0" 404 171
"GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
"GET /cgi-bin/perl.exe HTTP/1.0" 404 169
"GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
"GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
"GET /cgi-bin/jj HTTP/1.0" 404 163

This represents probes for cgi_bin scripts which contain known exploits. In short, they were looking for holes in the software. They didn't find any of those programs. httpd-error.log confirms this. If you don't need a script, delete it.

Do the right thing

Your site has been probed. What do you do? You find out what happened, fix it, and make sure it doesn't happen again. But that's not all. You should also inform the admins at the site from which the attack was launched. In the above case, it seems as if the cracker had root access to the cvvm.com name server. We admins have to stick together. It is only polite to inform them what happened. It may also be that they are unaware of the compromise. Any information can be useful.

I sent email containing the above details, including the time zone in which these times occurred, to root@cvvm.com. But it bounced. It seems their domain was down. So then I did a whois to find out who to send it to. I used the addressed I found below.

[root@ns:/var/log] # whois cvvm.com

Registrant:
Cowichan Valley Virtual Mall (CVVM-DOM)
   103 - 2700 Beverly St
   Duncan, BC V9L5C7
   CA

   Domain Name: CVVM.COM

   Administrative Contact:
      Goodliffe, M  (MG2727)  myke@ISLAND.NET
      1-250-748-0818
   Technical Contact, Zone Contact:
      Fraser, Tony  (TF1661)  frasert@ISLANDNET.COM
      1-250-245-2984
   Billing Contact:
      Goodliffe, M  (MG2727)  myke@ISLAND.NET
      1-250-748-0818

   Record last updated on 11-Jun-98.
   Database last updated on 31-Jan-99 07:05:37 EST.

   Domain servers in listed order:

   NS.CVVM.COM                  139.142.106.131
   NS.BAREMETAL.COM             209.133.48.1

Feedback

Please, if you have any comments regarding this, or any other article, add your comments.

Need more help on this topic? Click here
This article has no comments
Show me similar articles