I was probed! The security worked.

I was probed! The security worked.

Tonight I checked my security logs and found some interesting items.  I’m going
to show you what they were in the hopes that you can recognize them should you seem them
in your logs.

I also recommend http://www.psionic.com/papers/attacks/
as a good place to start if you want to check the security of your site.

The logs

Feb  2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
Feb  2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com

This is output from tcp_wrapper telling us that
it refused connection to the cracker.  This is good.

Feb  2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from 
                                   root@ns.cvvm.com [139.142.106.131]
Feb  2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from 
                                   root@ns.cvvm.com [139.142.106.131]

Again, tcp_wrapper again.  And I’m not sure what this message means but
it might be the cracker just wanted to see the sendmail banners.
  Sendmail prior to 8.9.2 does not disable mail relay by default.

"GET /cgi-bin/phf HTTP/1.0" 404 164
"GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
"GET /cgi-bin/test-cgi HTTP/1.0" 404 169
"GET /cgi-bin/php.cgi HTTP/1.0" 404 168
"GET /cgi-bin/handler HTTP/1.0" 404 168
"GET /cgi-bin/webgais HTTP/1.0" 404 168
"GET /cgi-bin/websendmail HTTP/1.0" 404 172
"GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
"GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
"GET /cgi-bin/htmlscript HTTP/1.0" 404 171
"GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
"GET /cgi-bin/perl.exe HTTP/1.0" 404 169
"GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
"GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
"GET /cgi-bin/jj HTTP/1.0" 404 163  

This represents probes for cgi_bin scripts which contain known exploits.
  In short, they were looking for holes in the software.  They didn’t find any
of those programs.  httpd-error.log confirms this.  If you don’t need
a script, delete it.

Do the right thing

Your site has been probed.  What do you do?  You find out what happened, fix
it, and make sure it doesn’t happen again.  But that’s not all.  You should also
inform the admins at the site from which the attack was launched.  In the above case,
it seems as if the cracker had root access to the cvvm.com name server.  
We admins have to stick together.  It is only polite to inform them what
happened.  It may also be that they are unaware of the compromise.  Any
information can be useful.

I sent email containing the above details, including the time
zone in which these times occurred, to root@cvvm.com.  But it bounced.  It seems
their domain was down.   So then I did a whois to find out who to send it
to.  I used the addressed I found below.

[root@ns:/var/log] # whois cvvm.com

Registrant:
Cowichan Valley Virtual Mall (CVVM-DOM)
   103 - 2700 Beverly St
   Duncan, BC V9L5C7
   CA

   Domain Name: CVVM.COM

   Administrative Contact:
      Goodliffe, M  (MG2727)  myke@ISLAND.NET
      1-250-748-0818
   Technical Contact, Zone Contact:
      Fraser, Tony  (TF1661)  frasert@ISLANDNET.COM
      1-250-245-2984
   Billing Contact:
      Goodliffe, M  (MG2727)  myke@ISLAND.NET
      1-250-748-0818

   Record last updated on 11-Jun-98.
   Database last updated on 31-Jan-99 07:05:37 EST.

   Domain servers in listed order:

   NS.CVVM.COM                  139.142.106.131
   NS.BAREMETAL.COM             209.133.48.1

Feedback

Please, if you have any comments regarding this, or any other article, add your comments.

Leave a Comment

Scroll to Top