Feb 021999

I was probed! The security worked.

Tonight I checked my security logs and found some interesting items.  I’m going to show you what they were in the hopes that you can recognize them should you seem them in your logs.

I also recommend http://www.psionic.com/papers/attacks/ as a good place to start if you want to check the security of your site.

The logs

Feb  2 17:34:20 ns telnetd[29665]: refused connect from ns.cvvm.com
Feb  2 17:34:20 ns telnetd[29667]: refused connect from ns.cvvm.com

This is output from tcp_wrapper telling us that it refused connection to the cracker.  This is good.

Feb  2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from 
                                   root@ns.cvvm.com []
Feb  2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from 
                                   root@ns.cvvm.com []

Again, tcp_wrapper again.  And I’m not sure what this message means but it might be the cracker just wanted to see the sendmail banners.   Sendmail prior to 8.9.2 does not disable mail relay by default.

"GET /cgi-bin/phf HTTP/1.0" 404 164
"GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
"GET /cgi-bin/test-cgi HTTP/1.0" 404 169
"GET /cgi-bin/php.cgi HTTP/1.0" 404 168
"GET /cgi-bin/handler HTTP/1.0" 404 168
"GET /cgi-bin/webgais HTTP/1.0" 404 168
"GET /cgi-bin/websendmail HTTP/1.0" 404 172
"GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
"GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
"GET /cgi-bin/htmlscript HTTP/1.0" 404 171
"GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
"GET /cgi-bin/perl.exe HTTP/1.0" 404 169
"GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
"GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
"GET /cgi-bin/jj HTTP/1.0" 404 163  

This represents probes for cgi_bin scripts which contain known exploits.   In short, they were looking for holes in the software.  They didn’t find any of those programs.  httpd-error.log confirms this.  If you don’t need a script, delete it.

Do the right thing

Your site has been probed.  What do you do?  You find out what happened, fix it, and make sure it doesn’t happen again.  But that’s not all.  You should also inform the admins at the site from which the attack was launched.  In the above case, it seems as if the cracker had root access to the cvvm.com name server.   We admins have to stick together.  It is only polite to inform them what happened.  It may also be that they are unaware of the compromise.  Any information can be useful.

I sent email containing the above details, including the time zone in which these times occurred, to root@cvvm.com.  But it bounced.  It seems their domain was down.   So then I did a whois to find out who to send it to.  I used the addressed I found below.

[root@ns:/var/log] # whois cvvm.com

Cowichan Valley Virtual Mall (CVVM-DOM)
   103 - 2700 Beverly St
   Duncan, BC V9L5C7

   Domain Name: CVVM.COM

   Administrative Contact:
      Goodliffe, M  (MG2727)  myke@ISLAND.NET
   Technical Contact, Zone Contact:
      Fraser, Tony  (TF1661)  frasert@ISLANDNET.COM
   Billing Contact:
      Goodliffe, M  (MG2727)  myke@ISLAND.NET

   Record last updated on 11-Jun-98.
   Database last updated on 31-Jan-99 07:05:37 EST.

   Domain servers in listed order:



Please, if you have any comments regarding this, or any other article, add your comments.