cgi-bin/view-source?cgi-bin/view-source

cgi-bin/view-source?cgi-bin/view-source

Post by Andre van Straate » Mon, 10 Apr 2000 04:00:00



This line is out of my Web server log file:

ultra.mpls.k12.mn.us - - [09/Apr/2000:01:44:55 -0500] "GET /cgi-bin/view-source?cgi-bin/view-source HTTP/1.0" 404 213

This line is the only one from this IP address in the log file.
Does anybody know what this is intended to do? I didn't find any hints on a program
view-source. Is it kind of phf or aglimpse?

Thanks,
Andre

Andre van Straaten
http://www.vanstraatensoft.com
______________________________________________

 
 
 

cgi-bin/view-source?cgi-bin/view-source

Post by Remove NO_SPAM to rep » Tue, 11 Apr 2000 04:00:00



Quote:> This line is out of my Web server log file:
> ultra.mpls.k12.mn.us - - [09/Apr/2000:01:44:55 -0500] "GET /cgi-bin/view-source?cgi-bin/view-source HTTP/1.0" 404 213
> This line is the only one from this IP address in the log file.
> Does anybody know what this is intended to do? I didn't find any hints on a program
> view-source. Is it kind of phf or aglimpse?

Your computer was being scanned for a vulnerability in the view-source
cgi script that would allow the attacker (a Mineapolis high school
student) to view your /etc/passwd file (or any other file).  Your web
server didn't have this cgi installed and returned a 404.  You don't
need to worry.

If you're curious about the attack, go to http://rootshell.com and do
a search on view_source.

Damian Menscher
--


--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--

 
 
 

cgi-bin/view-source?cgi-bin/view-source

Post by jose » Tue, 11 Apr 2000 04:00:00



> ultra.mpls.k12.mn.us - - [09/Apr/2000:01:44:55 -0500] "GET /cgi-bin/view-source?cgi-bin/view-source HTTP/1.0" 404 213

i saw this, too, in cleveland.


 
 
 

1. /cgi-bin/phf /cgi-bin/test-cgi /cgi-bin/handler

I've been seeing a number of attacks of this sort recently
from various sites in the http logs.  The time correlation
between the logs on various hosts suggests that the attacker
was scanning sequentially upward in IP addresses.  Since all
tcp and udp packets to ports below 1024 except for http,
smtp, and ident are filtered out for most, including the
attacking, sites, I'm not seeing anything else in the logs.

209.61.73.47 - - [04/Jul/1998:07:19:27 -0500] "GET /cgi-bin/phf" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/test-cgi" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/handler" 404 -

Is this a signature of some known attackware?  If so, what
other attacks accompany these http probes?

--

2. NNTP Newsreading Question..

3. CGI-bin returns source not HTTP document?

4. gtk+ rpm for libc5 ?

5. cgi-bin (C bin) hangs under Linux

6. help with gimp

7. http://host/~user/cgi-bin/test.cgi <-- i see a txt file

8. How can I get my linux box to turn on another system?

9. how to read http://localhost/cgi-bin/test-cgi??

10. cgi-bin and cgi file security

11. cgi-bin access with .cgi file

12. Execute cgi outside of cgi-bin

13. .cgi-Files will only work in the cgi-bin ???