I've been seeing a number of attacks of this sort recently
from various sites in the http logs. The time correlation
between the logs on various hosts suggests that the attacker
was scanning sequentially upward in IP addresses. Since all
tcp and udp packets to ports below 1024 except for http,
smtp, and ident are filtered out for most, including the
attacking, sites, I'm not seeing anything else in the logs.
126.96.36.199 - - [04/Jul/1998:07:19:27 -0500] "GET /cgi-bin/phf" 404 -
188.8.131.52 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/test-cgi" 404 -
184.108.40.206 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/handler" 404 -
Is this a signature of some known attackware? If so, what
other attacks accompany these http probes?