Very Computer

I've been seeing a number of attacks of this sort recently
from various sites in the http logs.  The time correlation
between the logs on various hosts suggests that the attacker
was scanning sequentially upward in IP addresses.  Since all
tcp and udp packets to ports below 1024 except for http,
smtp, and ident are filtered out for most, including the
attacking, sites, I'm not seeing anything else in the logs.

209.61.73.47 - - [04/Jul/1998:07:19:27 -0500] "GET /cgi-bin/phf" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/test-cgi" 404 -
209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/handler" 404 -

Is this a signature of some known attackware?  If so, what
other attacks accompany these http probes?

--

|209.61.73.47 - - [04/Jul/1998:07:19:28 -0500] "GET /cgi-bin/handler" 404 -
|
|Is this a signature of some known attackware?  If so, what
|other attacks accompany these http probes?

In a web search engine, search for "cgi-bin/handler" and see what comes up.

--
------------------------------------------------------------------------

Unsolicited bulk or commercial email is not welcome.             netcom.com
No warranty of any kind is provided with this message.

--
Remove the NOSPAM from the reply address
Kevin Connolly, EI4ANB
ICBM: 51 40.2'N   08 29.7'W

Check any bugtraq archive for vito.

-Martin

--

 Siemens Nixdorf, CC IT Networks, Solution Team Internet/Intranet
Half male, half e-mail.

Quote:>Is this a signature of some known attackware?  If so, what
>other attacks accompany these http probes?

A little research on www.rootshell.com turns up something
called mscan, which also probes portmapper/statd/named and
X servers, for a range of addresses or all the addresses in
a domain.

In the last week or so, such attacks were logged from these
sites:

  cr543730-a.surrey1.bc.wave.home.com [24.113.45.75]
  210.152.89.1
  207-172-251-229.s38.as2.loc.erols.com [207.172.251.229]
  209.61.73.47
  dixie.introspect.net [199.72.239.200]

as well as reports of one from *.ix.netcom.com, so I
suspect these cookie-cutter attacks are carried out by
"h4x0r" wannabes.

--