[plug] Beware hackers

John Summerfield summer at os2.ami.com.au
Mon Jul 6 08:48:29 WST 1998

On Sun, 5 Jul 1998, Leon Brooks wrote:

> John Summerfield wrote:
> > This has just come to my attention:
> > access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:06 +0800] "GET
> > /cgi-bin/phf" 404 -
> > access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:07 +0800] "GET
> > /cgi-bin/test-cgi" 404 -
> > access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:09 +0800] "GET
> > /cgi-bin/handler" 404 -
> > I gather that there was an exploit involving phf in earlier apaches.
> > test-cgi reveals some information about the server software. handler I
> > don't know.
> Probably from another web-server package or apache module. It certainly
> looks Apache-specific. Have you turned around and explored aurora yet?
> > I interpret these accesses (the only accesses from this remote machine in
> > about three weeks) as an attempt to collate info about my machine
> > preparatory to an attempt to crack it.
> > I'm about to create a script to run in place of these to prepare me a
> > report I can use to complain to some responsible person at the offending
> > domain.
> Ummm, three HTTP requests don't normally represent a "complaint" per se,
> but you could _ask_ postmaster at aurora.bridges.edu or hostmaster@ or
> webmaster@ or root@ some similar administrative address about the
> access. If no joy, just chop "aurora." out of the address and try again.

I became aware of it when someone on another list reported similar
incidents. In the ensuing exchange of mail aurora.bridges.edu has been
implicated in the same activities at another site.

I think the coincidence of timing (the other "attack" by aurora was at
much the same time on a host in a "-1000" timezone) is somewhat
suggestive. As is the fact it's being done by various different hosts: it
suggests to me some collusion, much like us getting together to repel

An important part of a hacking procedure is, I understand, knowing what
software the target's running. The information returned by these provides
that information.

It's pretty pointless trying NT exploits on an OS/2 box for example - they
simply do not work.

I did a whois lookup of bridges.net and mailed to the technical contact
with this result:
   ----- The following addresses had permanent fatal errors -----
<brook at BRIDGES.EDU>

   ----- Transcript of session follows -----
550 <brook at BRIDGES.EDU>... Host unknown (Name server: bridges.edu: no data

The site's in California.

I plan on adding selected nslookups to my "test-cgi" script.


John Summerfield
http://os2.ami.com.au/os2/ for OS/2 support.
Configuration, networking, combined IBM ftpsites index.
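
The following is an added example, not part of the original message or the list archive: it parses access-log lines in the format quoted above and flags any host that requests several of the named CGI paths within a short window. The 60-second window, the two-path threshold and the `example.net` log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CGI paths named in the log excerpt quoted in this thread.
PROBE_PATHS = {"/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler"}

# Common Log Format; tolerates a "file:" prefix left by grep over rotated
# logs and a request line with or without a protocol version.
LINE_RE = re.compile(
    r'^(?:[^\s:]+:)?(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+$')

# First three lines are from the message (unwrapped); the rest are constructed.
SAMPLE = [
    'access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:06 +0800] "GET /cgi-bin/phf" 404 -',
    'access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:07 +0800] "GET /cgi-bin/test-cgi" 404 -',
    'access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:09 +0800] "GET /cgi-bin/handler" 404 -',
    'access_log.1:client.example.net - - [30/Jun/1998:10:40:12 +0800] "GET /index.html HTTP/1.0" 200 1042',
    'access_log.1:probe.example.net - - [30/Jun/1998:11:02:00 +0800] "GET /cgi-bin/test-cgi HTTP/1.0" 404 -',
    'access_log.1:probe.example.net - - [30/Jun/1998:15:30:00 +0800] "GET /cgi-bin/phf HTTP/1.0" 404 -',
]

def parse(line):
    """Return (host, time, path without query, status), or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["host"], ts, m["path"].split("?", 1)[0], int(m["status"])

def find_probers(lines, min_paths=2, window=timedelta(seconds=60)):
    """Map host -> sorted probe paths, for hosts that requested at least
    min_paths distinct PROBE_PATHS within one time window."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec[2] in PROBE_PATHS:
            hits[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {p for t, p in events[i:] if t - start <= window}
            if len(seen) >= min_paths:
                flagged[host] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    for host, paths in find_probers(SAMPLE).items():
        print(host, "requested", ", ".join(paths))
```

Widening `window` trades fewer missed slow scans for more false positives from unrelated requests by the same host.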
