Google Hiccup, CGI Email Script Scanning, New NIST Doc, SANSFIRE
Google "Hiccup"
We've gotten reports that Google was inoperable for a short period of time in the late hours of 06/06/2004 (GMT). We currently have no information on the cause of the outage.
CGI Email Script Scanning
From our mailbag comes a report by Michael Black at Essex Corporation, who alertly noticed a distributed webserver scan for various email CGI scripts:
213.200.xxx.xxx - - [03/Jul/2004:10:47:45 -0400] "POST /cgi-bin/asomail.cgi HTTP/1.0" 404 916
65.19.xxx.xxx - - [03/Jul/2004:10:47:53 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 404 916
80.65.xxx.xxx - - [03/Jul/2004:10:47:55 -0400] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 916
12.14.xxx.xxx - - [03/Jul/2004:10:48:01 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 916
149.201.xxx.xxx - - [03/Jul/2004:10:48:03 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.1" 404 916
193.255.xxx.xxx - - [03/Jul/2004:10:48:06 -0400] "POST /cgi-bin/fmail.pl HTTP/1.0" 404 916
208.18.xxx.xxx - - [03/Jul/2004:10:48:06 -0400] "POST /cgi-bin/form.cgi HTTP/1.0" 404 916
67.94.xxx.xxx - - [03/Jul/2004:10:48:07 -0400] "POST /cgi-bin/contact.pl HTTP/1.0" 404 916
66.0.xxx.xxx - - [03/Jul/2004:10:48:09 -0400] "POST /cgi-bin/mail.cgi HTTP/1.1" 404 916
66.103.xxx.xxx - - [03/Jul/2004:10:48:23 -0400] "POST /cgi-bin/feedback.cgi HTTP/1.0" 404 916
209.137.xxx.xxx - - [03/Jul/2004:10:48:25 -0400] "POST /cgi-bin/cgiemail/contact.txt HTTP/1.0" 404 916
200.78.xxx.xxx - - [03/Jul/2004:10:48:27 -0400] "POST /cgi-bin/form.pl HTTP/1.0" 404 916
208.185.xxx.xxx - - [03/Jul/2004:10:48:32 -0400] "POST /cgi-bin/mailform.cgi HTTP/1.0" 404 916
168.9.xxx.xxx - - [03/Jul/2004:10:48:33 -0400] "POST /cgi-bin/feedback.pl HTTP/1.0" 404 916
62.23.xxx.xxx - - [03/Jul/2004:10:48:39 -0400] "POST /cgi-bin/mail.pl HTTP/1.0" 404 916
207.248.xxx.xxx - - [03/Jul/2004:10:49:00 -0400] "POST /cgi-bin/sender.pl HTTP/1.0" 404 916
207.32.xxx.xxx - - [03/Jul/2004:10:49:02 -0400] "POST /cgi-bin/mailer/mailer.cgi HTTP/1.1" 404 916
217.68.xxx.xxx - - [03/Jul/2004:10:49:03 -0400] "POST /cgi-bin/ezformml.cgi HTTP/1.1" 404 916
207.248.xxx.xxx - - [03/Jul/2004:10:49:04 -0400] "POST /cgi-bin/email.cgi HTTP/1.0" 404 916
168.10.xxx.xxx - - [03/Jul/2004:10:49:06 -0400] "POST /cgi-bin/formmail HTTP/1.0" 404 916
65.17.xxx.xxx - - [03/Jul/2004:10:49:06 -0400] "POST /cgi-bin/npl_mailer.cgi HTTP/1.1" 404 916
216.43.xxx.xxx - - [03/Jul/2004:10:49:11 -0400] "POST /cgi-bin/FormMail.cgi HTTP/1.0" 404 916
63.228.xxx.xxx - - [03/Jul/2004:10:49:12 -0400] "POST /cgi-bin/email.pl HTTP/1.0" 404 916
193.170.xxx.xxx - - [03/Jul/2004:10:49:23 -0400] "POST /cgi-bin/BFormMail.pl HTTP/1.0" 404 916
207.127.xxx.xxx - - [03/Jul/2004:10:49:30 -0400] "POST /cgi-bin/contactus.cgi HTTP/1.0" 404 916
64.25.xxx.xxx - - [03/Jul/2004:10:49:30 -0400] "POST /cgi-bin/mailer.cgi HTTP/1.1" 404 916
200.74.xxx.xxx - - [03/Jul/2004:10:49:31 -0400] "POST /cgi-bin/friends.cgi HTTP/1.0" 404 916
208.185.xxx.xxx - - [03/Jul/2004:10:49:32 -0400] "POST /cgi-bin/mailer.pl HTTP/1.0" 404 916
207.241.xxx.xxx - - [03/Jul/2004:10:49:32 -0400] "POST /cgi-bin/tellafriend.cgi HTTP/1.0" 404 916
66.103.xxx.xxx - - [03/Jul/2004:10:49:50 -0400] "POST /cgi-bin/mailto.cgi HTTP/1.0" 404 916
148.233.xxx.xxx - - [03/Jul/2004:10:49:56 -0400] "POST /cgi-bin/mailto.cgi HTTP/1.0" 404 916
137.204.xxx.xxx - - [03/Jul/2004:10:50:04 -0400] "POST /cgi-bin/af.cgi HTTP/1.1" 404 916
81.196.xxx.xxx - - [03/Jul/2004:10:50:05 -0400] "POST /cgi-bin/cgiemail/mailtemp.txt HTTP/1.1" 404 916
65.19.xxx.xxx - - [03/Jul/2004:10:50:10 -0400] "POST /cgi-bin/tell/tell.cgi HTTP/1.0" 404 916
213.134.xxx.xxx - - [03/Jul/2004:10:50:11 -0400] "POST /cgi-bin/mailto.pl HTTP/1.1" 404 916
209.2.xxx.xxx - - [03/Jul/2004:10:50:11 -0400] "POST /cgi-bin/referral.cgi HTTP/1.0" 404 916
There are several interesting things to note about this scan. It is obviously a distributed scan that, because of the tight timing involved (over 30 distinct sources in under three minutes, each probing only one or two paths), appears to be controlled by a one-to-many channel. An IRC-controlled botnet comes immediately to mind.
Scanning for these types of scripts seems to be a rather outdated practice, something that we haven't seen in some time. We found ourselves wondering about the value of finding such an installation vs. the effort expended in scanning for it.
If anyone else notices scanning of this sort, please pass the details along using our contact form: http://isc.sans.org/contact.php
(Note: Source IPs in the above list have been obfuscated. We are currently investigating the malware that may be installed on these machines.)
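As an added example (not part of the original diary), the following Python script shows the kind of detection logic that would flag a scan like the one above from an ordinary Apache access log: it parses common-log-format lines, keeps only POSTs to /cgi-bin/ paths answered with 404, groups them into bursts by inter-arrival gap, and reports a burst when it involves many distinct source addresses probing many distinct script names while each source touches only one or two paths (the signature of a distributed, centrally driven probe rather than a single scanner). The embedded log lines are constructed for the example using documentation-range addresses (203.0.113.0/24 and 198.51.100.0/24) and paths taken from the report; the 60-second gap and the thresholds are assumptions, not values from the diary.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: host ident user [time] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (documentation-range IPs, paths as seen in the report).
# The last line is a lone 404 hours later and must NOT be flagged.
SAMPLE_LOG = """\
203.0.113.11 - - [03/Jul/2004:10:47:45 -0400] "POST /cgi-bin/asomail.cgi HTTP/1.0" 404 916
203.0.113.12 - - [03/Jul/2004:10:47:53 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 404 916
203.0.113.13 - - [03/Jul/2004:10:47:55 -0400] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 916
203.0.113.14 - - [03/Jul/2004:10:48:01 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 916
198.51.100.7 - - [03/Jul/2004:10:48:02 -0400] "GET /index.html HTTP/1.1" 200 2048
203.0.113.15 - - [03/Jul/2004:10:48:03 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.1" 404 916
203.0.113.16 - - [03/Jul/2004:10:48:23 -0400] "POST /cgi-bin/mailto.cgi HTTP/1.0" 404 916
203.0.113.17 - - [03/Jul/2004:10:48:25 -0400] "POST /cgi-bin/mailto.cgi HTTP/1.0" 404 916
203.0.113.18 - - [03/Jul/2004:10:48:33 -0400] "POST /cgi-bin/referral.cgi HTTP/1.0" 404 916
198.51.100.9 - - [03/Jul/2004:14:20:00 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 916
"""


def parse_clf(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def cgi_probes(events):
    """Keep only the pattern from the report: POST to /cgi-bin/* that the server answered 404."""
    return [e for e in events
            if e["method"] == "POST" and e["path"].startswith("/cgi-bin/") and e["status"] == 404]


def find_distributed_scans(lines, max_gap_seconds=60, min_sources=5, min_paths=5):
    """Group probes into bursts (assumed gap threshold) and flag bursts with many sources and paths."""
    events = [e for e in (parse_clf(l) for l in lines) if e]
    probes = sorted(cgi_probes(events), key=lambda e: e["time"])

    # Burst clustering: a probe joins the current burst if it arrives within max_gap_seconds
    # of the previous probe; otherwise it starts a new burst.
    bursts, current = [], []
    for e in probes:
        if current and (e["time"] - current[-1]["time"]).total_seconds() > max_gap_seconds:
            bursts.append(current)
            current = []
        current.append(e)
    if current:
        bursts.append(current)

    findings = []
    for burst in bursts:
        paths_by_source = defaultdict(set)
        for e in burst:
            paths_by_source[e["host"]].add(e["path"])
        sources = len(paths_by_source)
        paths = len({e["path"] for e in burst})
        if sources >= min_sources and paths >= min_paths:
            findings.append({
                "start": burst[0]["time"],
                "end": burst[-1]["time"],
                "requests": len(burst),
                "sources": sources,
                "paths": paths,
                # Low value here means each bot probed only a path or two: a one-to-many controller
                # handing out the work, not one host walking the whole list.
                "max_paths_per_source": max(len(p) for p in paths_by_source.values()),
            })
    return findings


if __name__ == "__main__":
    for f in find_distributed_scans(SAMPLE_LOG.splitlines()):
        print(f"{f['start']:%H:%M:%S}-{f['end']:%H:%M:%S}: {f['requests']} probes from "
              f"{f['sources']} sources against {f['paths']} scripts "
              f"(max {f['max_paths_per_source']} path(s) per source)")
```

On the constructed sample the script reports a single burst of eight probes from eight sources against seven distinct script names, with no source touching more than one path; the isolated 404 at 14:20 forms its own burst and is ignored. The gap-based grouping is deliberately simple: for a live feed you would want a bounded window and per-burst state rather than sorting the whole log, but the signal to alert on stays the same.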
NIST Publishes Guide For Securing Windows XP
The NIST (National Institute of Standards and Technology) has published, in draft format, a guide for securing and administering Windows XP. They are soliciting comments on this draft guide:
http://csrc.nist.gov/itsec/guidance_WinXP.html
Typically, NIST publications are well written and thorough. This one is publication SP 800-68, "Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist - Special Publication 800-68 (Draft)".
SANSFIRE
If you're on site at SANSFIRE in Monterey, please remember to stop by the IPNet booth and tell all of the ISC Handlers gathered there just how much you appreciate the fact that while they're off in California whooping it up, several of us are "back here" holding down the fort. Tell them that long, involved story about your first computer or, perhaps, show them that pesky rash that just won't go away. Sing them a song, or, better yet, tell a knock-knock joke. Everybody loves knock-knock jokes.
--------------------------------------------------
Handler on Duty : Tom "Grumpy 'cause I'm not in Monterey" Liston
LaBrea Technologies - ( http://www.labreatechnologies.com )