Google Hiccup, CGI Email Script Scanning, New NIST Doc, SANSFIRE

Published: 2004-07-06
Last Updated: 2004-07-07 12:02:26 UTC
by Tom Liston (Version: 1)
0 comment(s)
Google "Hiccup"

We've gotten reports that Google was inoperable for a short period of time in the late hours of 06/06/2004 (GMT). We currently have no information on the cause of the outage.



CGI Email Script Scanning

From our mailbag comes a report by Michael Black at Essex Corporation who alertly noticed a distributed webserver scan for various email cgi-scripts:



213.200.xxx.xxx - - [03/Jul/2004:10:47:45 -0400] "POST /cgi-bin/asomail.cgi HTTP/1.0" 404 916

65.19.xxx.xxx - - [03/Jul/2004:10:47:53 -0400] "POST /cgi-bin/contact.cgi HTTP/1.0" 404 916

80.65.xxx.xxx - - [03/Jul/2004:10:47:55 -0400] "POST /cgi-bin/mailform.pl HTTP/1.0" 404 916

12.14.xxx.xxx - - [03/Jul/2004:10:48:01 -0400] "POST /cgi-bin/formmail.cgi HTTP/1.0" 404 916

149.201.xxx.xxx - - [03/Jul/2004:10:48:03 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.1" 404 916

193.255.xxx.xxx - - [03/Jul/2004:10:48:06 -0400] "POST /cgi-bin/fmail.pl HTTP/1.0" 404 916

208.18.xxx.xxx - - [03/Jul/2004:10:48:06 -0400] "POST /cgi-bin/form.cgi HTTP/1.0" 404 916

67.94.xxx.xxx - - [03/Jul/2004:10:48:07 -0400] "POST /cgi-bin/contact.pl HTTP/1.0" 404 916

66.0.xxx.xxx - - [03/Jul/2004:10:48:09 -0400] "POST /cgi-bin/mail.cgi HTTP/1.1" 404 916

66.103.xxx.xxx - - [03/Jul/2004:10:48:23 -0400] "POST /cgi-bin/feedback.cgi HTTP/1.0" 404 916

209.137.xxx.xxx - - [03/Jul/2004:10:48:25 -0400] "POST /cgi-bin/cgiemail/contact.txt HTTP/1.0" 404 916

200.78.xxx.xxx - - [03/Jul/2004:10:48:27 -0400] "POST /cgi-bin/form.pl HTTP/1.0" 404 916

208.185.xxx.xxx - - [03/Jul/2004:10:48:32 -0400] "POST /cgi-bin/mailform.cgi HTTP/1.0" 404 916

168.9.xxx.xxx - - [03/Jul/2004:10:48:33 -0400] "POST /cgi-bin/feedback.pl HTTP/1.0" 404 916

62.23.xxx.xxx - - [03/Jul/2004:10:48:39 -0400] "POST /cgi-bin/mail.pl HTTP/1.0" 404 916

207.248.xxx.xxx - - [03/Jul/2004:10:49:00 -0400] "POST /cgi-bin/sender.pl HTTP/1.0" 404 916

207.32.xxx.xxx - - [03/Jul/2004:10:49:02 -0400] "POST /cgi-bin/mailer/mailer.cgi HTTP/1.1" 404 916

217.68.xxx.xxx - - [03/Jul/2004:10:49:03 -0400] "POST /cgi-bin/ezformml.cgi HTTP/1.1" 404 916

207.248.xxx.xxx - - [03/Jul/2004:10:49:04 -0400] "POST /cgi-bin/email.cgi HTTP/1.0" 404 916

168.10.xxx.xxx - - [03/Jul/2004:10:49:06 -0400] "POST /cgi-bin/formmail HTTP/1.0" 404 916

65.17.xxx.xxx - - [03/Jul/2004:10:49:06 -0400] "POST /cgi-bin/npl_mailer.cgi HTTP/1.1" 404 916

216.43.xxx.xxx - - [03/Jul/2004:10:49:11 -0400] "POST /cgi-bin/FormMail.cgi HTTP/1.0" 404 916

63.228.xxx.xxx - - [03/Jul/2004:10:49:12 -0400] "POST /cgi-bin/email.pl HTTP/1.0" 404 916

193.170.xxx.xxx - - [03/Jul/2004:10:49:23 -0400] "POST /cgi-bin/BFormMail.pl HTTP/1.0" 404 916

207.127.xxx.xxx - - [03/Jul/2004:10:49:30 -0400] "POST /cgi-bin/contactus.cgi HTTP/1.0" 404 916

64.25.xxx.xxx - - [03/Jul/2004:10:49:30 -0400] "POST /cgi-bin/mailer.cgi HTTP/1.1" 404 916

200.74.xxx.xxx - - [03/Jul/2004:10:49:31 -0400] "POST /cgi-bin/friends.cgi HTTP/1.0" 404 916

208.185.xxx.xxx - - [03/Jul/2004:10:49:32 -0400] "POST /cgi-bin/mailer.pl HTTP/1.0" 404 916

207.241.xxx.xxx - - [03/Jul/2004:10:49:32 -0400] "POST /cgi-bin/tellafriend.cgi HTTP/1.0" 404 916

66.103.xxx.xxx - - [03/Jul/2004:10:49:50 -0400] "POST /cgi-bin/mailto.cgi HTTP/1.0" 404 916

148.233.xxx.xxx - - [03/Jul/2004:10:49:56 -0400] "POST /cgi-bin/mailto.cgi HTTP/1.0" 404 916

137.204.xxx.xxx - - [03/Jul/2004:10:50:04 -0400] "POST /cgi-bin/af.cgi HTTP/1.1" 404 916

81.196.xxx.xxx - - [03/Jul/2004:10:50:05 -0400] "POST /cgi-bin/cgiemail/mailtemp.txt HTTP/1.1" 404 916

65.19.xxx.xxx - - [03/Jul/2004:10:50:10 -0400] "POST /cgi-bin/tell/tell.cgi HTTP/1.0" 404 916

213.134.xxx.xxx - - [03/Jul/2004:10:50:11 -0400] "POST /cgi-bin/mailto.pl HTTP/1.1" 404 916

209.2.xxx.xxx - - [03/Jul/2004:10:50:11 -0400] "POST /cgi-bin/referral.cgi HTTP/1.0" 404 916





There are several interesting things to note about this scan. It is obviously a distributed scan that, because of the tight timing involved, appears to be controlled by a one-to-many channel. An IRC controlled bot-net comes immediately to mind.

Scanning for these types of scripts seems to be a rather outdated practice, something that we haven't seen in some time. We found ourselves wondering about the value of finding such an installation vs. the effort expended in scanning for it.

If anyone else notices scanning of this sort, please pass the details along using our contact form: http://isc.sans.org/contact.php


(Note: Source IPs in the above list have been obfuscated. We are currently investigating the malware that may be installed on these machines.)



NIST Publishes Guide For Securing Windows XP

The NIST (National Institute of Standards and Technology) has published,
in draft format, a guide for securing and administering Windows XP. They are soliciting for comments on this draft guide:



http://csrc.nist.gov/itsec/guidance_WinXP.html



Typically, NIST publications are well written and thorough. It is publication SP800-68, "Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist - Special Publication 800-68 (Draft)"



SANSFIRE

If you're on site at SANSFIRE in Monterey, please remember to stop by the IPNet booth and tell all of the ISC Handlers gathered there just how much you appreciate the fact that while they're off in California whooping it up, several of us are "back here" holding down the fort. Tell them that long, involved story about your first computer or, perhaps, show them that pesky rash that just won't go away. Sing them a song, or, better yet, tell a knock-knock joke. Everybody loves knock-knock jokes.



--------------------------------------------------

Handler on Duty : Tom "Grumpy 'cause I'm not in Monterey" Liston

LaBrea Technologies - ( http://www.labreatechnologies.com )
Keywords:
0 comment(s)

Comments


Diary Archives