* robin szemeti ([EMAIL PROTECTED]) wrote:
> > if your scans and probes look like ...
> > [4] PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe
<snip>
> > etc etc etc ad nauseam
>

Nope, the sequence of events went something like this:

Portscan on 145; 20+ minutes later, portscan of 146; 1hr+ later, Apache was showing attempts such as this ....

host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:32 +0000] "GET /cgi-bin/webspirs.cgi?sp.nextform=../../../../../../etc/passwd HTTP/1.0" 404 275 "-" "-"
host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] "HEAD /cgi-bin/DCShop/Orders/orders.txt HTTP/1.0" 404 0 "-" "-"
host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] "HEAD /cgi-bin/a1disp3.cgi?/../../../../../../etc/passwd HTTP/1.0" 404 0 "-" "-"
host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] "HEAD /cgi-bin/a1stats/ HTTP/1.0" 404 0 "-" "-"

I googled for some of these and discovered it's a CGI vulnerability rootkit. After this the person started looking at my homepage, which sort of freaked me out, and I pulled the webserver, disconnected ADSL and ran some quick tests for rootkits.

I contacted abuse@bt and got an autoreply. Basically, after half of it that was about news/mail posts and spam, it got to the bit about system cracking. They say 3 things:

1.) they will look into any matter reported to them and take action against the account
2.) they will not actually enter into direct discussion with me about any of this
3.) they won't tell me if they do take any action against the account

This sort of left me pretty much in the dark.

The next day, I turned ADSL back on, and the webserver, and about 11:30 that morning, sure enough, the same IP was back and trying CGI vulnerabilities.

What could I do now? If someone at abuse@bt had given me a phone number I could have called and told them it was happening, but nope, I basically had fuck all I could do.

Greg

--
Greg McCarroll http://217.34.97.146/~gem/
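Detection logic for the probe pattern in the log above, as an added example that is not part of the original post or thread. It parses Apache access-log lines, flags `..` traversal (including the `%5c` backslash encoding of the quoted PBServer probe, after URL-decoding), flags requests for sensitive targets such as /etc/passwd or cmd.exe, and reports any client that fires several such probes inside a short window, which is what the burst of 404s within one second above looks like. The log sample is the four lines from the post plus two lines constructed here (a `198.51.100.7` client sending the Windows-style probe, and a benign request from `example.invalid`); the tag names, the 60-second window and the three-probe threshold are assumptions, not anything the thread specifies.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Four lines copied from the post, plus two constructed lines: a Windows-style
# probe with %5c-encoded backslashes (assumed client 198.51.100.7) and a benign
# request as a negative control. Hostnames in the constructed lines are made up.
SAMPLE_LOG = """\
host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:32 +0000] "GET /cgi-bin/webspirs.cgi?sp.nextform=../../../../../../etc/passwd HTTP/1.0" 404 275 "-" "-"
host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] "HEAD /cgi-bin/DCShop/Orders/orders.txt HTTP/1.0" 404 0 "-" "-"
host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] "HEAD /cgi-bin/a1disp3.cgi?/../../../../../../etc/passwd HTTP/1.0" 404 0 "-" "-"
host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] "HEAD /cgi-bin/a1stats/ HTTP/1.0" 404 0 "-" "-"
198.51.100.7 - - [09/Jan/2002:15:02:10 +0000] "GET /PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0 "-" "-"
example.invalid - - [09/Jan/2002:15:10:00 +0000] "GET /~gem/index.html HTTP/1.0" 200 1234 "-" "-"
"""

# Apache common/combined log: host ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings that mark a request as aimed at something no web client needs.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "cmd.exe", "system32")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def normalise_target(target):
    """Decode twice (catches %252e double encoding), map backslashes to '/', lowercase."""
    decoded = unquote(unquote(target))
    return decoded.replace("\\", "/").lower()


def classify(entry):
    """Tag one request; an empty list means nothing suspicious was seen."""
    tags = []
    t = normalise_target(entry["target"])
    if re.search(r"\.\./", t):           # a '..' segment anywhere, path or query
        tags.append("traversal")
    if any(s in t for s in SENSITIVE):
        tags.append("sensitive-target")
    if t.startswith("/cgi-bin/") and entry["status"] == 404:
        tags.append("cgi-probe-404")     # guessing at CGI scripts that are not there
    return tags


def scan(log_text, window=timedelta(seconds=60), min_probes=3):
    """Group suspicious requests by client; mark clients that burst inside `window`."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            by_host[entry["host"]].append((entry["ts"], entry["target"], tags))

    report = {}
    for host, events in by_host.items():
        events.sort(key=lambda ev: ev[0])
        burst = False
        for i in range(len(events)):          # sliding window over sorted timestamps
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            if j - i >= min_probes:
                burst = True
                break
        report[host] = {
            "probes": len(events),
            "first": events[0][0],
            "last": events[-1][0],
            "tags": sorted({tag for _, _, tag_list in events for tag in tag_list}),
            "scanner": burst,
        }
    return report


if __name__ == "__main__":
    for host, summary in scan(SAMPLE_LOG).items():
        flag = "SCANNER" if summary["scanner"] else "single probe"
        print(f"{host}: {summary['probes']} probe(s), {flag}, tags={summary['tags']}")
```

Decoding before matching matters: a naive `../` substring check never sees the `..%5c` form, and a single `unquote` misses `%252e`. The burst rule is deliberately separate from the per-request tags so that one stray traversal from a misconfigured proxy does not look like the scanner above, while a cluster of 404s against /cgi-bin/ within a second does, even before any single request hits a sensitive file.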