* robin szemeti ([EMAIL PROTECTED]) wrote:
> 
> if your scans and probes look like ...
> 
> [4]     PBServer/..%5c..%5c..%5cwinnt/system32/cmd.exe

<snip>

> 
> etc etc etc ad nauseam
> 

nope, the sequence of events went something like this:

portscan on 145
20+ minutes later, portscan of 146
1hr+ later, apache was showing attempts such as this ....

host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:32 +0000] "GET /cgi-bin/webspirs.cgi?sp.nextform=../../../../../../etc/passwd HTTP/1.0" 404 275 "-" "-"
host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] "HEAD /cgi-bin/DCShop/Orders/orders.txt HTTP/1.0" 404 0 "-" "-"
host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] "HEAD /cgi-bin/a1disp3.cgi?/../../../../../../etc/passwd HTTP/1.0" 404 0 "-" "-"
host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] "HEAD /cgi-bin/a1stats/ HTTP/1.0" 404 0 "-" "-"

I googled for some of these and discovered it's a CGI vulnerability
rootkit

after this the person started looking at my homepage, which sort of
freaked me out, so I pulled the webserver, disconnected ADSL and ran
some quick tests for rootkits

I contacted abuse@bt and got an autoreply; basically, after the first half
of it, which was about news/mail posts and spam, it got to the bit about
system cracking

they say 3 things:

     1.) they will look into any matter reported to them and take
         action against the account
     2.) they will not actually enter into direct discussion with me,
         about any of this
     3.) they won't tell me if they do take any action against the
         account

this sort of left me pretty much in the dark

the next day, I turned ADSL and the webserver back on, and at about 11:30
that morning, sure enough, the same IP was back and trying CGI
vulnerabilities

what could I do now? if someone at abuse@bt had given me a phone
number I could have called and told them it was happening, but nope, I
basically had fuck all I could do

Greg

-- 
Greg McCarroll                                 http://217.34.97.146/~gem/
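The four Apache entries Greg quotes are a typical CGI-scanner signature: one source host, a burst of requests a second apart, every one a 404, two of them carrying `../` traversal towards /etc/passwd. The script below is an added example (not part of the original post or the list) showing how a defender can pick exactly that pattern out of an access log offline: it parses combined-format lines, percent-decodes request paths (bounded, so `..%5c` and double-encoded `..%255c` both surface as `..\`), counts traversal attempts per host, and flags a burst of 404s from one host inside a short window. The sample log is constructed from the lines in the post, re-joined onto one line each; the thresholds (3 requests in 60 seconds) are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample: the four entries quoted in the post, one per line.
SAMPLE_LOG = [
    'host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:32 +0000] '
    '"GET /cgi-bin/webspirs.cgi?sp.nextform=../../../../../../etc/passwd HTTP/1.0" 404 275 "-" "-"',
    'host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] '
    '"HEAD /cgi-bin/DCShop/Orders/orders.txt HTTP/1.0" 404 0 "-" "-"',
    'host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] '
    '"HEAD /cgi-bin/a1disp3.cgi?/../../../../../../etc/passwd HTTP/1.0" 404 0 "-" "-"',
    'host217-35-113-70.in-addr.btopenworld.com - - [09/Jan/2002:14:36:33 +0000] '
    '"HEAD /cgi-bin/a1stats/ HTTP/1.0" 404 0 "-" "-"',
]

# Apache combined format: host ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# ".." followed by a forward or back slash, checked after decoding
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')


def decode_path(path, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    ..%5c and double-encoded ..%255c both become ..\\ before matching."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if the decoded request path contains a ../ or ..\\ segment."""
    return TRAVERSAL_RE.search(decode_path(path)) is not None


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def has_burst(timestamps, threshold, window):
    """True if any `threshold` consecutive timestamps fall inside `window`."""
    ts = sorted(timestamps)
    for i in range(len(ts) - threshold + 1):
        if ts[i + threshold - 1] - ts[i] <= window:
            return True
    return False


def analyse(lines, threshold=3, window=timedelta(seconds=60)):
    """Per-host summary: request count, 404s, traversal attempts, burst flag.
    `threshold`/`window` are assumed defaults, not values from the post."""
    per_host = defaultdict(lambda: {"requests": 0, "not_found": 0,
                                    "traversal": 0, "times": []})
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue  # skip unparseable lines rather than abort the run
        s = per_host[e["host"]]
        s["requests"] += 1
        s["times"].append(e["ts"])
        if e["status"] == 404:
            s["not_found"] += 1
        if is_traversal(e["path"]):
            s["traversal"] += 1

    report = {}
    for host, s in per_host.items():
        burst = has_burst(s["times"], threshold, window)
        report[host] = {
            "requests": s["requests"],
            "not_found": s["not_found"],
            "traversal": s["traversal"],
            "burst": burst,
            # traversal is suspicious on its own; a burst of 404s from one host is too
            "suspicious": s["traversal"] > 0 or (burst and s["not_found"] >= threshold),
        }
    return report


if __name__ == "__main__":
    for host, r in analyse(SAMPLE_LOG).items():
        print(host, r)
```

Run against the sample it reports the BT host with 4 requests, 4 not-found, 2 traversal attempts and a burst, which is the evidence you would attach to an abuse report. Decoding before matching matters: a check on the raw path misses the `..%5c..%5c` form in Robin's quoted IIS probe, and a single decode pass misses `..%255c`.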
