Security Incidents mailing list archives

suspicious http log


From: Emre Yildirim <emre () sgi asper org>
Date: Sun, 21 Oct 2001 17:35:44 -0500

host213-1-146-56.btinternet.com - - [21/Oct/2001:14:28:48 -0500] "GET /cgi-bin/rwwwshell.pl HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:28:51 -0500] "GET /cgi-bin/Count.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:28:56 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 200 447 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:28:57 -0500] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:29:07 -0500] "GET /cgi-bin/nph-publish HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:18 -0500] "GET /cgi-bin/unlg1.1 HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:19 -0500] "GET /cgi-bin/phf HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:22 -0500] "GET /cgi-bin/rwwwshell.pl HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:25 -0500] "GET /cgi-bin/Count.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:30 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 200 447 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:37 -0500] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:38 -0500] "GET /cgi-bin/php.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:39 -0500] "GET /cgi-bin/nph-publish HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:39 -0500] "GET /cgi-bin/handler HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:41 -0500] "GET /cgi-bin/webgais HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:42 -0500] "GET /cgi-bin/websendmail HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:51 -0500] "GET /cgi-bin/faxsurvey HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:53 -0500] "GET /cgi-bin/htmlscript HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:38:55 -0500] "GET /cgi-bin/webdist.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:15 -0500] "GET /cgi-bin/pfdispaly.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:17 -0500] "GET /cgi-bin/perl.exe HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:22 -0500] "GET /cgi-bin/view-source HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:23 -0500] "GET /cgi-bin/campas HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:23 -0500] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:25 -0500] "GET /cgi-bin/www-sql HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:38 -0500] "GET /cgi-bin/aglimpse HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:45 -0500] "GET /cgi-bin/man.sh HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:49 -0500] "GET /cgi-bin/glimpse HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:50 -0500] "GET /cgi-bin/AT-admin.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:53 -0500] "GET /cgi-bin/maillist.pl HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:54 -0500] "GET /cgi-bin/jj HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:56 -0500] "GET /cgi-bin/info2www HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:56 -0500] "GET /cgi-bin/filemail.pl HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:39:57 -0500] "GET /cgi-bin/files.pl HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:00 -0500] "GET /cgi-bin/bnbform.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:02 -0500] "GET /cgi-bin/survey.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:04 -0500] "GET /cgi-bin/finger HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:08 -0500] "GET /cgi-bin/AnyForm2 HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:09 -0500] "GET /cgi-bin/classifieds.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:10 -0500] "GET /cgi-bin/textcounter.pl HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:16 -0500] "GET /cgi-bin/environ.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:17 -0500] "GET /cgi-bin/edit.pl HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:17 -0500] "GET /cgi-bin/wrap HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:19 -0500] "GET /cgi-bin/cgiwrap HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:20 -0500] "GET /cgi-bin/guestbook.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:21 -0500] "GET /cgi-bin/webbbs.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:23 -0500] "GET /cgi-bin/perlshop.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:24 -0500] "GET /cgi-bin/anyboard.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:28 -0500] "GET /cgi-bin/environ.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:34 -0500] "GET /cgi-bin/whois_raw.cgi HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:35 -0500] "GET /_vti_pvt/service.pwd HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:36 -0500] "GET /_vti_inf.html HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:37 -0500] "GET /_vti_pvt/users.pwd HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:38 -0500] "GET /_vti_pvt/authors.pwd HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:43 -0500] "GET /_vti_bin/shtml.exe HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:45 -0500] "GET /_vti_pvt/administrators.pwd HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:46 -0500] "GET /_vti_bin/shtml.dll HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:49 -0500] "GET /cgi-win/uploader.exe HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:49 -0500] "GET /cgi-dos/args.bat HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:50 -0500] "GET /cgi-bin/rguest.exe HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:55 -0500] "GET /scripts/tools/newdsn.exe HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:57 -0500] "GET /cgi-bin/wguest.exe HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:58 -0500] "GET /scripts/counter.exe HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:40:58 -0500] "GET /scripts/CGImail.exe HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:01 -0500] "GET /scripts/fpcount.exe HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:10 -0500] "GET /cfdocs/expelval/openfile.cfm HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:11 -0500] "GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:13 -0500] "GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:13 -0500] "GET /cgi-bin/visadmin.exe HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:18 -0500] "GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:19 -0500] "GET /cfdocs/expelval/sendmail.cfm HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:25 -0500] "GET /iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:29 -0500] "GET /carbo.dll HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:29 -0500] "GET /msads/Samples/SELECTOR/showcode.asp HTTP/1.0" 302 279 "-" "-"
host213-1-146-56.btinternet.com - - [21/Oct/2001:14:41:33 -0500] "GET /search97.vts HTTP/1.0" 302 279 "-" "-"


The above is obviously some sort of tool, or an infected host perhaps? This is all followed
by the usual Code Red II stuff.  Anyone know what it is?



--
Emre Yildirim <emre () asper org>
GPG KeyID 0xF9E4A1D1 (keyserver.pgp.com)
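An added detection example, not part of Emre's post or of the list archive: a small Python routine that parses Apache/NCSA combined-format entries like the ones quoted above and flags a client that requests many distinct, well-known script paths inside a short window while sending neither referer nor user-agent. The path prefixes it watches (/cgi-bin/, /_vti_, /scripts/, /cfdocs/, /iissamples/, /msads/ and so on) are the ones that appear in the quoted log; the host names in the sample lines are constructed for the example. It also reports which probes drew a 2xx answer, since those name resources that actually exist on the server and are the entries worth reviewing, unlike the 302 noise.

```python
"""Added example (not from the original post): flag a web-server probe
sweep in Apache/NCSA combined-format access logs. A host that requests
many distinct, well-known script paths within a short window, sending
neither referer nor user-agent, is scored as a scanner. Sample lines are
constructed; host names are fictitious, paths follow the quoted log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One combined-format entry: host ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Prefixes from the quoted sweep that ordinary browsing rarely requests directly:
# CGI directories, FrontPage _vti_ files, IIS /scripts, ColdFusion and IIS samples.
PROBE_PREFIXES = ("/cgi-bin/", "/cgi-win/", "/cgi-dos/", "/_vti_",
                  "/scripts/", "/cfdocs/", "/iissamples/", "/msads/")


def parse_line(line):
    """Parse one combined-format entry into a dict; None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_probe(rec):
    """True if the request targets one of the probe-prone prefixes."""
    return rec["path"].startswith(PROBE_PREFIXES)


def find_sweeps(lines, window=timedelta(seconds=120), min_distinct=10):
    """Return {host: summary} for each host that requested at least
    `min_distinct` different probe paths inside any span of `window`."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec):
            by_host[rec["host"]].append(rec)

    sweeps = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until recs[start:end+1] fits in `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if len({r["path"] for r in recs[start:end + 1]}) >= min_distinct:
                sweeps[host] = {
                    "distinct_paths": len({r["path"] for r in recs}),
                    "first_seen": recs[0]["ts"],
                    "last_seen": recs[-1]["ts"],
                    # Scanners typically send no referer and no user-agent.
                    "blank_ua_referer": all(r["ua"] == "-" and r["referer"] == "-"
                                            for r in recs),
                    # 2xx means the probed resource exists here: review these.
                    "hits_2xx": sorted(r["path"] for r in recs
                                       if 200 <= r["status"] < 300),
                }
                break
    return sweeps


# Constructed sample: one sweeping host, one normal visitor, one host making a
# single legitimate CGI request, and one malformed line.
SAMPLE_LOG = """\
probe.example.net - - [21/Oct/2001:14:28:48 -0500] "GET /cgi-bin/rwwwshell.pl HTTP/1.0" 302 279 "-" "-"
probe.example.net - - [21/Oct/2001:14:28:51 -0500] "GET /cgi-bin/Count.cgi HTTP/1.0" 302 279 "-" "-"
probe.example.net - - [21/Oct/2001:14:28:56 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 200 447 "-" "-"
probe.example.net - - [21/Oct/2001:14:28:57 -0500] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 302 279 "-" "-"
client.example.org - - [21/Oct/2001:14:29:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible)"
other.example.org - - [21/Oct/2001:14:29:05 -0500] "GET /cgi-bin/Count.cgi HTTP/1.0" 200 41 "http://www.example.org/" "Mozilla/4.0 (compatible)"
probe.example.net - - [21/Oct/2001:14:29:07 -0500] "GET /cgi-bin/phf HTTP/1.0" 302 279 "-" "-"
probe.example.net - - [21/Oct/2001:14:29:10 -0500] "GET /cgi-bin/handler HTTP/1.0" 302 279 "-" "-"
probe.example.net - - [21/Oct/2001:14:29:12 -0500] "GET /cgi-bin/finger HTTP/1.0" 302 279 "-" "-"
probe.example.net - - [21/Oct/2001:14:29:15 -0500] "GET /_vti_pvt/service.pwd HTTP/1.0" 302 279 "-" "-"
probe.example.net - - [21/Oct/2001:14:29:17 -0500] "GET /_vti_bin/shtml.exe HTTP/1.0" 302 279 "-" "-"
probe.example.net - - [21/Oct/2001:14:29:20 -0500] "GET /scripts/tools/newdsn.exe HTTP/1.0" 302 279 "-" "-"
probe.example.net - - [21/Oct/2001:14:29:25 -0500] "GET /cfdocs/expelval/openfile.cfm HTTP/1.0" 302 279 "-" "-"
probe.example.net - - [21/Oct/2001:14:29:30 -0500] "GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0" 302 279 "-" "-"
this line is not a log entry
""".splitlines()

if __name__ == "__main__":
    for host, info in find_sweeps(SAMPLE_LOG).items():
        print(f"{host}: {info['distinct_paths']} distinct probe paths, "
              f"{info['first_seen']:%H:%M:%S}-{info['last_seen']:%H:%M:%S}, "
              f"blank UA/referer={info['blank_ua_referer']}, exists: {info['hits_2xx']}")
```

Run against a real access log by replacing SAMPLE_LOG with the file's lines. The window and distinct-path threshold are tunable; a single stray /cgi-bin/ request from a browsing user stays below the threshold, while a sweep like the one quoted trips it within its first minute, and the `hits_2xx` list tells the administrator which probed scripts are actually present and should be checked or removed.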



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

