by Zbynek Pospichal
 

Port scans and script scans once more

So it seems that more people had an experience with that fine character from IP address 207.240.53.137 yesterday, and not only in this country. If I had posted the question to international forums I would probably have received more reactions, but even so, plenty of them arrived today. I also looked around my other servers, whose logs I do not follow so regularly, and came to the conclusion that more people pass their time with games of this kind, and some are even so thick that they try it over and over again. For example:

207.253.79.121 - - [30/Mar/1999:22:59:22 +0200] "GET /cgi-bin/phf" 404 3566
207.253.79.121 - - [30/Mar/1999:22:59:27 +0200] "GET /cgi-bin/test-cgi" 404 3566
207.253.79.121 - - [30/Mar/1999:22:59:35 +0200] "GET /cgi-bin/phf" 404 3566
207.253.79.121 - - [30/Mar/1999:22:59:40 +0200] "GET /cgi-bin/test-cgi" 404 3566
207.253.79.121 - - [30/Mar/1999:22:59:44 +0200] "GET /cgi-bin/handler" 404 3566
207.253.79.121 - - [30/Mar/1999:23:28:41 +0200] "GET /cgi-bin/phf" 404 3566
207.253.79.121 - - [30/Mar/1999:23:28:46 +0200] "GET /cgi-bin/test-cgi" 404 3566
207.253.79.121 - - [30/Mar/1999:23:28:51 +0200] "GET /cgi-bin/handler" 404 3566

Here we have another expert of the same kind:

194.204.246.130 - - [11/Apr/1999:22:54:34 +0200] "GET /cgi-bin/phf HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:35 +0200] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:36 +0200] "GET /cgi-bin/test-cgi HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:37 +0200] "GET /cgi-bin/php.cgi HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:38 +0200] "GET /cgi-bin/handler HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:39 +0200] "GET /cgi-bin/webgais HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:40 +0200] "GET /cgi-bin/websendmail HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:41 +0200] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:42 +0200] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:43 +0200] "GET /cgi-bin/htmlscript HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:44 +0200] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:45 +0200] "GET /cgi-bin/perl.exe HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:45 +0200] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:47 +0200] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 3566
194.204.246.130 - - [11/Apr/1999:22:54:51 +0200] "GET /cgi-bin/jj HTTP/1.0" 404 3566

And a few more:

209.186.200.8 - - [06/May/1999:03:33:41 +0200] "GET /cgi-bin/phf" 404 3566
209.186.200.8 - - [06/May/1999:03:33:42 +0200] "GET /cgi-bin/test-cgi" 404 3566
209.186.200.8 - - [06/May/1999:03:33:43 +0200] "GET /cgi-bin/handler" 404 3566
204.149.55.25 - - [11/May/1999:12:09:54 +0200] "GET /cgi-bin/phf?Qalias=x%0aid" 404 3566
204.149.55.25 - - [11/May/1999:12:09:55 +0200] "GET /cgi-bin/php.cgi?/etc/services" 404 3566
204.149.55.25 - - [11/May/1999:12:09:56 +0200] "GET /cgi-bin/webdist.cgi?distloc=;id" 404 3566
204.149.55.25 - - [11/May/1999:12:10:08 +0200] "GET /cgi-bin/aglimpse/80|cat</etc/services;echo HTTP/1.0" 404 3566
204.149.55.25 - - [11/May/1999:12:10:08 +0200] "GET /cgi-bin/campas?%0aid%0a" 404 3566
204.149.55.25 - - [11/May/1999:12:10:10 +0200] "GET /cgi-bin/mailto.pl" 404 3566
195.58.102.61 - - [17/May/1999:10:46:39 +0200] "GET /cgi-bin/phf" 404 3566
195.58.102.61 - - [17/May/1999:10:46:40 +0200] "GET /cgi-bin/test-cgi" 404 3566
195.58.102.61 - - [17/May/1999:10:46:41 +0200] "GET /cgi-bin/handler" 404 3566
62.20.205.128 - - [17/May/1999:11:54:38 +0200] "GET /cgi-bin/phf" 404 3566
62.20.205.128 - - [17/May/1999:11:54:40 +0200] "GET /cgi-bin/test-cgi" 404 3566
62.20.205.128 - - [17/May/1999:11:54:41 +0200] "GET /cgi-bin/handler" 404 3566
202.211.208.139 - - [25/May/1999:19:10:50 +0200] "GET /cgi-bin/phf" 404 3566
202.211.208.139 - - [25/May/1999:19:10:52 +0200] "GET /cgi-bin/test-cgi" 404 3566
202.211.208.139 - - [25/May/1999:19:10:53 +0200] "GET /cgi-bin/handler" 404 3566
209.77.128.223 - - [26/May/1999:17:40:15 +0200] "GET /cgi-bin/phf HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:17 +0200] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:19 +0200] "GET /cgi-bin/test-cgi HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:21 +0200] "GET /cgi-bin/php.cgi HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:23 +0200] "GET /cgi-bin/handler HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:25 +0200] "GET /cgi-bin/webgais HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:27 +0200] "GET /cgi-bin/websendmail HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:30 +0200] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:32 +0200] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:34 +0200] "GET /cgi-bin/htmlscript HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:36 +0200] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:38 +0200] "GET /cgi-bin/perl.exe HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:40 +0200] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:43 +0200] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 3566
209.77.128.223 - - [26/May/1999:17:40:46 +0200] "GET /cgi-bin/jj HTTP/1.0" 404 3566
212.216.104.3 - - [26/May/1999:22:52:18 +0200] "GET /cgi-bin/phf" 404 3566
212.216.104.3 - - [26/May/1999:22:52:22 +0200] "GET /cgi-bin/test-cgi" 404 3566
212.216.104.3 - - [26/May/1999:22:52:31 +0200] "GET /cgi-bin/handler" 404 3566
212.216.104.3 - - [26/May/1999:22:55:46 +0200] "GET /cgi-bin/phf" 404 3566
212.216.104.3 - - [26/May/1999:22:55:51 +0200] "GET /cgi-bin/test-cgi" 404 3566
212.216.104.3 - - [26/May/1999:22:55:56 +0200] "GET /cgi-bin/handler" 404 3566
202.211.208.139 - - [26/May/1999:23:29:08 +0200] "GET /cgi-bin/phf?Qalias=x%0aid" 404 3566
202.211.208.139 - - [26/May/1999:23:29:11 +0200] "GET /cgi-bin/php.cgi?/etc/services" 404 3566
202.211.208.139 - - [26/May/1999:23:29:13 +0200] "GET /cgi-bin/webdist.cgi?distloc=;id" 404 3566
202.211.208.139 - - [26/May/1999:23:29:25 +0200] "GET /cgi-bin/aglimpse/80|cat</etc/services;echo HTTP/1.0" 404 3566
202.211.208.139 - - [26/May/1999:23:29:26 +0200] "GET /cgi-bin/campas?%0aid%0a" 404 3566
202.211.208.139 - - [26/May/1999:23:29:28 +0200] "GET /cgi-bin/mailto.pl" 404 3566
209.81.8.251 - - [04/Jun/1999:14:55:03 +0200] "GET /cgi-bin/phf?Qalias=x%0aid" 404 3566
209.81.8.251 - - [04/Jun/1999:14:55:05 +0200] "GET /cgi-bin/php.cgi?/etc/services" 404 3566
209.81.8.251 - - [04/Jun/1999:14:55:06 +0200] "GET /cgi-bin/webdist.cgi?distloc=;id" 404 3566
209.81.8.251 - - [04/Jun/1999:14:55:17 +0200] "GET /cgi-bin/aglimpse/80|cat</etc/services;echo HTTP/1.0" 404 3566
209.81.8.251 - - [04/Jun/1999:14:55:21 +0200] "GET /cgi-bin/campas?%0aid%0a" 404 3566
209.81.8.251 - - [04/Jun/1999:14:55:22 +0200] "GET /cgi-bin/mailto.pl" 404 3566
207.240.53.134 - - [13/Jun/1999:21:41:38 +0200] "GET /cgi-bin/phf" 404 3566
207.240.53.134 - - [13/Jun/1999:21:41:39 +0200] "GET /cgi-bin/test-cgi" 404 3566
207.240.53.134 - - [13/Jun/1999:21:41:40 +0200] "GET /cgi-bin/handler" 404 3566
210.226.77.18 - - [15/Jun/1999:15:15:52 +0200] "GET /cgi-bin/phf" 404 3566
210.226.77.18 - - [15/Jun/1999:15:15:53 +0200] "GET /cgi-bin/test-cgi" 404 3566
210.226.77.18 - - [15/Jun/1999:15:15:55 +0200] "GET /cgi-bin/handler" 404 3566
210.226.77.18 - - [16/Jun/1999:13:31:40 +0200] "GET /cgi-bin/phf" 404 3566
210.226.77.18 - - [16/Jun/1999:13:31:42 +0200] "GET /cgi-bin/test-cgi" 404 3566
210.226.77.18 - - [16/Jun/1999:13:31:44 +0200] "GET /cgi-bin/handler" 404 3566
208.232.37.2 - - [17/Jun/1999:00:50:03 +0200] "GET /cgi-bin/phf" 404 3566
208.232.37.2 - - [17/Jun/1999:00:50:03 +0200] "GET /cgi-bin/test-cgi" 404 3566
208.232.37.2 - - [17/Jun/1999:00:50:04 +0200] "GET /cgi-bin/handler" 404 3566



And finally, of course, our popular expert from yesterday, who did not forget to visit this server as well:

207.240.53.137 - - [08/Jul/1999:20:34:19 +0200] "GET /cgi-bin/phf HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:34:21 +0200] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:34:22 +0200] "GET /cgi-bin/test-cgi HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:34:24 +0200] "GET /cgi-bin/php.cgi HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:34:26 +0200] "GET /cgi-bin/handler HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:34:28 +0200] "GET /cgi-bin/webgais HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:34:30 +0200] "GET /cgi-bin/websendmail HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:34:38 +0200] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:34:47 +0200] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:34:52 +0200] "GET /cgi-bin/htmlscript HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:34:57 +0200] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:35:01 +0200] "GET /cgi-bin/perl.exe HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:35:04 +0200] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:35:09 +0200] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 3566
207.240.53.137 - - [08/Jul/1999:20:35:14 +0200] "GET /cgi-bin/jj HTTP/1.0" 404 3566

Notice a few things. First of all, my file /etc/services seems to be getting rather too popular. I have no intention of distributing that file, and I can even argue my copyright on it ;-), and my system is pretty much in agreement with me there. Also worth noticing is IP address 210.226.77.18, which scanned my server twice in less than 24 hours. What if I had happened to add the phf script to my system in the meantime, eh ;-)

I also have to apologize for a slight inaccuracy: in my previous article I stated that the person in question was not interested in the phf script. The opposite is true; it is equally true, however, that on my home machine he showed no interest in phf (or the request for that script got lost somewhere in the dustbin of history, which is also fairly likely).

I have to admit, though, that I was intrigued by the existence of a program that works as a TCP port scanner and a web script scanner at the same time. Progress probably cannot be stopped.

But let us turn to other aspects of these attacks. It is worth noting that 99% of the attacks are aimed by IP address and not by domain name. I came to this conclusion because on virtual servers I have almost never encountered attacks of this type. True, four nested loops in the style of for(a=0;a<=255;a++) are, both in terms of programming simplicity and in terms of operational demands, considerably cheaper than searching the entire worldwide DNS.

One more thing deserves comment: I stated that the address in question belonged to Starnet Inc., whereupon I received a reply that the address belongs to Genuity, Inc., 4041 N. Central, Phoenix, Arizona 85016, USA. Yes, the IP address belongs to that company; the domain and reverse records, on the other hand, are registered to Starnet Inc. of Illinois, just so it is not too simple ;-). Nevertheless, I got in touch with Starnet and their mail robot replied (they are quite obviously used to various oddballs on their networks, though mostly ones engaged in spamming):

We have received your recent email message regarding spam abuse, or network abuse. Your message will be reviewed and appropriate action will be taken.

If you have any issues about spam abuse or internet abuse, please send email to postmaster or abuse respectively.

We have certain guidelines and acceptable use practice policies in which all members are bound. Anytime a member fails to follow these provisions and guidelines, their account will be dealt with as defined in the policy guidelines.

Accounts that have already been dealt with are posted on our Removed List which is updated real-time at http://www.popsite.net/kill.html.

The information that you have provided will be used to investigate the incident. Once the investigation is complete, the appropriate action will be taken.

We apologize for any inconvenience which may have been caused by this incident. We hope that we will be able to better serve your needs in the future.


What can one say to that? Only that I am curious what Starnet will answer me in the future. Independently of me, someone also contacted Genuity.

To tell the truth, I do not consider an unsolicited port scan or script scan to be an activity that should be a criminal offence. I do, however, consider it annoying and immoral. And it is up to each individual ISP to decide whether or not it will tolerate such activity on its network.


In closing, I want to thank everyone who got in touch... We now know that the attack from address 207.240.53.137 was not aimed at a single host, but that the person in question was probably scanning the whole Net (machines in network blocks beginning with 193, 194, 195 and 212 were hit, and probably in other blocks as well, but unfortunately I have no information on that).

When I go through my logs, I conclude that it averages about 1 attack per week. So we are still not up to the Pentagon, which boasts 50,000 attacks a day ;-)

But so that I do not devote myself to just one insignificant wretch: an unnamed person from Slovakia sent me the logs of his machine, and they testify that there are plenty of assorted would-be hackers whose stupidity seemingly knows no bounds:


localhost.sk - - [03/May/1999:20:15:42 +0200] "GET /cgi-bin/ash HTTP/1.0" 404 207
localhost.sk - - [03/May/1999:20:15:42 +0200] "GET /cgi-bin/bash HTTP/1.0" 404 207
localhost.sk - - [03/May/1999:20:15:43 +0200] "GET /cgi-bin/csh HTTP/1.0" 404 207
localhost.sk - - [03/May/1999:20:15:43 +0200] "GET /cgi-bin/ksh HTTP/1.0" 404 207
localhost.sk - - [03/May/1999:20:15:44 +0200] "GET /cgi-bin/sh HTTP/1.0" 404 207
localhost.sk - - [03/May/1999:20:15:44 +0200] "GET /cgi-bin/tcsh HTTP/1.0" 404 207
localhost.sk - - [03/May/1999:20:15:45 +0200] "GET /cgi-bin/zsh HTTP/1.0" 404 207
localhost.sk - - [03/May/1999:20:15:53 +0200] "GET //etc/passwd HTTP/1.0" 404 207

So, I say to myself, I will make one of those pseudo-hackers happy: when I find the time, I will write my own version of the phf script and let them have a go at it...

And finally, just a list of the CGI scripts that are the most popular targets of such pseudo-hackers (so, to be on the safe side, check your servers once more to make sure that scripts of these names are either not present at all, or present only in a secured version):

  • phf holds first place, with no competition
  • Count.cgi
  • test-cgi is a standard part of Apache; I recommend at least renaming it
  • handler
  • php.cgi
  • test-cgi
  • perl.exe
  • webgais
  • websendmail
  • webdist.cgi
  • faxsurvey
  • htmlscript
  • pfdisplay.cgi
  • wwwboard.pl
  • jj
  • aglimpse
  • mailto.cgi
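The observations above (a scanner shows up as a burst of requests for several of these script names from one address, the same address may be back within a day, and a 404 means something quite different from a script that actually answers) can be turned into a small log check. The following Python script is an added example and not part of the original article: it parses Apache common-log lines, groups requests for the listed CGI names per source address, and reports scanners, return visits within 24 hours, shell metacharacters in the request target, and above all any probe that did not get a 404. The sample lines are quoted from the article's own logs plus two constructed lines for the host 10.0.0.5; the 60-second window and the threshold of three distinct scripts are assumptions, as is the inclusion of campas and mailto.pl (seen in the logs) in the watchlist.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CGI names the article lists as favourite scanner targets, plus campas and
# mailto.pl, which appear in its log excerpts (assumed additions).
WATCHLIST = {
    "phf", "Count.cgi", "test-cgi", "handler", "php.cgi", "perl.exe", "webgais",
    "websendmail", "webdist.cgi", "faxsurvey", "htmlscript", "pfdisplay.cgi",
    "wwwboard.pl", "jj", "aglimpse", "mailto.cgi", "mailto.pl", "campas",
    "ews/ews/architext_query.pl",
}

# Apache common log format; the request line may lack "HTTP/1.x", as several
# lines in the article do.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[^"\s]+) (?P<target>[^"\s]+)(?: [^"\s]+)?" '
    r'(?P<status>\d{3}) \S+$'
)

# Shell metacharacters or encoded newlines in the target hint that the probe
# expects the CGI to hand its input to a shell.
INJECTION_HINT = re.compile(r'%0[ad]|[;|<>`]', re.IGNORECASE)


def parse_line(line):
    """Parse one common-log line into a dict; return None for anything else."""
    m = CLF.match(line.strip())
    if not m:
        return None
    return {"host": m["host"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "target": m["target"],
            "path": m["target"].partition("?")[0],
            "status": int(m["status"])}


def watchlist_name(path):
    """Return the watchlisted name for /cgi-bin/<name>[/extra], else None."""
    if not path.startswith("/cgi-bin/"):
        return None
    rest = path[len("/cgi-bin/"):]
    for name in WATCHLIST:
        if rest == name or rest.startswith(name + "/"):
            return name
    return None


def analyse(lines, window=timedelta(seconds=60), min_probes=3,
            revisit=timedelta(hours=24)):
    """Group watchlist probes per source host and describe each host's behaviour."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        name = rec and watchlist_name(rec["path"])
        if name:
            rec["name"] = name
            probes[rec["host"]].append(rec)
    report = {}
    for host, recs in probes.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        report[host] = {
            "probes": len(recs),
            "distinct": sorted({r["name"] for r in recs}),
            # A scanner asks for at least min_probes different scripts inside one
            # window; a single stray request for phf does not qualify.
            "scanner": any(
                len({x["name"] for x in recs[i:] if x["ts"] - r["ts"] <= window})
                >= min_probes for i, r in enumerate(recs)),
            # Visits are bursts separated by more than one window.
            "visits": 1 + sum(1 for g in gaps if g > window),
            # The article's 210.226.77.18 case: the same host back within a day.
            "revisit_within_day": any(window < g <= revisit for g in gaps),
            "injection": sorted({r["target"] for r in recs
                                 if INJECTION_HINT.search(r["target"])}),
            # Anything but 404 means the script exists here: the real alert.
            "hits": [(r["name"], r["status"]) for r in recs if r["status"] != 404],
        }
    return report


# Sample input: lines quoted from the article's logs, plus two constructed lines
# for host 10.0.0.5 (a phf request answered with 200, and a normal page hit).
SAMPLE_LOG = """\
210.226.77.18 - - [15/Jun/1999:15:15:52 +0200] "GET /cgi-bin/phf" 404 3566
210.226.77.18 - - [15/Jun/1999:15:15:53 +0200] "GET /cgi-bin/test-cgi" 404 3566
210.226.77.18 - - [15/Jun/1999:15:15:55 +0200] "GET /cgi-bin/handler" 404 3566
210.226.77.18 - - [16/Jun/1999:13:31:40 +0200] "GET /cgi-bin/phf" 404 3566
210.226.77.18 - - [16/Jun/1999:13:31:42 +0200] "GET /cgi-bin/test-cgi" 404 3566
210.226.77.18 - - [16/Jun/1999:13:31:44 +0200] "GET /cgi-bin/handler" 404 3566
204.149.55.25 - - [11/May/1999:12:09:54 +0200] "GET /cgi-bin/phf?Qalias=x%0aid" 404 3566
204.149.55.25 - - [11/May/1999:12:09:55 +0200] "GET /cgi-bin/php.cgi?/etc/services" 404 3566
204.149.55.25 - - [11/May/1999:12:10:08 +0200] "GET /cgi-bin/aglimpse/80|cat</etc/services;echo HTTP/1.0" 404 3566
204.149.55.25 - - [11/May/1999:12:10:10 +0200] "GET /cgi-bin/mailto.pl" 404 3566
10.0.0.5 - - [20/Jun/1999:08:00:00 +0200] "GET /cgi-bin/phf HTTP/1.0" 200 1210
10.0.0.5 - - [20/Jun/1999:08:00:05 +0200] "GET /index.html HTTP/1.0" 200 1800
"""

if __name__ == "__main__":
    for host, info in analyse(SAMPLE_LOG.splitlines()).items():
        flags = [k for k in ("scanner", "revisit_within_day") if info[k]]
        flags += ["injection-style target: " + t for t in info["injection"]]
        flags += ["HIT %s -> %d" % h for h in info["hits"]]
        print("%-15s %d probe(s), %d visit(s): %s"
              % (host, info["probes"], info["visits"], "; ".join(flags) or "-"))
```

Against a real log, call analyse(open("access_log").readlines()). A non-empty hits list is the entry to act on: a 404 only tells you the scanner went away empty-handed, while a 200 for one of these names means the script is installed and was reached, which is exactly the check the list above asks you to make.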
 

Reactions to the article:
 


 
3 March 2004, 21:59 Author: Míra (from 212.27.209.9) [whois]
browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Try this: http://www.webhits.de/visualroute/ maybe it will help you.
