The FreeBSD Diary

The FreeBSD Diary (TM)

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.

Things look quiet here. But I've been doing a lot of blogging at because I prefer WordPress now. Not all my posts there are FreeBSD related. I am in the midst of migrating The FreeBSD Diary over to WordPress (and you can read about that here). Once the migration is completed, I'll move the FreeBSD posts into the new FreeBSD Diary website.

I was probed! The security worked. 2 February 1999
Need more help on this topic? Click here
This article has no comments
Show me similar articles
Tonight I checked my security logs and found some interesting items.  I'm going to show you what they were in the hopes that you can recognize them should you seem them in your logs.

I also recommend as a good place to start if you want to check the security of your site.

The logs
Feb  2 17:34:20 ns telnetd[29665]: refused connect from
Feb  2 17:34:20 ns telnetd[29667]: refused connect from

This is output from tcp_wrapper telling us that it refused connection to the cracker.  This is good.

Feb  2 17:34:25 ns sendmail[29666]: NOQUEUE: Null connection from 
Feb  2 17:34:51 ns sendmail[29668]: NOQUEUE: Null connection from 

Again, tcp_wrapper again.  And I'm not sure what this message means but it might be the cracker just wanted to see the sendmail banners.   Sendmail prior to 8.9.2 does not disable mail relay by default.

"GET /cgi-bin/phf HTTP/1.0" 404 164
"GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
"GET /cgi-bin/test-cgi HTTP/1.0" 404 169
"GET /cgi-bin/php.cgi HTTP/1.0" 404 168
"GET /cgi-bin/handler HTTP/1.0" 404 168
"GET /cgi-bin/webgais HTTP/1.0" 404 168
"GET /cgi-bin/websendmail HTTP/1.0" 404 172
"GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
"GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
"GET /cgi-bin/htmlscript HTTP/1.0" 404 171
"GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
"GET /cgi-bin/perl.exe HTTP/1.0" 404 169
"GET /cgi-bin/ HTTP/1.0" 404 172
"GET /cgi-bin/ews/ews/ HTTP/1.0" 404 187
"GET /cgi-bin/jj HTTP/1.0" 404 163  

This represents probes for cgi_bin scripts which contain known exploits.   In short, they were looking for holes in the software.  They didn't find any of those programs.  httpd-error.log confirms this.  If you don't need a script, delete it.

Do the right thing
Your site has been probed.  What do you do?  You find out what happened, fix it, and make sure it doesn't happen again.  But that's not all.  You should also inform the admins at the site from which the attack was launched.  In the above case, it seems as if the cracker had root access to the name server.   We admins have to stick together.  It is only polite to inform them what happened.  It may also be that they are unaware of the compromise.  Any information can be useful.

I sent email containing the above details, including the time zone in which these times occurred, to  But it bounced.  It seems their domain was down.   So then I did a whois to find out who to send it to.  I used the addressed I found below.

[root@ns:/var/log] # whois

Cowichan Valley Virtual Mall (CVVM-DOM)
   103 - 2700 Beverly St
   Duncan, BC V9L5C7

   Domain Name: CVVM.COM

   Administrative Contact:
      Goodliffe, M  (MG2727)  myke@ISLAND.NET
   Technical Contact, Zone Contact:
      Fraser, Tony  (TF1661)  frasert@ISLANDNET.COM
   Billing Contact:
      Goodliffe, M  (MG2727)  myke@ISLAND.NET

   Record last updated on 11-Jun-98.
   Database last updated on 31-Jan-99 07:05:37 EST.

   Domain servers in listed order:

Please, if you have any comments regarding this, or any other article, add your comments.
Need more help on this topic? Click here
This article has no comments
Show me similar articles