[Dshield] RE: Any threats here?

Michael Johnson mike at holmesandturner.com
Tue Jun 25 14:17:33 GMT 2002


Most of these are Nimda and Code Red worms, which are not dangerous for
Apache. I highlighted a few that may be a problem:

> /users
> /squirrel
Not sure about these two. Do these URLs exist?


> /cobalt-images/welcome2.gif
This may be an attempt to find out if the machine is a Cobalt RaQ or
Cube. They have some special problems people sometimes exploit.

> /favicon.ico
Most browsers these days look for 'favicon.ico' to include it in the URL
bar or bookmark. No threat.


> /request/failed/index_failed.htm
Hmm. Not sure what this is about. Maybe someone wants to get the banner
your web server spits out for failed requests? Sometimes these banners
are telling...


> /~administration
Don't know for sure about this either. Could be someone looking for an
admin interface.


> /cgi-bin/formmail.cgi
This is a 'classic': There is a widely spread 'formmail' script people
use to email results from a form submission to a user. However, these
scripts have the problem that they also allow spammers to send mail to
arbitrary addresses.




-- 
---------------------------------------------------------------
jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
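
An added example, not part of the original message: one way to run the triage described in the reply over an Apache access log, flagging only probes that received a non-error status (the "do these URLs exist?" question). The Code Red and Nimda patterns are the commonly seen request signatures of those worms and are not taken from the post; the log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Path rules. The worm patterns are the well-known IIS-targeted requests
# (an assumption, not from the post); the others follow the reply above.
RULES = [
    ("code-red", re.compile(r"^/default\.ida\?", re.I)),
    ("nimda", re.compile(r"(cmd|root)\.exe", re.I)),
    ("formmail-probe", re.compile(r"^/cgi-bin/formmail\.(cgi|pl)", re.I)),
    ("cobalt-fingerprint", re.compile(r"^/cobalt-images/", re.I)),
    ("benign-browser", re.compile(r"^/favicon\.ico$", re.I)),
]
PROBES = {"code-red", "nimda", "formmail-probe", "cobalt-fingerprint"}

# Apache common log format: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [25/Jun/2002:10:00:01 +0000] "GET /default.ida?NNNNNNNN HTTP/1.0" 404 283',
    '192.0.2.11 - - [25/Jun/2002:10:00:05 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280',
    '198.51.100.7 - - [25/Jun/2002:10:01:12 +0000] "GET /cgi-bin/formmail.cgi HTTP/1.0" 200 512',
    '198.51.100.8 - - [25/Jun/2002:10:02:30 +0000] "GET /cobalt-images/welcome2.gif HTTP/1.0" 404 290',
    '203.0.113.5 - - [25/Jun/2002:10:03:44 +0000] "GET /favicon.ico HTTP/1.1" 404 285',
    '203.0.113.6 - - [25/Jun/2002:10:04:02 +0000] "GET /~administration HTTP/1.0" 404 288',
]

def classify(path):
    for label, rx in RULES:
        if rx.search(path):
            return label
    return "unclassified"  # left for a human to look at

def triage(lines):
    """Return ({label: [(client, path, status)]}, [probes that were served])."""
    hits, review = defaultdict(list), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path, status = m.group(1), m.group(2), int(m.group(3))
        label = classify(path)
        hits[label].append((client, path, status))
        # A probe answered with 2xx/3xx means the target exists on this server.
        if label in PROBES and status < 400:
            review.append((label, path, status))
    return dict(hits), review
```

On the sample, only the formmail request lands in the review list because it was answered with 200; the worm requests and the Cobalt fingerprint all returned 404.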