06.28.04
Wipeout
Holy cats… One of our sites got a quick rundown of vulnerability probes on Saturday. The script that’s doing this is looking for easy-to-hack entry points, usually scripts that are insecure. Here’s an edited rundown of the traffic we saw:
[Jun 26 16:27] [141.158.065.245] script not found: /cgi-bin/formmail.pl
[Jun 26 16:27] [209.026.056.010] script not found: /cgi-bin/contact.cgi
[Jun 26 16:27] [148.244.150.052] script not found: /cgi-bin/mailform.pl
[Jun 26 16:27] [062.087.154.034] script not found: /cgi-bin/formmail.cgi
[Jun 26 16:27] [193.172.150.002] script not found: /cgi-bin/FormMail.pl
[Jun 26 16:27] [146.101.066.159] script not found: /www/www.{domain}.com/mail.cgi
[Jun 26 16:28] [066.015.111.202] script not found: /cgi-bin/fmail.pl
[Jun 26 16:28] [193.144.127.011] script not found: /cgi-bin/form.cgi
[Jun 26 16:28] [213.215.169.210] script not found: /cgi-bin/contact.pl
[Jun 26 16:28] [208.185.016.039] script not found: /cgi-bin/mail.cgi
[Jun 26 16:28] [213.156.052.229] script not found: /www/www.{domain}.com/formmail.pl
[Jun 26 16:28] [066.043.173.226] script not found: /cgi-bin/feedback.cgi
[Jun 26 16:28] [066.144.004.003] script not found: /www/www.{domain}.com/contact.cgi
[Jun 26 16:28] [065.016.119.034] File does not exist: /www/www.{domain}.com/form-bin/deliver
[Jun 26 16:28] [168.143.113.138] script not found: /cgi-bin/cgiemail
[Jun 26 16:28] [162.006.217.199] script not found: /cgi-bin/cgiemail
[Jun 26 16:28] [141.158.065.245] script not found: /cgi-bin/form.pl
[Jun 26 16:29] [209.184.108.162] script not found: /cgi-bin/mailform.cgi
[Jun 26 16:29] [205.141.207.226] script not found: /cgi-bin/feedback.pl
[Jun 26 16:29] [168.143.113.138] script not found: /cgi-bin/mail.pl
[Jun 26 16:29] [193.144.127.011] script not found: /cgi-bin/sender.pl
[Jun 26 16:29] [066.234.235.202] script not found: /cgi-bin/mailer
[Jun 26 16:29] [194.212.229.228] script not found: /cgi-bin/ezformml.cgi
In a three-minute span we had hits from all of these IP addresses, which are zombie servers, I’m sure. I wish I had the time to track them down, but maybe this will help someone on the LazyWeb.
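
An added detection example, not part of the original post: almost every address in the excerpt above makes only one or two requests, so a per-IP rate limit never trips, and the sweep only shows up when not-found hits for mailer script names are grouped across sources inside a time window. The function names, the thresholds, the year and the final `192.0.2.10` line are assumptions made for the illustration; the other sample lines are copied from the excerpt.

```python
import re
from datetime import datetime, timedelta

# Script stems probed in the log excerpt above (form-to-mail handlers).
MAILER_STEMS = {"formmail", "contact", "mailform", "mail", "fmail", "form",
                "feedback", "deliver", "cgiemail", "sender", "mailer", "ezformml"}

LINE_RE = re.compile(
    r"\[(\w{3} \d{1,2} \d{2}:\d{2})\] \[([\d.]+)\] "
    r"(?:script not found|File does not exist): (\S+)")

def parse(line, year=2004):
    """Return (timestamp, ip, stem) for a not-found line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The log carries no year, so one is assumed to build a full timestamp.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M")
    stem = m.group(3).rsplit("/", 1)[-1].rsplit(".", 1)[0].lower()
    return ts, m.group(2), stem

def distributed_probe(lines, window=timedelta(minutes=5), min_ips=5, min_stems=5):
    """Flag a sweep: many sources, many mailer names, all missing, one window."""
    hits = sorted(h for h in map(parse, lines) if h and h[2] in MAILER_STEMS)
    for i, (start, _, _) in enumerate(hits):
        in_win = [h for h in hits[i:] if h[0] - start <= window]
        ips = {h[1] for h in in_win}
        stems = {h[2] for h in in_win}
        if len(ips) >= min_ips and len(stems) >= min_stems:
            busiest = max(sum(1 for h in in_win if h[1] == ip) for ip in ips)
            return {"start": start, "ips": len(ips),
                    "stems": sorted(stems), "max_per_ip": busiest}
    return None

SAMPLE = """\
[Jun 26 16:27] [141.158.065.245] script not found: /cgi-bin/formmail.pl
[Jun 26 16:27] [209.026.056.010] script not found: /cgi-bin/contact.cgi
[Jun 26 16:27] [148.244.150.052] script not found: /cgi-bin/mailform.pl
[Jun 26 16:28] [066.015.111.202] script not found: /cgi-bin/fmail.pl
[Jun 26 16:28] [065.016.119.034] File does not exist: /www/www.{domain}.com/form-bin/deliver
[Jun 26 16:28] [168.143.113.138] script not found: /cgi-bin/cgiemail
[Jun 26 16:28] [141.158.065.245] script not found: /cgi-bin/form.pl
[Jun 26 16:29] [194.212.229.228] script not found: /cgi-bin/ezformml.cgi
[Jun 26 16:40] [192.0.2.10] File does not exist: /www/www.{domain}.com/favicon.ico
""".splitlines()

if __name__ == "__main__":
    print(distributed_probe(SAMPLE))
```

The `max_per_ip` field in the result is the useful signal: a low value next to a high `ips` count is what separates a distributed sweep from one noisy client.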