RE: A small quandary

From: Rob Shein (shoten@starpower.net)
Date: 12/06/02

    From: "Rob Shein" <shoten@starpower.net>
    To: "'Mahoney, Paul'" <paul@fiberstarr.com>, <incidents@securityfocus.com>
    Date: Fri, 6 Dec 2002 10:57:06 -0500

    If what you're asking is if it could be some way that he might not be
    aware of/responsible for this probe, the best and surest way to tell is
    to do forensics on the originating machine. The ways in which this
    attack could (theoretically) be taking place without his knowledge are
    many, and if he would retaliate, your best defense is to have a solid
    body of evidence that he was responsible instead of a worm, trojan
    horse, backdoor or other user. It sounds like you'll need to commit
    fully to the effort. Personally, I would definitely consult an attorney
    who is familiar with cybercrime, and see about having the computer
    seized without warning for forensic analysis if at all possible. Once
    that is accomplished, any claims about having been trojaned or the
    victim of a virus/worm can be proven or disproven with great reliability
    and integrity.

    -----Original Message-----
    From: Mahoney, Paul [mailto:paul@fiberstarr.com]
    Sent: Wednesday, December 04, 2002 11:30 PM
    To: incidents@securityfocus.com
    Subject: A small quandary

    Hi all,

    I have in my possession a log file that implicates a business
    acquaintance who, to say the least, might have the attitude to mount an
    offensive.

    The log file contains many entries like:

    404

    /cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output_number=10
    /perl/ 1 -
    /cgi-bin/test-cgi.bat?|ver 1 -
    /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: 1 -
    /cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini 1 -
    /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\

    My question to everyone out there is: would anyone be able to tell me if
    this kind of attack has the fingerprints of any known software/viruses
    in the field, or is it a deliberate attempt to gain access to my client's
    site?

    Your thoughts are welcomed

    Paul Mahoney
    Director
    FiberStarr Systems
    www.fiberstarr.com

    ------------------------------------------------------------------------

    ----
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
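Added example (not part of Rob Shein's reply or Paul Mahoney's post): a small Python classifier that sorts request paths like the ones quoted above by the shape of the probe. It does not answer the attribution question the thread is about; what it does is give each entry a generic tag (overlong-UTF-8 and double-decode directory traversal of the kind IIS accepted, an attempt to reach cmd.exe, shell metacharacters in a CGI parameter, a long "../" run in a parameter), work out whether the payload is aimed at Windows or Unix, and flag any tagged request that did not come back as 404, since those are the ones to look at before anything else. The tag names, the hint patterns and the sample log (the poster's paths with a status column in front of each, plus two benign lines) are all constructed for this example and attribute nothing to a particular worm or scanner.

```python
import re
from typing import Dict, Optional, Set, Tuple
from urllib.parse import unquote, unquote_plus

# Constructed sample: the request paths quoted in the post, each prefixed with
# the status code, plus two benign requests so the classifier has something to ignore.
SAMPLE_LOG = r"""
404 /cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output_number=10
404 /perl/
404 /cgi-bin/test-cgi.bat?|ver
404 /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:
404 /cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini
404 /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\
200 /index.html
200 /images/logo.gif
"""

# Overlong UTF-8 encodings of "/" and "\" that the IIS Unicode traversal bug accepted.
OVERLONG_SEP = re.compile(r"%c0%af|%c1%9c", re.I)
# Platform hints (assumed list for this example; extend to taste).
WINDOWS_HINT = re.compile(r"winnt|cmd\.exe|win\.ini|\.bat\b", re.I)
UNIX_HINT = re.compile(r"/etc/passwd|/bin/sh", re.I)
# Shell metacharacters that have no business in a CGI query string.
SHELL_META = re.compile(r"[;|`]")
# Two or more "../" in a row inside a parameter value.
DOTDOT_RUN = re.compile(r"(\.\./){2,}")


def classify(path: str) -> Tuple[Set[str], Optional[str]]:
    """Return (signature tags, target platform or None) for one request path."""
    once = unquote(path, errors="replace")   # one decode, as a conforming server does
    twice = unquote(once, errors="replace")  # second decode, as the double-decode bug did
    # Query string after the first decode, with '+' turned into spaces.
    query = unquote_plus(once.split("?", 1)[1]) if "?" in once else ""

    tags: Set[str] = set()
    if OVERLONG_SEP.search(path):
        tags.add("iis-unicode-traversal")
    if ".." not in once and ".." in twice:
        # Traversal only appears after decoding twice: the %252e trick.
        tags.add("iis-double-decode-traversal")
    if "cmd.exe" in twice.lower():
        tags.add("cmd.exe-invocation")
    if DOTDOT_RUN.search(query):
        tags.add("parameter-path-traversal")
    if SHELL_META.search(query):
        tags.add("cgi-command-injection")

    platform: Optional[str] = None
    if WINDOWS_HINT.search(twice):
        platform = "windows"
    elif UNIX_HINT.search(twice):
        platform = "unix"
    return tags, platform


def summarize(log_text: str) -> Dict[str, object]:
    """Tag every request in a 'STATUS PATH' log excerpt and summarise what the probes target."""
    tag_counts: Dict[str, int] = {}
    platforms: Set[str] = set()
    answered = []  # tagged requests that did NOT fail: follow these up first
    tagged = 0
    for line in log_text.strip().splitlines():
        status, path = line.split(None, 1)
        tags, platform = classify(path)
        if not tags:
            continue
        tagged += 1
        for tag in tags:
            tag_counts[tag] = tag_counts.get(tag, 0) + 1
        if platform:
            platforms.add(platform)
        if status != "404":
            answered.append((status, path))
    return {
        "tagged": tagged,
        "tags": tag_counts,
        "platforms": platforms,
        # Windows and Unix payloads against one host: the sender is not tailoring
        # the probes to this server's platform.
        "mixed_platform": len(platforms) > 1,
        "answered": answered,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The per-request tags are what you would compare against a signature list or an IDS ruleset; the "answered" list is the part worth checking by hand, because a 404 on cmd.exe is noise while a 200 is an incident.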