Re: strange cgi-bin entry

From: Nikolai Alexandrov (voyager123bg_at_gmail.com)
Date: 07/19/05

  • Next message: sh4k3sph3r3: "IPX over IPSec VPNs or SSL VPNs"
    Date: Tue, 19 Jul 2005 20:11:30 +0300
    To: mike@genxweb.net
    
    

    It was a symlink. My question was somewhat whether a symlink in that
    directory (with owner root), linked to itself, could be used for any kind
    of attack (remote)... I deleted it. There is nothing unusual around that
    symlink... (I tried the following: "ln -s a a", and it gave me a similar
    link linked to itself, pretty dumb in fact). I guess some broken script
    made it. My previous way of creating graphics of the external IP used to
    work with CGIs like that. I played a while with it, and might have screwed
    up things... now it is gone. Sorry for the false alarm, and thank you
    all good people for your time and answers. Some of the posts led me to
    interesting sites... :). (e.g. http://www.portknocking.org/). Once again
    thank you all.

    ps: I wish there was a way more people could read all the stuff I got,
    it was very interesting, and the more I read this list, the more
    interesting it gets. Since I know disclosing private e-mails on a public
    list is somewhat a breach of netiquette, I humbly beg you to Cc your
    e-mails to the security-basics list... I am sure other people wouldn't mind
    reading interesting stuff too :).

    mike@genxweb.net wrote:

    >I would have suggested copying that cgi file to a disk or something to
    >analyse it. You might have been able to view the file using cat and seeing
    >what the script did.
    >
    >
    >
    >>Hello out there, I want to ask you about a strange entry I noted in my
    >>/cgi-bin directory...
    >>ls -la
    >>lrwxrwxrwx 1 root root 10 2005-07-08 14:11 AAA.BBB.CCC.DDD.cgi ->
    >>AAA.BBB.CCC.DDD.cgi
    >>
    >>where AAA.BBB.CCC.DDD is a real IP address. I removed the link, and am
    >>pretty sure I didn't create it... It is the only entry in the
    >>/cgi-bin. My question is: Could this mean my box is compromised? And if
    >>so... what should I do next? (reinstall is not a good answer in my case)
    >>Thank you in advance.
    >>
    >>ps: I nmapped the questioned host (from outside), and no unknown (open)
    >>ports were found. Also netstat -nta did not show anything unusual.
    >>Logcheck also seemed normal (but if the host is compromised I know I
    >>cannot trust the software I run on the same host).
    >>
    >>
    >>
    >
    >
    >
    >

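The thread above never settles what a symlink pointing at its own name in cgi-bin can do, but the check a practitioner would actually run is simple: list every symlink in the CGI directory that cannot be resolved (a self-referential link such as the one `ln -s a a` creates never resolves, the kernel returns ELOOP) and, separately, every symlink whose resolved target lies outside cgi-bin, which is the one that would matter if the web server executed it. The following is an added example written for this page, not code from the original posters; the directory it builds with `make_demo_tree`, the file names in it (`status.cgi`, `alias.cgi`, `dangling.cgi`, `leak.cgi`, `secret.txt`) and the function names are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original thread: a small audit of a cgi-bin
# directory for symlinks that cannot be resolved (a link pointing at itself,
# as "ln -s a a" makes, never resolves and gives ELOOP) and for symlinks that
# resolve to a path outside the directory. The sample tree is constructed here.

# Print the names of symlinks in DIR that do not resolve to an existing file.
# A self-referential link and a dangling link both fail the -e test, because
# -e follows the link and the kernel cannot reach a final target.
find_unresolvable_links() {
    dir="$1"
    for f in "$dir"/*; do
        [ -L "$f" ] || continue
        [ -e "$f" ] || printf '%s\n' "$(basename "$f")"
    done | LC_ALL=C sort
}

# Print "name -> resolved target" for symlinks in DIR whose final target lies
# outside DIR. Links that cannot be resolved at all are skipped here; the
# function above reports those.
find_escaping_links() {
    dir="$(cd "$1" && pwd -P)"
    for f in "$dir"/*; do
        [ -L "$f" ] || continue
        target="$(readlink -f "$f" 2>/dev/null)" || continue
        [ -n "$target" ] || continue
        case "$target" in
            "$dir"/*) ;;                                   # stays inside cgi-bin
            *) printf '%s -> %s\n' "$(basename "$f")" "$target" ;;
        esac
    done | LC_ALL=C sort
}

# Build a throwaway tree that mimics the situation in the thread (constructed
# sample data, hypothetical names) and print its path.
make_demo_tree() {
    root="$(mktemp -d)"
    mkdir "$root/cgi-bin"
    : > "$root/cgi-bin/status.cgi"
    : > "$root/secret.txt"
    # Harmless: points at a file inside the same directory.
    ln -s status.cgi "$root/cgi-bin/alias.cgi"
    # The entry from the post: a link whose target is its own name.
    ln -s AAA.BBB.CCC.DDD.cgi "$root/cgi-bin/AAA.BBB.CCC.DDD.cgi"
    # Dangling: the target simply does not exist.
    ln -s missing.cgi "$root/cgi-bin/dangling.cgi"
    # Escaping: resolves to a file outside cgi-bin.
    ln -s ../secret.txt "$root/cgi-bin/leak.cgi"
    printf '%s\n' "$root"
}

demo="$(make_demo_tree)"
echo "symlinks that cannot be resolved:"
find_unresolvable_links "$demo/cgi-bin"
echo "symlinks that resolve outside cgi-bin:"
find_escaping_links "$demo/cgi-bin"
rm -rf "$demo"
```

Run against a real server, point both functions at the actual cgi-bin path instead of the demo tree. The self-referential link from the post shows up only in the first list: it is noise to the web server (any attempt to open it fails with ELOOP), whereas an entry in the second list is a CGI name that would execute a file from elsewhere on the box and deserves the "copy it off and read it" treatment suggested in the thread.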
