Re: strange cgi-bin entry
From: Nikolai Alexandrov (voyager123bg_at_gmail.com)
Date: Tue, 19 Jul 2005 20:11:30 +0300 To: firstname.lastname@example.org
It was a symlink. My question was somewhat whether a symlink in that
directory (with owner root), linked to itself, could be used for any kind
of attack (remote)... I deleted it. There is nothing unusual around that
symlink... (I tried the following: "ln -s a a", and it gave me a similar
link linked to itself, pretty dumb in fact). I guess some broken script
made it. My previous way of creating graphics of the external IP used to
work with CGIs like that. I played a while with it, and might have screwed
up things... now it is gone. Sorry for the false alarm, and thank you
all good people for your time and answers. Some of the posts led me to
interesting sites... :). (e.g. http://www.portknocking.org/). Once again
thank you all.
ps: I wish there was a way more people could read all the stuff I got,
it was very interesting, and the more I read this list, the more
interesting it gets. Since I know disclosing private e-mails on a public
list is somewhat of a breach of netiquette, I humbly beg you to Cc your
e-mails to the security-basics list... I am sure other people wouldn't mind
reading interesting stuff too :).
>I would have suggested copying that cgi file to a disk or something to
>analyse it. You might have been able to view the file using cat and seeing
>what the script did.
>>Hello out there, I want to ask you about a strange entry I noted in my
>>lrwxrwxrwx 1 root root 10 2005-07-08 14:11 AAA.BBB.CCC.DDD.cgi ->
>>where AAA.BBB.CCC.DDD is a real IP address. I removed the link, and am
>>pretty sure I didn't create it... It is the only entry in the
>>/cgi-bin. My question is: Could this mean my box is compromised? And if
>>so... what should I do next? (reinstall is not a good answer in my case)
>>Thank you in advance.
>>ps: I nmapped the questioned host (from outside), and no unknown (open)
>>ports were found. Also netstat -nta did not show anything unusual.
>>Logcheck also seemed normal (but if the host is compromised I know I
>>cannot trust the software I run on the same host).