Re: strange cgi-bin entry

From: Nikolai Alexandrov (
Date: 07/19/05

  • Next message: sh4k3sph3r3: "IPX over IPSec VPNs or SSL VPNs"
    Date: Tue, 19 Jul 2005 20:11:30 +0300

    It was a symlink. My question was somewhat whether a symlink in that
    directory (with owner root), linked to itself, could be used for any kind
    of attack (remote)... I deleted it. There is nothing unusual around that
    symlink... (I tried the following: "ln -s a a", and it gave me a similar
    link linked to itself, pretty dumb in fact). I guess some broken script
    made it. My previous way of creating graphics of the external IP used to
    work with CGIs like that. I played a while with it, and might have screwed
    up things... now it is gone. Sorry for the false alarm, and thank you
    all good people for your time and answers. Some of the posts led me to
    interesting sites... :). (e.g. Once again
    thank you all.

    ps: I wish there was a way more people could read all the stuff I got,
    it was very interesting, and the more I read this list, the more
    interesting it gets. Since I know disclosing private e-mails on a public
    list is somewhat a breach of netiquette, I humbly beg you to Cc your
    e-mails to the security-basics list... I am sure other people wouldn't mind
    reading interesting stuff too :). wrote:

    >I would have suggested copying that cgi file to a disk or something to
    >analyse it. You might have been able to view the file using cat and seeing
    >what the script did.
    >>Hello out there, I want to ask you about a strange entry I noted in my
    >>/cgi-bin directory...
    >>ls -la
    >>lrwxrwxrwx 1 root root 10 2005-07-08 14:11 AAA.BBB.CCC.DDD.cgi ->
    >>where AAA.BBB.CCC.DDD is a real IP address. I removed the link, and am
    >>pretty sure I didn't create it... It is the only entry in the
    >>/cgi-bin. My question is: Could this mean my box is compromised? And if
    >>so... what should I do next? (reinstall is not a good answer in my case)
    >>Thank you in advance.
    >>ps: I nmapped the questioned host (from outside), and no unknown (open)
    >>ports were found. Also netstat -nta did not show anything unusual.
    >>Logcheck also seemed normal (but if the host is compromised I know I
    >>cannot trust the software I run on the same host).
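As an added example (not part of the thread or any poster's code), a small POSIX shell check that audits a directory such as /cgi-bin for the kind of self-referential symlink discussed above ("ln -s a a") and for dangling links, reporting each one so it can be looked at before anything is deleted. The directory path and the output format are my own assumptions.

```shell
#!/bin/sh
# Audit a directory for symlinks that cannot be resolved.
# Two kinds are reported:
#   SELF_LOOP  - the link's raw target names the link itself ("ln -s a a")
#   DANGLING   - the target does not exist (a two-link cycle a->b->a also
#                lands here, because stat() fails with ELOOP either way)
# Output: one line per problem link, "<kind> <link> -> <raw target>".
# Exit status: 0 if the directory is clean, 1 if anything was reported.
audit_symlinks() {
    dir=$1
    found=0
    # Cover normal and dot-prefixed entries; unmatched globs stay literal
    # and are skipped by the -L test below.
    for link in "$dir"/* "$dir"/.[!.]*; do
        [ -L "$link" ] || continue        # only symlinks are of interest
        target=$(readlink "$link")        # raw target, NOT resolved
        [ -e "$link" ] && continue        # resolves fine; nothing to report
        name=$(basename "$link")
        # A self-reference can be written relative, ./relative, or absolute.
        case "$target" in
            "$name"|"./$name"|"$link") kind=SELF_LOOP ;;
            *)                         kind=DANGLING ;;
        esac
        printf '%s %s -> %s\n' "$kind" "$link" "$target"
        found=1
    done
    return $found
}

# Usage: audit_symlinks /path/to/cgi-bin
```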
