Subject: Strange logs in web-server...
To: None <netbsd-help@netbsd.org>
From: Richard Rauch <rkr@olib.org>
List: netbsd-help
Date: 09/23/2004 19:43:17
This seems like the most informative group to ask about this.  The question is
kind of a mixture of security and curiosity.

I have seen people trying to run "formmail" (or similar) CGI scripts on my
web-server.  I normally just toss them into a blackhole list (IPF filter
list).  However, of late, I've noticed a new variation: I seem to get runs
in quick succession of IP attempts by widely varying IP numbers.  Here are
3 lines from today:

200.66.98.39 - - [23/Sep/2004:17:21:32 -0500] "POST /scripts/formmail.pl HTTP/1.0" 404 371 "http://www.olib.org/" "-" 200.66.98.39
ua-213-115-201-207.cust.bredbandsbolaget.se - - [23/Sep/2004:17:21:31 -0500] "POST /cgi-bin/enquiry.pl HTTP/1.1" 404 370 "http://www.olib.org/" "-" 213.115.201.207
dpvc-68-161-240-236.ny325.east.verizon.net - - [23/Sep/2004:17:21:33 -0500] "POST /cgi-bin/formmail/formmail.cgi HTTP/1.0" 404 381 "http://www.olib.org/" "-" 68.161.240.236


The format is basically Apache's "combined" format, with the IP number
submitted to reverse-DNS (my server is low-traffic and I'm serving
from a DSL setup).  I have found some people have operated systems
whose reverse-DNS is invalid, so I've modified the "combined" log to
include a trailing raw IP number.


Now I see 3, apparently related, attempts to run differently-named
CGI scripts on my server.  I never seem to get just a single attempt
in isolation, so I assume that these three lines (logged
over a 3-second span) are related.  The fact that they go after
differently-named scripts further suggests coordination.

The scattered IP numbers suggest that they are not in one place.
(Unless a relatively close router has been hacked and the IP numbers
are being spoofed...)


Have others been seeing this kind of thing in web server logs?
I rather doubt that I've been singled out for special attention.  (^&

(I have, in the past, seen a single IP number attempt to run a
number of CGI scripts---variations on a theme, such as "formmail.pl",
"formmail.cgi", etc.)

-- 
  "I probably don't know what I'm talking about."  http://www.olib.org/~rkr/
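As an added example (not part of the post above, nor any NetBSD or Apache code), here is a small Python script that parses the modified "combined" format described in the message, with the trailing raw IP field, and flags the pattern the poster noticed: several POSTs to CGI-looking paths arriving from distinct source addresses within a few seconds. The sample input is the three lines quoted in the post plus one made-up benign GET; the path heuristic, the 5-second window and the minimum-sources threshold are assumptions chosen for illustration, not a published signature.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample input: the three lines quoted in the post, plus one
# made-up benign GET (RFC 5737 test address) so a non-match is visible.
SAMPLE_LOG = """\
200.66.98.39 - - [23/Sep/2004:17:21:32 -0500] "POST /scripts/formmail.pl HTTP/1.0" 404 371 "http://www.olib.org/" "-" 200.66.98.39
ua-213-115-201-207.cust.bredbandsbolaget.se - - [23/Sep/2004:17:21:31 -0500] "POST /cgi-bin/enquiry.pl HTTP/1.1" 404 370 "http://www.olib.org/" "-" 213.115.201.207
dpvc-68-161-240-236.ny325.east.verizon.net - - [23/Sep/2004:17:21:33 -0500] "POST /cgi-bin/formmail/formmail.cgi HTTP/1.0" 404 381 "http://www.olib.org/" "-" 68.161.240.236
192.0.2.10 - - [23/Sep/2004:17:25:00 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0" 192.0.2.10
"""

# Apache "combined" format with the poster's extra trailing raw-IP field
# (made optional so a stock combined log still parses).
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<rawip>\S+))?\s*$'
)

# Assumed heuristic for the mail-relay CGI probes the post describes:
# anything under /cgi-bin/ or /scripts/, or a path mentioning "formmail".
SUSPECT_PATH_RE = re.compile(r'(?i)^/(?:cgi-bin|scripts)/|formmail')


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    # Without the trailing raw IP, the first field is all we have.
    d["rawip"] = d["rawip"] or d["host"]
    # With reverse DNS enabled, host == raw IP means the lookup failed.
    d["reverse_dns_failed"] = d["host"] == d["rawip"]
    return d


def parse_log(text: str) -> List[Dict]:
    """Parse every non-empty line, silently skipping malformed ones."""
    parsed = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in parsed if e is not None]


def is_suspect(e: Dict) -> bool:
    """A POST to a CGI-looking path; a 404 just means the script is absent."""
    return e["method"] == "POST" and bool(SUSPECT_PATH_RE.search(e["path"]))


def find_clusters(entries: List[Dict],
                  window: timedelta = timedelta(seconds=5),
                  min_sources: int = 2) -> List[Dict]:
    """Group suspect requests that fall within `window` of each other and
    report groups that come from at least `min_sources` distinct raw IPs."""
    hits = sorted((e for e in entries if is_suspect(e)), key=lambda e: e["ts"])
    clusters = []
    i = 0
    while i < len(hits):
        j = i
        # Extend the group while the next hit is within the window of the first.
        while j + 1 < len(hits) and hits[j + 1]["ts"] - hits[i]["ts"] <= window:
            j += 1
        group = hits[i:j + 1]
        sources = sorted({e["rawip"] for e in group})
        if len(sources) >= min_sources:
            clusters.append({
                "start": group[0]["ts"],
                "end": group[-1]["ts"],
                "sources": sources,
                "paths": [e["path"] for e in group],
            })
        i = j + 1
    return clusters


if __name__ == "__main__":
    for c in find_clusters(parse_log(SAMPLE_LOG)):
        span = (c["end"] - c["start"]).total_seconds()
        print(f"{len(c['sources'])} sources in {span:.0f}s: {c['sources']}")
        for p in c["paths"]:
            print("   ", p)
```

On the three quoted lines this reports one cluster spanning two seconds with three distinct sources, which is exactly the "coordinated, differently-named scripts" pattern the post asks about; a single host walking through formmail variants would instead produce a group with one source and would not be reported at the default threshold. The `reverse_dns_failed` flag records the case the poster worked around by appending the raw IP, so a log without that field can still be checked.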