Dru has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

I was contacted by one of our webadmins, because there were a ton of log entries in their webserver logs which show:

http://66.220.25.153/cgi-bin/nph-blizzard.cgi/0000000A/06131970/http/www.acme.com/template/search_results.cfm?searchterms=Corona+Networks
http://216.127.82.63/cgi-bin/nph-blizzard.cgi/0000000A/06131970/http/www.acme.com/template/search_results.cfm?searchterms=Factiva
http://198.69.224.170/cgi-bin/nph-blizzard.cgi/0000000A/06131970/http/www.acme.com/template/search_results.cfm?searchterms=Salomon+Smith+Barney
http://66.220.25.153/cgi-bin/nph-blizzard.cgi/0000000A/06131970/http/www.acme.com/template/search_results.cfm?searchterms=Business+Objects
http://208.234.7.90/cgi-bin/nph-blizz.cgi/0000000A/06131970/http/www.acme.com/template/search_results.cfm?searchterms=NationsBank
I went to one of these sites and it's some type of CGI form. I try to enter a website address, but I get a stupid page that says "Say Hi to Chico." You are probably wondering why I'm posting this to PM. Well, I did a search on google (both groups and search engine) for CGI-based ppppp, ppppp, nph-blizzard, but didn't find anything. I figured someone here might have seen this before and could tell me what this CGI script does, so I can determine if it's malicious or not and block these IPs at our firewall. I appreciate any help.

Thanks,
Dru

Re: Possible Security Incident with a CGI form - Need Help
by tall_man (Parson) on Jan 23, 2003 at 17:41 UTC
    That "0000000A" looks suspicious to me, because that is a newline in hex. I think it's a cross-site scripting attack. There is a reference to information about such attacks on this page. It includes a download reference for a report called "The Ten Most Critical Web Application Security Vulnerabilities."
Re: Possible Security Incident with a CGI form - Need Help
by IlyaM (Parson) on Jan 23, 2003 at 17:31 UTC
Re: Possible Security Incident with a CGI form - Need Help
by BazB (Priest) on Jan 23, 2003 at 17:43 UTC

    I have heard of a large number of requests being made to servers.
    If you go to the site mentioned in the logs, you'll just get an advert.

    Log spam, essentially.


    If the information in this post is inaccurate, or just plain wrong, don't just downvote - please post explaining what's wrong.
    That way everyone learns.

      tall_man,

      I believe you are right, but I believe they were trying this attack against Cold Fusion since that webserver is running Cold Fusion and not PHP. I believe those sites that were in the logs are some form of anonymizer, for them to cover their tracks.

      Thanks again
Re: Possible Security Incident with a CGI form - Need Help
by IlyaM (Parson) on Feb 03, 2003 at 22:59 UTC
    Dru,

    Probably you have resolved this problem on your own already but ... While googling I've noticed in the search results one of the URLs looking surprisingly similar to the URLs you have posted. It was itb.addr.com/cgi-bin/nph-proxy.cgi/111110A/http/www.game-exe.ru/ . I did a quick search for nph-proxy which led me to this website: http://www.jmarshall.com/tools/cgiproxy/.

    I guess somebody installed this CGI proxy on your server and is using it for anonymous surfing.

    --
    Ilya Martynov, ilya@iponweb.net
    CTO IPonWEB (UK) Ltd
    Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
    Personal website - http://martynov.org
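As an added example (not code from the thread or from the CGIProxy project), here is a small log-triage script for the pattern in Dru's entries and the nph-proxy URL IlyaM found. It assumes the relay URLs have the shape `http://<proxy-host>/cgi-bin/nph-<name>.cgi/<one or more opaque segments>/<scheme>/<origin-host>/<path>` and treats segments such as `0000000A` and `06131970` as opaque option fields rather than interpreting them. The sample log lines are constructed for this example, with the thread's URLs placed in the Referer field as an assumption about where they appeared; the script pulls the proxy host, the page actually fetched and the query terms out of each hit so an admin can see which origin pages are being relayed and which relay hosts to consider blocking.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed URL shape (see lead-in):
#   http://<proxy-host>/cgi-bin/nph-<name>.cgi/<opaque>/[<opaque>/...]<scheme>/<origin-host>/<origin-path>
# The opaque segments (e.g. 0000000A, 06131970, 111110A) are kept verbatim, not decoded.
PROXY_RE = re.compile(
    r"^/(?:cgi-bin/)?(?P<script>nph-[\w-]+\.cgi)/"
    r"(?P<opaque>(?:[0-9A-Za-z]+/)+)"
    r"(?P<scheme>https?)/(?P<rest>.*)$"
)

# Any absolute URL in a log line (Referer field, or a full-URL request target).
URL_RE = re.compile(r'https?://[^\s"]+')


def parse_proxy_url(url):
    """Describe a CGI-proxy relay URL, or return None if the URL does not match the pattern."""
    parts = urlsplit(url)
    m = PROXY_RE.match(parts.path)
    if not m:
        return None
    origin_host, _, origin_path = m.group("rest").partition("/")
    origin_url = f"{m.group('scheme')}://{origin_host}/{origin_path}"
    if parts.query:
        origin_url += "?" + parts.query
    return {
        "proxy_host": parts.hostname,          # the relay the admin might block
        "script": m.group("script"),           # e.g. nph-blizzard.cgi, nph-proxy.cgi
        "opaque": tuple(m.group("opaque").strip("/").split("/")),
        "origin_host": origin_host,            # the site actually being fetched
        "origin_url": origin_url,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
    }


def scan_log(text):
    """Return (hits, per-proxy-host counts) for every relay URL found in the log text."""
    hits = []
    for line in text.splitlines():
        for url in URL_RE.findall(line):
            info = parse_proxy_url(url)
            if info:
                hits.append(info)
    return hits, Counter(h["proxy_host"] for h in hits)


# Constructed sample log (combined format); relay URLs are the ones from the thread.
SAMPLE_LOG = """\
66.220.25.153 - - [23/Jan/2003:10:01:02 -0500] "GET /template/search_results.cfm?searchterms=Corona+Networks HTTP/1.0" 200 5120 "http://66.220.25.153/cgi-bin/nph-blizzard.cgi/0000000A/06131970/http/www.acme.com/template/search_results.cfm?searchterms=Corona+Networks" "Mozilla/4.0"
216.127.82.63 - - [23/Jan/2003:10:01:05 -0500] "GET /template/search_results.cfm?searchterms=Factiva HTTP/1.0" 200 4801 "http://216.127.82.63/cgi-bin/nph-blizzard.cgi/0000000A/06131970/http/www.acme.com/template/search_results.cfm?searchterms=Factiva" "Mozilla/4.0"
10.0.0.7 - - [23/Jan/2003:10:01:09 -0500] "GET /index.cfm HTTP/1.1" 200 2210 "http://www.google.com/search?q=acme" "Mozilla/5.0"
208.234.7.90 - - [23/Jan/2003:10:01:12 -0500] "GET /template/search_results.cfm?searchterms=NationsBank HTTP/1.0" 200 4977 "http://208.234.7.90/cgi-bin/nph-blizz.cgi/0000000A/06131970/http/www.acme.com/template/search_results.cfm?searchterms=NationsBank" "Mozilla/4.0"
"""

if __name__ == "__main__":
    hits, counts = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['proxy_host']:16} {h['script']:18} -> {h['origin_url']}")
    print("relay hosts:", dict(counts))
```

Running the script prints one line per relayed request and a tally per relay host; an entry that only points at a normal referer (the Google line) is ignored. The `query` field is decoded with `parse_qs`, so the `+` in `Corona+Networks` comes back as a space.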