Oli Warner

Stop hacking my server!

Saturday, 28 April 2007 rant

Oli gets mad as hackers converge on his server… But the problem is none of them have a brain cell between them. Sigh…

If you run a web server, have you ever wondered what people are trying to do when you notice that your 404 log is jam-packed with requests for dodgy-looking files? They’re looking for known exploitable scripts. Here are some that I’ve had requests for over the past week:

cgi-bin/FormMail.pl
jobs.cgi
events.cgi
media.cgi
newsdesk.cgi
deportes.cgi
newsupdate.cgi
news.cgi
biznews.cgi
app/webeditor/login.cgi
cgi-bin/awstats/awstats.pl
cgi-bin/awstats/awstats.pl
scgi-bin/awstats/awstats.pl
cgi/awstats/awstats.pl
scgi/awstats/awstats.pl
horde/README
horde3/README
horde2/README
horde-3.0.9/README
Horde/README
horde-3.0.5/README
horde-3.0.7/README

Who’s doing this and why?!

Who’s scanning? Script kiddies. In other words, poor excuses for people using other people’s work to try and hack servers so they can use your space, CPU and bandwidth without cost.

Why? Well, chances are these “people” want to use your server to do illegal things. This could be just scanning other servers for similar exploits, but it could also be things like sending spam, hosting copyright-infringing files or even working together with other servers to take down another server (DDoS).

The slightly idiotic thing is this isn’t a Linux server! Most people with Windows servers don’t faff around with Perl and CGI and it should be obvious to anybody with more than one brain cell that when a server writes this in its response header:

Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727

… it’s not a sodding Linux box!
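An added example, not part of the original post: one way to pull this kind of probe traffic out of an IIS log and group it by client. It assumes W3C extended logging with the columns named in the `#Fields` line; the log lines and client addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in IIS W3C extended log format (not from the original post).
# Client addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2007-04-27 03:12:01 192.0.2.10 GET /cgi-bin/FormMail.pl 404
2007-04-27 03:12:02 192.0.2.10 GET /cgi-bin/awstats/awstats.pl 404
2007-04-27 03:12:02 192.0.2.10 GET /horde-3.0.9/README 404
2007-04-27 09:30:44 198.51.100.7 GET /default.aspx 200
2007-04-27 09:31:10 198.51.100.7 GET /images/old-logo.gif 404
2007-04-27 11:05:19 203.0.113.5 GET /news.cgi 404
"""

# Probe signatures modelled on the paths listed in the post: Perl/CGI scripts
# and Horde README files, neither of which an IIS/ASP.NET site would serve.
PROBE = re.compile(r"(\.(cgi|pl)$|/horde[^/]*/readme$)", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def probes_by_client(text, min_hits=2):
    """Map client IP -> sorted probed paths, for clients with >= min_hits distinct 404 probes."""
    hits = defaultdict(set)
    for row in parse_w3c(text):
        if row["sc-status"] == "404" and PROBE.search(row["cs-uri-stem"]):
            hits[row["c-ip"]].add(row["cs-uri-stem"])
    return {ip: sorted(paths) for ip, paths in hits.items() if len(paths) >= min_hits}

if __name__ == "__main__":
    for ip, paths in probes_by_client(SAMPLE_LOG).items():
        print(ip, len(paths), "probe paths:", ", ".join(paths))
```

The ordinary broken link (`/images/old-logo.gif`) is ignored because it matches no probe signature, so a visitor hitting a stale URL is not lumped in with the scanners.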