If you run a web server, have you ever wondered what people are trying to do when you notice that your 404-log is jam-packed with requests for dodgy-looking files? They’re looking for known exploitable scripts. Here are some that I’ve had requests for over the past week:
cgi-bin/FormMail.pl
jobs.cgi
events.cgi
media.cgi
newsdesk.cgi
deportes.cgi
newsupdate.cgi
news.cgi
biznews.cgi
app/webeditor/login.cgi
cgi-bin/awstats/awstats.pl
cgi-bin/awstats/awstats.pl
scgi-bin/awstats/awstats.pl
cgi/awstats/awstats.pl
scgi/awstats/awstats.pl
horde/README
horde3/README
horde2/README
horde-3.0.9/README
Horde/README
horde-3.0.5/README
horde-3.0.7/README
Who’s doing this and why?!
Who’s scanning? Script kiddies. In other words, poor excuses for people using other people’s work to try and hack servers so they can use your space, CPU and bandwidth without cost.
Why? Well chances are these “people” want to use your server to do illegal things. This could be just scanning other servers for similar exploits but it could also be things like sending spam, hosting copyright-infringing files or even working together with other servers to take down another server (DDoS).
The slightly idiotic thing is this isn’t a Linux server! Most people with Windows servers don’t faff around with Perl and CGI and it should be obvious to anybody with more than one brain cell that when a server writes this in its response header:
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
… it’s not a sodding Linux box!
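To pull this kind of probing out of the logs automatically, here is an added example (not from the original post) that groups 404s for Perl/CGI scripts and Horde README checks by client address. It assumes IIS W3C extended logs with the fields shown; the sample lines, the addresses and the `min_distinct` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns derived from the paths listed in the post: Perl/CGI scripts and
# Horde README version checks, none of which exist on an IIS/ASP.NET site.
PROBE = re.compile(r"(\.(cgi|pl)$)|(/horde[^/]*/readme$)", re.IGNORECASE)

# Constructed sample in IIS W3C extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-01-05 03:12:01 203.0.113.7 GET /cgi-bin/FormMail.pl 404
2008-01-05 03:12:02 203.0.113.7 GET /cgi-bin/awstats/awstats.pl 404
2008-01-05 03:12:03 203.0.113.7 GET /horde-3.0.9/README 404
2008-01-05 09:40:10 198.51.100.23 GET /default.aspx 200
2008-01-05 09:41:55 198.51.100.23 GET /old-page.aspx 404
2008-01-05 11:02:30 192.0.2.44 GET /news.cgi 404
"""

def find_probes(log_text):
    """Return {client_ip: [probed paths]} for 404s that match PROBE."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue                       # skip directives and blank lines
        row = dict(zip(fields, line.split()))
        if row.get("sc-status") == "404" and PROBE.search(row.get("cs-uri-stem", "")):
            hits[row["c-ip"]].append(row["cs-uri-stem"])
    return dict(hits)

def scanners(hits, min_distinct=3):
    """Clients that probed at least min_distinct different paths (assumed threshold)."""
    return sorted(ip for ip, paths in hits.items() if len(set(paths)) >= min_distinct)

if __name__ == "__main__":
    found = find_probes(SAMPLE_LOG)
    for ip, paths in found.items():
        print(ip, len(paths), paths)
    print("likely scanners:", scanners(found))
```

An ordinary broken link such as `/old-page.aspx` is ignored, so what remains is the scripted sweep rather than every 404.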