Koji probes
I've been seeing stuff like this in my web server logs:
A total of 3 sites probed the server
    66.249.71.77
    66.249.71.78
    66.249.71.79

A total of 6 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):

    /koji/fileinfo?rpmID=866&filename=/usr/kerberos/bin/kpasswd HTTP Response 200
    /koji/fileinfo?rpmID=1356&filename=/usr/bin/ldappasswd HTTP Response 200
    /koji/fileinfo?rpmID=1954&filename=/usr/bin/vncpasswd HTTP Response 200
    /koji/fileinfo?rpmID=3570&filename=/usr/bin/vncpasswd HTTP Response 200
    /koji/fileinfo?rpmID=3107&filename=/usr/bin/ldappasswd HTTP Response 200
    /koji/fileinfo?rpmID=2686&filename=/usr/kerberos/bin/kpasswd HTTP Response 200

So, I guess it's nice to know that koji is important enough that people are writing probes to try and ferret out information, but on the other hand, people are writing probes for it to try and ferret out information...

--
Doug Ledford <dledford@redhat.com>
GPG KeyID: CFBFF194
http://people.redhat.com/dledford
Infiniband specific RPMs available at http://people.redhat.com/dledford/Infiniband

--
Fedora-buildsys-list mailing list
Fedora-buildsys-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-buildsys-list
On Mon, 20 Oct 2008, Doug Ledford wrote:
> So, I guess it's nice to know that koji is important enough that people
> are writing probes to try and ferret out information, but on the other
> hand, people are writing probes for it to try and ferret out
> information...

This looks more like automated probing for everything with the word passwd in it... Seen these for years at other systems, not much to worry about.

regards,
 andreas
Andreas Thienemann wrote:
> On Mon, 20 Oct 2008, Doug Ledford wrote:
>> So, I guess it's nice to know that koji is important enough that people
>> are writing probes to try and ferret out information, but on the other
>> hand, people are writing probes for it to try and ferret out
>> information...
>
> This looks more like automated probing for everything with the word passwd in it... Seen these for years at other systems, not much to worry about.

Copy that. I've seen the same on various webservers here....

-of
Doug Ledford wrote:
> A total of 3 sites probed the server
>     66.249.71.77
>     66.249.71.78
>     66.249.71.79

These reverse map to googlebot.com.

> A total of 6 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
>
>     /koji/fileinfo?rpmID=866&filename=/usr/kerberos/bin/kpasswd HTTP Response 200
>     /koji/fileinfo?rpmID=1356&filename=/usr/bin/ldappasswd HTTP Response 200
>     /koji/fileinfo?rpmID=1954&filename=/usr/bin/vncpasswd HTTP Response 200
>     /koji/fileinfo?rpmID=3570&filename=/usr/bin/vncpasswd HTTP Response 200
>     /koji/fileinfo?rpmID=3107&filename=/usr/bin/ldappasswd HTTP Response 200
>     /koji/fileinfo?rpmID=2686&filename=/usr/kerberos/bin/kpasswd HTTP Response 200

These links are all reachable via the web ui, any crawler might hit them. I suggest adding a robots.txt to keep crawlers out.
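An added example, not part of the thread and not Koji code: a Python triage of the report quoted above that shows which query parameter carries the match, checks a client address by forward-confirmed reverse DNS, and tests a candidate robots.txt against the flagged URLs. It assumes the log scanner's matched string is "passwd" (as suggested earlier in the thread); the robots.txt policy, the DNS answers in SAMPLE_PTR and SAMPLE_FWD, and the 203.0.113.9 entry are constructed for illustration.

```python
import socket
from urllib.parse import urlsplit, parse_qs
from urllib.robotparser import RobotFileParser

# URLs and client addresses copied from the report quoted in the thread.
FLAGGED = [
    "/koji/fileinfo?rpmID=866&filename=/usr/kerberos/bin/kpasswd",
    "/koji/fileinfo?rpmID=1356&filename=/usr/bin/ldappasswd",
    "/koji/fileinfo?rpmID=1954&filename=/usr/bin/vncpasswd",
    "/koji/fileinfo?rpmID=3570&filename=/usr/bin/vncpasswd",
    "/koji/fileinfo?rpmID=3107&filename=/usr/bin/ldappasswd",
    "/koji/fileinfo?rpmID=2686&filename=/usr/kerberos/bin/kpasswd",
]
CLIENTS = ["66.249.71.77", "66.249.71.78", "66.249.71.79"]
# Assumed policy (not from the thread): keep every crawler out of /koji/.
ROBOTS_TXT = "User-agent: *\nDisallow: /koji/\n"
# Constructed DNS answers so the checks run offline; hostnames are illustrative.
SAMPLE_PTR = {ip: "crawl-%s.googlebot.com" % ip.replace(".", "-") for ip in CLIENTS}
SAMPLE_FWD = {host: [ip] for ip, host in SAMPLE_PTR.items()}
# Constructed spoof: a PTR name under googlebot.com with no forward record.
SAMPLE_PTR["203.0.113.9"] = "crawl-203-0-113-9.googlebot.com"

def match_location(url, needle="passwd"):
    """Return (path, names of query parameters whose value contains needle)."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    return parts.path, sorted(k for k, vs in params.items() if any(needle in v for v in vs))

def is_verified_crawler(ip, ptr_lookup, fwd_lookup, domain=".googlebot.com"):
    """Forward-confirmed reverse DNS: PTR name is in domain and resolves back to ip."""
    try:
        host = ptr_lookup(ip)
        return host.endswith(domain) and ip in fwd_lookup(host)
    except OSError:  # socket.herror / socket.gaierror from the live resolvers
        return False

# Live resolvers for use against real logs (not exercised by the offline demo).
live_ptr = lambda ip: socket.gethostbyaddr(ip)[0]
live_fwd = lambda host: socket.gethostbyname_ex(host)[2]

def blocked_by_robots(url, agent="Googlebot", robots=ROBOTS_TXT):
    parser = RobotFileParser()
    parser.parse(robots.splitlines())
    return not parser.can_fetch(agent, url)  # True if the agent is told to stay out

if __name__ == "__main__":
    ptr, fwd = (lambda ip: SAMPLE_PTR.get(ip, "")), (lambda h: SAMPLE_FWD.get(h, []))
    print([(match_location(u), blocked_by_robots(u)) for u in FLAGGED])
    print({ip: is_verified_crawler(ip, ptr, fwd) for ip in SAMPLE_PTR})
```

robots.txt only affects crawlers that honour it, so the reverse-DNS check is what separates a real crawler from a client that merely claims to be one.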
On Mon, Oct 20, 2008 at 12:13:23 -0400,
Mike McLean <mikem@redhat.com> wrote:
>
> These links are all reachable via the web ui, any crawler might hit
> them. I suggest adding a robots.txt to keep crawlers out.

Or meta tags directed at robots. Doing things that way has some advantages over robots.txt.