[plug] Beware hackers
Matt Kemner
zombie at networx.net.au
Mon Jul 6 12:22:02 WST 1998
On Sun, 5 Jul 1998, John Summerfield wrote:
> This has just come to my attention:
> access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:06 +0800] "GET /cgi-bin/phf" 404 -
> access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:07 +0800] "GET /cgi-bin/test-cgi" 404 -
> access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:09 +0800] "GET /cgi-bin/handler" 404 -
Yeah I've had a large number of accesses myself recently.
> I gather that there was an exploit involving phf in earlier apaches.
Yes there was, one allowing people to run any command they want on your
webserver with the privileges of the user the webserver runs under.
> I'm about to create a script to run in place of these to prepare me a
> report I can use to complain to some responsible person at the offending
> domain.
Don't reinvent the wheel.. :) use this script (which I've had running on
my webservers since the original phf bug was reported)
(Just don't forget to change the email address to your own - I don't
really want your emails :)
---------------8<---CUT HERE---8<----------------
#!/usr/bin/perl
# Drop-in replacement for the probed CGI programs (phf, test-cgi, handler):
# mails the request details to the admin, then returns a notice to the client.
# Change the address below to your own.
# (-s goes before the address so every mail(1) flavour reads it as the subject.)
open MAILSOCKET, "|/bin/mail -s phf postmaster\@networx.net.au"
    or warn "cannot run /bin/mail: $!";
print "Content-type: text/html\n\n";
# Request details the web server exports to a CGI script in its environment.
print MAILSOCKET "ident: $ENV{'REMOTE_IDENT'}\n";
print MAILSOCKET "ip address: $ENV{'REMOTE_ADDR'}\n";
print MAILSOCKET "hostname: $ENV{'REMOTE_HOST'}\n";
print MAILSOCKET "query string: $ENV{'QUERY_STRING'}\n";
print MAILSOCKET "script name: $ENV{'SCRIPT_NAME'}\n";
close MAILSOCKET;
# Response shown to the client in place of the real CGI program.
print "<PRE>\n";
print "The PHF feature has been disabled on this server.\n";
print "We have noted down your IP address and hostname and will be\n";
print "taking them to the proper authorities.\n";
print "</PRE>\n";
---------------8<---CUT HERE---8<----------------
If QUERY_STRING contains something along the lines of:
"Qalias=x%0a/bin/cat%20/etc/passwd"
you are well within your rights to send an email to postmaster at the source
domain asking them to lart(1) the perpetrator even if it was only
attempted once.
- Matt Kemner
System Administrator/BOFH
Networx Internet
(08) 9 345 3377

"Words are too feeble, they cannot contain" - Live, "Stage"
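The thread also describes a second approach: scanning the existing access_log for the probes John quoted and turning the hits into a per-host report for an abuse complaint. The following is an added example, not code from the original post or from Networx; it parses Apache common-log lines, flags requests for the three probed /cgi-bin/ programs named in the thread, singles out a phf request whose query string carries an encoded newline (%0a, the pattern Matt describes), and formats the findings per source host. The log text is constructed for the example: the first three lines are the ones quoted in the thread, the rest are made up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache common log format: host ident user [time] "request" status bytes.
# The 1998 lines in the thread are HTTP/0.9 style, so the protocol is optional.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>[^"\s]+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# CGI programs the thread reports being probed for.
PROBED_CGI_PROGRAMS = {"phf", "test-cgi", "handler"}

# Constructed sample log: the first three entries are quoted in the thread,
# the last two are invented for the example (example.net/.org are not real hosts).
CONSTRUCTED_LOG = """\
aurora.bridges.edu - - [30/Jun/1998:10:33:06 +0800] "GET /cgi-bin/phf" 404 -
aurora.bridges.edu - - [30/Jun/1998:10:33:07 +0800] "GET /cgi-bin/test-cgi" 404 -
aurora.bridges.edu - - [30/Jun/1998:10:33:09 +0800] "GET /cgi-bin/handler" 404 -
scanner.example.net - - [30/Jun/1998:11:02:15 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1234
visitor.example.org - - [30/Jun/1998:11:05:00 +0800] "GET /index.html HTTP/1.0" 200 2048
"""


def parse_line(line):
    """Parse one common-log line into a dict, splitting path from query; None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    path, _, query = entry["path"].partition("?")
    entry["path"] = path
    entry["query"] = query
    return entry


def classify(entry):
    """Return a reason string if the request looks like a CGI probe, else None."""
    path = entry["path"]
    if not path.startswith("/cgi-bin/"):
        return None
    prog = path[len("/cgi-bin/"):].split("/", 1)[0]
    # A decoded newline inside the phf query string is the signature Matt mentions.
    if prog == "phf" and "\n" in unquote(entry["query"]):
        return "phf request with newline (%0a) injected into the query string"
    if prog in PROBED_CGI_PROGRAMS:
        return "probe for /cgi-bin/" + prog
    return None


def find_probes(log_text):
    """Group suspicious requests by source host: {host: [(time, path, query, status, reason)]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits[entry["host"]].append(
                (entry["time"], entry["path"], entry["query"], entry["status"], reason)
            )
    return dict(hits)


def abuse_report(hits):
    """Render the findings as plain text suitable for pasting into a complaint."""
    out = []
    for host in sorted(hits):
        out.append("Host: %s (%d suspicious request(s))" % (host, len(hits[host])))
        for time, path, query, status, reason in hits[host]:
            request = path + ("?" + query if query else "")
            out.append("  [%s] %s -> %s: %s" % (time, request, status, reason))
    return "\n".join(out)


if __name__ == "__main__":
    print(abuse_report(find_probes(CONSTRUCTED_LOG)))
```

Run it against a real access_log with `find_probes(open("access_log.1").read())`; ordinary requests such as the index.html line produce no finding, and a 404 on a probed path is still reported, since the request itself is the evidence regardless of whether the program existed.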