[plug] Beware hackers

Matt Kemner zombie at networx.net.au
Mon Jul 6 12:22:02 WST 1998


On Sun, 5 Jul 1998, John Summerfield wrote:

> This has just come to my attention:
> access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:06 +0800] "GET
> /cgi-bin/phf" 404 -
> access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:07 +0800] "GET
> /cgi-bin/test-cgi" 404 -
> access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:09 +0800] "GET
> /cgi-bin/handler" 404 -

Yeah I've had a large number of accesses myself recently.

> I gather that there was an exploit involving phf in earlier apaches.

Yes there was, one allowing people to run any command they want on your
webserver with the privileges of the user the webserver runs under.

> I'm about to create a script to run in place of these to prepare me a
> report I can use to complain to some responsible person at the offending
> domain.

Don't reinvent the wheel.. :) Use this script (which I've had running on
my webservers since the original phf bug was reported).

(Just don't forget to change the email address to your own - I don't
really want your emails :)

---------------8<---CUT HERE---8<----------------
#!/usr/bin/perl
# Decoy CGI: installed in place of phf (or the other probed scripts) it mails
# the details of each probe to the address below and shows the prober a notice.
use strict;
use warnings;

# Change this to your own address before installing.
my $report_to = 'postmaster@networx.net.au';

print "Content-type: text/html\n\n";

# mail(1) expects its options before the recipient; the list form of open
# hands the arguments to /bin/mail directly, with no shell in between.
open(my $mail, '|-', '/bin/mail', '-s', 'phf', $report_to)
    or die "cannot run /bin/mail: $!";
sub env { defined $ENV{$_[0]} ? $ENV{$_[0]} : '' }   # unset CGI variables print as empty
print $mail "ident:          ", env('REMOTE_IDENT'), "\n";
print $mail "ip address:     ", env('REMOTE_ADDR'),  "\n";
print $mail "hostname:       ", env('REMOTE_HOST'),  "\n";
print $mail "query string:   ", env('QUERY_STRING'), "\n";
print $mail "script name:    ", env('SCRIPT_NAME'),  "\n";
close($mail) or warn "mail exited with status $?\n";

print "<PRE>\n";
print "The PHF feature has been disabled on this server.\n";
print "We have noted down your IP address and hostname and will be\n";
print "taking them to the proper authorities.\n";
print "</PRE>\n";
---------------8<---CUT HERE---8<----------------

If "QUERY_STRING" contains something along the lines of:
"Qalias=x%0a/bin/cat%20/etc/passwd"
you are well within your rights to send an email to postmaster at the source
domain asking them to lart(1) the perpetrator even if it was only
attempted once.

 - Matt Kemner
System Administrator/BOFH        "Words are too feeble,
Networx Internet                  they cannot contain"
(08) 9 345 3377                   Live, "Stage"
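As an added example (not part of the post or Matt's script), a small scanner that does the log-side half of John's report: it walks Common Log Format lines like the ones quoted above, picks out requests for the three probed CGI programs, and separates a bare probe (a 404 on the path) from an attempt that carries the %0a newline Matt describes, which is what the phf bug passed on to a shell. The log lines are constructed; the "example.invalid" host and its times are made up.

```python
import re
from urllib.parse import unquote

# Common Log Format, matching the access_log lines quoted in the thread.
# The request line may lack an HTTP version (HTTP/0.9 style), so it is optional.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>[^"\s]+)(?: [^"\s]+)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# The CGI programs the quoted log shows being probed.
PROBED_CGIS = {"/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler"}


def classify(line):
    """Return (host, path, verdict) for a request to a probed CGI, else None.

    verdict is 'probe' when only the path is requested, and 'exploit-attempt'
    when the URL-decoded query string contains a newline, the phf signature
    (e.g. Qalias=x%0a...), regardless of the status code the server returned.
    """
    m = CLF.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path not in PROBED_CGIS:
        return None
    verdict = "exploit-attempt" if "\n" in unquote(query) else "probe"
    return (m.group("host"), path, verdict)


def scan(lines):
    """Findings for every suspicious line, in log order."""
    return [hit for hit in (classify(line) for line in lines) if hit]


# Constructed sample log: the three probes from the post, one request shaped
# like the query string Matt describes, and one ordinary page fetch.
SAMPLE_LOG = [
    'aurora.bridges.edu - - [30/Jun/1998:10:33:06 +0800] "GET /cgi-bin/phf" 404 -',
    'aurora.bridges.edu - - [30/Jun/1998:10:33:07 +0800] "GET /cgi-bin/test-cgi" 404 -',
    'aurora.bridges.edu - - [30/Jun/1998:10:33:09 +0800] "GET /cgi-bin/handler" 404 -',
    'example.invalid - - [30/Jun/1998:11:02:15 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 512',
    'example.invalid - - [30/Jun/1998:11:03:00 +0800] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for host, path, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:16} {host:24} {path}")
```

Feed it `grep cgi-bin access_log*` output and the 'exploit-attempt' lines are the ones worth the postmaster email; the 'probe' lines tell you which scripts are being looked for.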