John Summerfield summer at os2.ami.com.au
Mon Jul 6 12:34:26 WST 1998

On Mon, 6 Jul 1998, Matt Kemner wrote:

> On Sun, 5 Jul 1998, John Summerfield wrote:
> > This has just come to my attention:
> > access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:06 +0800] "GET
> > /cgi-bin/phf" 404 -
> > access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:07 +0800] "GET
> > /cgi-bin/test-cgi" 404 -
> > access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:09 +0800] "GET
> > /cgi-bin/handler" 404 -

I know of a site o/s that's also been "approached" in this manner at about
the same time.

> Yeah I've had a large number of accesses myself recently.
> > I gather that there was an exploit involving phf in earlier apaches.
> Yes there was, one allowing people to run any command they want on your
> webserver with the privileges of the user the webserver runs under.
> > I'm about to create a script to run in place of these to prepare me a
> > report I can use to complain to some responsible person at the offending
> > domain.
> Don't reinvent the wheel.. :) use this script (which I've had running on
> my webservers since the original phf bug was reported)

Already done it, and sprung a dialup customer of netcom.com<g>
It runs whois (and a newer version nslookup too) to collect information
about the offending domain.

Mine's running as test-cgi - I'm about to make a couple of symlinks.
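
A log check for the probe pattern in the quoted access_log entries, as an added example that is not part of the original message: it flags any host that requests two or more of the three CGI names within a short window. The 60-second window, the name find_sweeps and the client*.example lines are assumptions made for illustration.

```python
import posixpath
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# CGI names requested in the log excerpt quoted in this thread.
PROBE_PATHS = {"/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler"}

# Common Log Format. Tolerates the "file:" prefix grep adds and a request
# line with no protocol version, both seen in the quoted entries.
CLF = re.compile(
    r'^(?:[^:\s]+:)?(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>[^\s"?]+)[^"]*" \d{3} \S+$')

def find_sweeps(lines, window=timedelta(seconds=60), min_paths=2):
    """Map host -> probe paths, for hosts hitting min_paths of them in one window."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue
        # Undo %-encoding and doubled slashes before comparing.
        path = posixpath.normpath(unquote(m["path"]))
        if path in PROBE_PATHS:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["host"].lower()].append((ts, path))
    sweeps = {}
    for host, events in hits.items():
        events.sort()
        for start, _ in events:
            seen = {p for t, p in events if timedelta(0) <= t - start <= window}
            if len(seen) >= min_paths:
                sweeps[host] = sorted(seen)
                break
    return sweeps

# First three lines are the entries quoted above, re-joined where the mail
# wrapped them; the client*.example lines are constructed for this example.
SAMPLE = [
    'access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:06 +0800] "GET /cgi-bin/phf" 404 -',
    'access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:07 +0800] "GET /cgi-bin/test-cgi" 404 -',
    'access_log.1:aurora.bridges.edu - - [30/Jun/1998:10:33:09 +0800] "GET /cgi-bin/handler" 404 -',
    'client1.example - - [30/Jun/1998:10:40:00 +0800] "GET /index.html HTTP/1.0" 200 1024',
    'client2.example - - [30/Jun/1998:11:00:00 +0800] "GET /cgi-bin/test-cgi HTTP/1.0" 404 -',
    'client2.example - - [30/Jun/1998:15:00:00 +0800] "GET /cgi-bin/phf HTTP/1.0" 404 -',
    'client3.example - - [30/Jun/1998:12:00:01 +0800] "GET /cgi-bin/%70hf HTTP/1.0" 404 -',
    'client3.example - - [30/Jun/1998:12:00:04 +0800] "GET /cgi-bin//handler HTTP/1.0" 404 -',
]
```

Calling find_sweeps(SAMPLE) reports aurora.bridges.edu and client3.example; client2.example is left out because its two requests are hours apart.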

