[plug] Crackers!

John Summerfield summer at os2.ami.com.au
Sun Jul 12 11:03:43 WST 1998


On Sun, 12 Jul 1998, John Summerfield wrote:

> On Sat, 11 Jul 1998, Terry Porter wrote:
> 
> > Hi all,
> > Can anyone shed any light on this log? I disconnected from my isp shortly
> > afterwards. Does it look like an exploit?
> > 
> > Jul  7 12:57:04 gronk tcplogd: port 13384 connection attempt from
> > root at graft.XCF.Berkeley.EDU
> > Jul  7 12:58:01 gronk tcplogd: port 13451 connection attempt from
> > unknown at graft.XCF.Berkeley.EDU
> > Jul  7 12:58:42 gronk tcplogd: port 13557 connection attempt from
> > unknown at graft.XCF.Berkeley.EDU
> 
> What's writing these messages? I've just scanned two systems and don't see
> any messages containing the string "tcplogd."

Now we've clarified that point...

I think it's a preliminary attempt at hacking your computer. I have
discovered two attempts at mine in the past week.

Of the attempts I've noticed, all have accessed three scripts:
phf
test-cgi
handler

Information I have from http://www.rootshell.com/ -
test-cgi
Affected Program: test-cgi scripts found on various web servers.

Severity: Anyone can remotely inventory the files on a machine.

Author: mudge at l0pht.com

Synopsis:

On many web sites there exists a file called test-cgi (usually in
the cgi-bin directory or somewhere similar). There is a problem
with many of these test-cgi files. If your test-cgi file contains
the following line (verbatim) then you are probably vulnerable.

echo QUERY_STRING = $QUERY_STRING
   etc...

handler
/cgi-bin/handler is a small perl program that allows (in theory)
reading and downloading files under the system's root directory.
In fact it allows you to execute any command remotely
on the target machine.

Here's how it works:
"handler" reads PATH_INFO from the environment and then concatenates it
with a default "root directory" (let's say /var/www/htdocs). It then runs
a "validity check" on the result. But it only checks for ".." not for
other potential offensive special chars.
It then uses "open (INPUT, $doc)" where $doc is the result of the
concatenation.
If you're familiar with PERL you know that if a '|' character follows the
filename, perl will treat that filename as a command. It runs it and gives
you STDOUT.
The way to exploit this "feature" for cgi-bin/handler is:

telnet target.machine.com 80
GET /cgi-bin/handler/useless_shit;cat   /etc/passwd|?data=Download
HTTP/1.0


rootshell didn't have anything on phf. However, their search of external
sites revealed:
phf
 Bugtraq archives for 3rd quarter (Jul-Sep) 1996: PHF Attacks - Fun a (p1
of 4
 Recently I have seen quite an upswing in attacks against web servers,
with people trying to exploit various CGI binaries, including Phf.  Phf has a
known vulnerability that is being widely exploited in how it handles
certain escaped arguments.

 To let me know of attacks on sites via this vulnerability, I installed
the following script on our web servers. I don't run phf on our systems,
so there is no problem of interrupting normal activity.  The script simply
looks like the original PHF program, however it mails the security person
whenever connections or probes are received.
....

Do not suppose that having a $40/month dialup account exempts you from
attention: I've heard of dialup accounts being used as mail relays and of
US IAPs who send their clients rude messages if they have relaying
enabled.

btw rootshell has a documented exploit for the 2.0.34 kernel - I suggest
all spend some time checking the site out.

Cheers
John Summerfield
http://os2.ami.com.au/os2/ for OS/2 support.
Configuration, networking, combined IBM ftpsites index.
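Added example, not code from the post or from rootshell: a small Python checker, in the spirit of the phf alerting script mentioned above, that scans web-server access-log lines for probes of the three CGIs named in the post (phf, test-cgi, handler), flags the escaped-newline and pipe/semicolon signatures the advisories describe, and counts hits per source host. The log lines and addresses are constructed and assume Common Log Format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jul/1998:12:57:10 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 212
203.0.113.7 - - [07/Jul/1998:12:58:01 +0800] "GET /cgi-bin/test-cgi?* HTTP/1.0" 404 212
203.0.113.7 - - [07/Jul/1998:12:58:42 +0800] "GET /cgi-bin/handler/x;cat%20/etc/passwd|?data=Download HTTP/1.0" 404 212
198.51.100.9 - - [07/Jul/1998:13:02:11 +0800] "GET /index.html HTTP/1.0" 200 1043
198.51.100.9 - - [07/Jul/1998:13:02:12 +0800] "GET /cgi-bin/guestbook.pl HTTP/1.0" 200 540
"""

# The three CGI programs the post says every probe touched.
PROBED_CGIS = ("phf", "test-cgi", "handler")

LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)')


def classify(url):
    """Return a reason string if the request URL looks like a CGI probe, else None."""
    path, _, query = url.partition("?")
    if "/cgi-bin/" not in path:
        return None
    rest = path.split("/cgi-bin/", 1)[1]          # e.g. "handler/x;cat%20/etc/passwd|"
    script, _, path_info = rest.partition("/")    # script name and its PATH_INFO
    if script not in PROBED_CGIS:
        return None
    decoded = unquote(path_info + "?" + query)    # undo %xx escaping before matching
    # handler: a '|' or ';' in PATH_INFO is what turns a 2-arg Perl open() into a command
    if script == "handler" and re.search(r"[|;]", decoded):
        return "handler: shell metacharacter in PATH_INFO (pipe-open abuse)"
    # phf: the known bug is an escaped newline (%0a) smuggled into an argument
    if script == "phf" and "\n" in decoded:
        return "phf: escaped newline in argument"
    return f"{script}: probe of known-vulnerable CGI"


def scan(log_text):
    """Return ([(host, reason), ...], Counter of probe hits per source host)."""
    hits, per_host = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["url"])
        if reason:
            hits.append((m["host"], reason))
            per_host[m["host"]] += 1
    return hits, per_host


if __name__ == "__main__":
    for host, reason in scan(SAMPLE_LOG)[0]:
        print(f"{host}: {reason}")
```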