[5104] in WWW Security List Archive
Re: What's this ?
daemon@ATHENA.MIT.EDU (Alan)
Wed Apr 16 13:25:27 1997
Date: Wed, 16 Apr 1997 08:28:12 -0700 (PDT)
From: Alan <alano@teleport.com>
To: Chung-Rui Kao <kaoc@hep3.phys.sinica.edu.tw>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199704161239.IAA12076@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
On Wed, 16 Apr 1997, Chung-Rui Kao wrote:
>
> Dear Sir:
>
> What does it mean if you find such messages in your access_log?
> P.S. My httpd is the NCSA version.
>
> ip014.dialup.ntu.edu.tw - - [30/Jan/1997:18:50:58 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 644
> ip010.dialup.ntu.edu.tw - - [01/Feb/1997:10:57:35 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 677
> ogg081-025.resnet.wisc.edu - - [22/Feb/1997:01:21:32 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 681
> 192.192.98.116 - - [27/Mar/1997:19:17:43 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 759
>
> Besides, I hope to know how I can prove whether there is someone who
> tried to hack or had hacked my WWW server? My old httpd was the NCSA
> HTTPd 1.3. As the document on NCSA's official site said, if there are
> control codes in the access then someone is attempting to hack your server.
> There aren't any control codes in my access_log file, but I doubt someone
> hacked my server through the httpd daemon, and I hope someone can help me
> to prove that.
Looks like someone is trying to hack your webserver. Check to see if you
have a program called "phf" in your cgi-bin directory. If you do, delete
it. (It is an interface to the ph command, which you probably do not
have.) They are trying to exploit a well-known bug on your system. I
would have a talk with the admin at ntu.edu.tw and see if you can track
down the luser for further lessons about hacking. (As administered by
their admin and/or local law enforcement.)