[5106] in WWW Security List Archive
Re: What's this ?
daemon@ATHENA.MIT.EDU (Steff Watkins)
Wed Apr 16 13:27:44 1997
Date: Wed, 16 Apr 1997 16:28:32 +0100 (BST)
From: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
To: www-security@ns2.rutgers.edu
In-Reply-To: <199704161053.GAA09988@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
On Wed, 16 Apr 1997, Chung-Rui Kao wrote:
> Dear Sir:
>
> What does it mean ? if you find such messages in your access_log..
> ps. my httpd is the NCSA version.
>
> ip014.dialup.ntu.edu.tw - - [30/Jan/1997:18:50:58 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 644
> ogg081-025.resnet.wisc.edu - - [22/Feb/1997:01:21:32 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 681
> 192.192.98.116 - - [27/Mar/1997:19:17:43 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 759
Hello,
it means that users on the hosts ip014.dialup.ntu.edu.tw,
ogg081-025.resnet.wisc.edu and 192.192.98.116 did, at the times
mentioned, TRY to get copies of your '/etc/passwd' file.
> Besides, I hope to know how I can prove whether there is someone who
> tried to hack or had hacked my WWW server??
This is proof enough that someone was trying to get your password file.
> There's no control code in my access_log file, but I doubt someone
> hacked my server through the httpd daemon, and I hope someone can help me
> to prove that.
If you do NOT have the 'phf' executable in your 'cgi-bin' directory, then
you're safe. If you do, then panic.
Now, looking at your logfile, it has a '200' completion code at the end
of each line. I have transaction code '200' listed as 'Document follows'
so it looks like someone HAS got a copy of your '/etc/passwd' file!!!
*Try not to sweat too hard!*
Now, this is risky as they now have a copy of your ENCRYPTED passwords
and the corresponding usernames.
Check for accesses from these sites to your system in your 'syslog' or
'messages' file, and also use the 'last' command.
If you haven't been hit yet, then it probably means that the people who
got your password files either A> haven't got Crack, B> you have 'shadow
passwords' and so the password file doesn't actually hold the passwords
themselves or C> were after your password file for 'sport' (Yeah! Right!)
I would suggest that you DELETE/REMOVE/chmod -x the 'phf' file NOW, and
then suggest/enforce that everyone on your system (root included) change
their password immediately. As the password files ripped were between
644 and 759 bytes long, that suggests that you have maximum of 20 users
on that system so it should not be too major a task to complete.
Now I know I'm going to sound like a cracked record, but........ PLEASE,
PLEASE, PLEASE do NOT use the DISTRIBUTED NCSA cgi-bin software as parts
of your service unless you REALLY know what they do! NCSA themselves say
that the distributed cgi-bin software is 'for example use' only (see
http://ncsa.hoohoo.uiuc.edu/docs/setup/ScriptAlias.html if you don't
believe me.. see? I told you!!!)
Do yourself a favour.. and close that door now!!!
Steff
: Steff Watkins, General Computer-type being
: University of Bristol, Clifton, Bristol, BS8 1TH, UK
:
: RFC-822 : Steff.Watkins@bris.ac.uk
: X-400 : /G=Steff/S=Watkins/O=Bristol/PRMD=UK.AC/ADMD= /C=GB/
: HTTP : http://sw.cse.bris.ac.uk/
: Phone: +44 177 9287869 (external) 3046 / 7869 (internal)
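The check Steff describes by hand (spot the phf requests in access_log, look at the completion code and the byte count, then list the hosts to look for in syslog and 'last') can be scripted. The following is an added example for this archive page, not code from Steff's reply or from NCSA: it parses NCSA common-log-format lines, URL-decodes the phf query string so the newline-injected command is visible in the clear, and reports per request which host sent it, what command it tried to run, and whether the server answered 200. The log lines embedded in it are constructed to resemble the ones quoted in the thread (the hostnames, times and sizes are illustrative), and it also recognises commands other than 'cat /etc/passwd', since the same %0a trick works for any command.

```python
import re
from urllib.parse import unquote

# Constructed sample access_log in NCSA common log format.  Lines 1 and 3 mimic
# the probes quoted in the thread; line 2 is ordinary traffic; line 4 is a
# phf probe against a server where phf has been removed (404); line 5 runs a
# different command through the same hole.
SAMPLE_LOG = """\
ip014.dialup.ntu.edu.tw - - [30/Jan/1997:18:50:58 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 644
www.example.net - - [30/Jan/1997:19:02:11 +0800] "GET /index.html HTTP/1.0" 200 2048
192.192.98.116 - - [27/Mar/1997:19:17:43 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 759
ogg081-025.resnet.wisc.edu - - [22/Feb/1997:01:21:32 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
scanner.example.org - - [01/Apr/1997:02:13:09 +0800] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/id HTTP/1.0" 200 120
"""

# host ident authuser [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_clf(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = CLF_RE.match(line.rstrip('\n'))
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    # NCSA logs '-' when no body was sent; treat that as 0 bytes.
    entry['bytes'] = int(entry['bytes']) if entry['bytes'].isdigit() else 0
    return entry


def phf_command(entry):
    """Return the shell command smuggled into a phf request, or None.

    The phf hole: a newline (%0a) inside a query value was passed through to
    popen(), so whatever follows the newline ran as a command on the server.
    """
    path, _, query = entry['url'].partition('?')
    if not path.endswith('/cgi-bin/phf') or not query:
        return None
    decoded = unquote(query)          # %0a -> "\n", %20 -> " "
    if '\n' not in decoded:
        return None                   # ordinary phf lookup, not the exploit
    return decoded.split('\n', 1)[1].strip()


def scan(log_text):
    """Return one record per phf exploitation attempt found in log_text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_clf(line)
        if entry is None:
            continue
        cmd = phf_command(entry)
        if cmd is None:
            continue
        hits.append({
            'host': entry['host'],
            'time': entry['time'],
            'command': cmd,
            'status': entry['status'],
            'bytes': entry['bytes'],
            # 200 with a non-empty body: the server ran phf and returned output,
            # which is what Steff's reply treats as "they got the file".
            'answered': entry['status'] == 200 and entry['bytes'] > 0,
        })
    return hits


def hosts_to_check(hits):
    """Hosts whose probes were answered: the ones to grep for in syslog and 'last' output."""
    return sorted({h['host'] for h in hits if h['answered']})


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for h in found:
        flag = 'ANSWERED' if h['answered'] else 'refused'
        print(f"{h['time']}  {h['host']:28} {h['status']} {h['bytes']:>5}  {flag}  {h['command']}")
    print('check in syslog / last:', ', '.join(hosts_to_check(found)))
```

Run it against a real access_log with `scan(open('/usr/local/etc/httpd/logs/access_log').read())` (path is an assumption; use wherever your NCSA httpd writes its log). The 'refused' entries are still worth keeping: they show who is scanning you even after phf has been removed.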