[5119] in WWW Security List Archive

Re: What's this ?

daemon@ATHENA.MIT.EDU (Michael Brennen)
Wed Apr 16 18:32:23 1997

Date: Wed, 16 Apr 1997 15:02:20 -0500 (CDT)
From: Michael Brennen <mbrennen@fni.com>
To: Chung-Rui Kao <kaoc@hep3.phys.sinica.edu.tw>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199704161208.IAA11470@ns2.rutgers.edu>
Errors-To: owner-www-security@ns2.rutgers.edu


It means someone successfully copied your password file through a very
well known hole in phf.  Remove that program from your cgi-bin directory
immediately, and change all your passwords.

You also need to upgrade to the latest NCSA or Apache httpd immediately.

http://hoohoo.ncsa.uiuc.edu/
http://www.apache.org/

   -- Michael

On Wed, 16 Apr 1997, Chung-Rui Kao wrote:

>     What does it mean ? if you find such messages in your access_log..
>     ps. my httpd is the NCSA version.
> 
> ip014.dialup.ntu.edu.tw - - [30/Jan/1997:18:50:58 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 644
> ip010.dialup.ntu.edu.tw - - [01/Feb/1997:10:57:35 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 677
> ogg081-025.resnet.wisc.edu - - [22/Feb/1997:01:21:32 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 681
> 192.192.98.116 - - [27/Mar/1997:19:17:43 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 759
> 
>     Besides, I hope to know how can I prove whether there is someone who
>     tried to hack or had hacked my WWW server?? My old httpd was the NCSA
>     HTTPd 1.3. As the document in the NCSA's official site, it said there's
>     control codes in the access then there's someone attend to hack your server.
>     There's no any control code in my access_log file, but I doubt someone
>     hacked my server through the httpd daemon, and I hope someone can help me 
>     to prove that.
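
Added example, not part of the original message or the list archive: a Python check that scans Common Log Format lines for phf requests like the ones quoted above. It percent-decodes the query string first, because the newline is stored in the log only in its encoded form (%0a). The function name find_phf_requests and the last two sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request line" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def find_phf_requests(lines):
    """Return a finding for every phf request whose query decodes to a control character."""
    findings = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a CLF line; skipped here, review such lines separately
        path, _, query = m.group("target").partition("?")
        if not unquote(path).lower().endswith("/phf"):
            continue
        decoded = unquote(query)
        # The log stores the newline percent-encoded (%0a), so test the decoded form.
        controls = sorted({hex(ord(c)) for c in decoded if ord(c) < 0x20 or ord(c) == 0x7F})
        if controls:
            findings.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "decoded_query": decoded,
                "control_chars": controls,
                # Status 200: the server answered the request with a body of `size` bytes.
                "answered": m.group("status") == "200",
                "size": m.group("size"),
            })
    return findings

# The first two lines are from the quoted access_log; the last two are constructed for contrast.
SAMPLE = [
    'ip014.dialup.ntu.edu.tw - - [30/Jan/1997:18:50:58 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 644',
    '192.192.98.116 - - [27/Mar/1997:19:17:43 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 759',
    'host.example - - [01/Apr/1997:09:00:00 +0800] "GET /index.html HTTP/1.0" 200 1024',
    'host.example - - [02/Apr/1997:09:00:00 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -',
]

if __name__ == "__main__":
    for f in find_phf_requests(SAMPLE):
        state = "answered" if f["answered"] else "not answered"
        print(f["time"], f["host"], repr(f["decoded_query"]), f["control_chars"], state)
```

Findings with "answered" set are the ones to treat as Michael describes: remove phf and change all passwords.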
