[2954] in WWW Security List Archive
Re: 'phf' cgi-bin attack
daemon@ATHENA.MIT.EDU (Ray W. Hiltbrand)
Tue Sep 17 11:40:07 1996
Date: Tue, 17 Sep 1996 08:50:39 -0500
From: "Ray W. Hiltbrand" <Ray.W.Hiltbrand@Eng.Auburn.EDU>
To: Tony Beaumont <beaumoaj@helios.aston.ac.uk>
CC: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Tony Beaumont wrote:
>
> > Many Spanish ISPs are receiving attack attempts on their WWW servers...
> >
> > info26.jet.es - - [04/Sep/1996:03:17:21 +0100] "GET
> > /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -
> > infovia36_bcn.tinet.fut.es - - [04/Sep/1996:08:52:05 +0100] "GET
> > /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> >
> > Obviously attempting to get the passwd file.
>
> Yes, and it works
> /cgi-bin/phf?Qalias=x%0a/bin/ypcat%20passwd
> /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
> return the password file and the output from ypcat.
>
> In general, this seems to be a way of executing commands on the
> server. I guess the commands are executed as 'nobody' but I'll have to
> check that.
It will be executed under the uid the server is running under. So
if the server is configured to run under nobody then that is who
the script will run under.
>
> > Does anyone know what this 'phf' cgi-bin is supposed to be?
>
> The source of phf comes with NCSA Httpd Server v1.5a (and probably with
> other versions too). I'd suggest deleting it from your cgi-bin if you
> have it. I have a copy of the source if anyone wants me to post it to
> the list.
>
> -Tony Beaumont
> Aston university
We ended up replacing the phf script with a script that tried to find
out as much info as possible about the site running the script. Does things like
sfingers, ident, etc. Real nice. We have slammed a few hackers
since putting it into place.
-- Ray
--
Ray W. Hiltbrand Ray.W.Hiltbrand@eng.auburn.edu
Engineering Network Services
Auburn University http://www.eng.auburn.edu/~rayh/rayh.html
If it doesn't do what you want, subclass and override.
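As an added example (not code from the thread or from NCSA), here is a Python check that reads Common Log Format lines like the two quoted above and flags phf requests whose decoded Qalias value carries a newline, which is what turns a directory lookup into a command run under the server's uid. The first two log lines are the ones from the thread; the third is a constructed, benign phf lookup for contrast.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Sample access log: lines 1-2 are the entries quoted in the thread,
# line 3 is a constructed benign phf lookup (no newline in the query).
SAMPLE_LOG = """\
info26.jet.es - - [04/Sep/1996:03:17:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -
infovia36_bcn.tinet.fut.es - - [04/Sep/1996:08:52:05 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
host.example.net - - [04/Sep/1996:09:00:00 +0100] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512
"""

# Common Log Format: host ident authuser [timestamp] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def phf_injection_findings(log_text):
    """Return one finding per request to /cgi-bin/phf whose decoded query
    value contains a newline or carriage return.

    phf passed query values to a shell after an escaping routine that did
    not strip newlines, so everything after an embedded newline ran as a
    separate command.  Decoding the query (so %0a becomes '\\n') is what
    makes the check robust to different percent-encodings of the same thing.
    """
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/cgi-bin/phf":
            continue
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if "\n" not in value and "\r" not in value:
                continue
            # Text after the first newline is what the shell would run.
            injected = re.split(r"[\r\n]+", value, maxsplit=1)[1]
            findings.append({
                "host": m.group("host"),
                "param": key,
                "injected": injected,
                # 404 means phf was not present on that host; a 200 on a
                # request like this is the one to treat as a compromise.
                "status": int(m.group("status")),
            })
    return findings
```

The decoded command text is what you would want in an alert, since the raw log line hides it behind %0a and %20.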