[705] in Intrusion Detection Systems
Re: rootkit and other bits'n'pieces.
daemon@ATHENA.MIT.EDU (Brian Mitchell)
Fri Jul 5 15:30:34 1996
Date: Mon, 1 Jul 1996 19:18:52 -0400 (EDT)
From: Brian Mitchell <brian@saturn.net>
To: ids@uow.edu.au
In-Reply-To: <Pine.SGI.3.91.960626103836.29419B-100000@umbc7.umbc.edu>
Reply-To: ids@uow.edu.au

On Wed, 26 Jun 1996, Paul Danckaert wrote:
>
> On Wed, 26 Jun 1996, Darren Reed wrote:
>
> [ObSecurityNote]
>
> We have seen quite an increase in web-related attacks, specifically
> trying to exploit cgi's with %0a (newline) characters, trying to grab
> password files, and run other commands. I would recommend grep'ing
> through some of your web server logs looking for passwd, %0a, %0A, and
> things like that. Just in the last few weeks these attacks have
> increased to the point of several a week.
>
Are there any other common programs (besides phf) that are linked with
the util.c code that has the newline problem? I thought phf was the main
problem - so a grep of phf is probably more useful (or replace phf with
some perl code that mails you their vital information when it is run).

Brian Mitchell brian@saturn.net
Unix Security / Perl / WWW / CGI http://www.saturn.net/~brian
"I never give them hell. I just tell the truth and they think it's hell"
- H. Truman
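
The log review suggested in this thread, as an added example (not code from either poster): it scans Common Log Format lines for the three indicators named above (encoded newline, passwd, phf) and goes slightly beyond a plain grep by percent-decoding first, so a double-encoded newline such as %250a is also caught. The log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation addresses, hypothetical CGI names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/1996:10:02:11 -0400] "GET /index.html HTTP/1.0" 200 2301',
    '192.0.2.44 - - [01/Jul/1996:10:05:42 -0400] "GET /cgi-bin/phf?q=a%0Ab HTTP/1.0" 200 512',
    '192.0.2.44 - - [01/Jul/1996:10:05:50 -0400] "GET /cgi-bin/lookup?file=/etc/passwd HTTP/1.0" 404 210',
    '192.0.2.77 - - [01/Jul/1996:11:40:03 -0400] "GET /cgi-bin/search?q=x%250ay HTTP/1.0" 200 733',
]

def fully_decode(text, rounds=3):
    """Percent-decode repeatedly so %250a (double-encoded) becomes a newline."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(target):
    """Return the sorted indicator names found in one request target."""
    path = fully_decode(target.split("?", 1)[0])
    decoded = fully_decode(target)
    hits = set()
    if "\n" in decoded:  # %0a / %0A after decoding
        hits.add("newline")
    if "passwd" in decoded.lower():
        hits.add("passwd")
    if path.rstrip("/").rsplit("/", 1)[-1].lower() == "phf":
        hits.add("phf")
    return sorted(hits)

def scan(lines):
    """Return (client, target, status, indicators) for each flagged CLF line."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        hits = classify(m.group(2)) if m else []
        if hits:
            findings.append((m.group(1), m.group(2), m.group(3), hits))
    return findings

if __name__ == "__main__":
    for client, target, status, hits in scan(SAMPLE_LOG):
        print(client, status, ",".join(hits), target)
```

The status field helps with triage: a 404 means the requested script was not present on the server.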