[716] in Intrusion Detection Systems
Summary on the phf web server hack.
daemon@ATHENA.MIT.EDU (adamsb@un.org)
Tue Jul 16 23:51:54 1996
From: adamsb@un.org
Date: Mon, 15 Jul 96 11:26:06 EST
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
This posting is a summary for people like myself who know they will
never be rocket scientists. Unix Wizards can safely ignore it.
Based on postings on this list and on the firewalls list, there is a frequently
exploited hole in some WWW server installations. A script is being
used by hackers that calls the phf program, which came with some
CGI application gateways, to steal a copy of the server's password file.
Log on at the system console as root and change to the directory that
holds the web server's access logs, something like

    cd /users/inet/admin

and type

    egrep "passwd|\%0a|\%0A" *access

then wait for a while.
If you have been attacked, a response something like the following
will be returned:

    960412access:198.69.26.81 - - [12/Apr/1996:04:24:42 -0400]
    "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
    slip50.genstar.net - - [02/Jul/1996:16:46:55 -0700]
    "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 27121
The last field of each line is the number of bytes transmitted. The
field before it is the HTTP status code the server returned for the
request.
A status code in the 200 range shows the hack worked.
A status code in the 400 range shows the hack failed.
In the examples shown above, the first attempt failed (404 207).
The second attempt worked and the password file was transmitted
(200 27121).
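The egrep above and the status-code reading that follows it can be folded into one small checker. The script below is an added example, not part of the original post: it parses Common Log Format lines, flags phf requests whose query string carries an encoded newline (%0a or %0A, the shell-injection trick the post describes), and labels each hit by whether the status code was in the 200 range (password file sent) or the 400 range (attempt refused). The log lines are constructed for the example and use documentation addresses, not real hosts; the regular expression, function names and the "outcome" labels are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample access log, modelled on the two lines quoted in the post.
# Hosts are documentation addresses (RFC 5737), not real attackers.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Apr/1996:04:24:42 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207
203.0.113.9 - - [02/Jul/1996:16:46:55 -0700] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 27121
203.0.113.9 - - [02/Jul/1996:16:47:10 -0700] "GET /cgi-bin/phf?Qalias=jdoe HTTP/1.0" 200 1189
192.0.2.4 - - [03/Jul/1996:09:01:00 -0700] "GET /index.html HTTP/1.0" 200 3017
"""

# Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_clf(line):
    """Split one access-log line into its fields; return None if it is not CLF."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = rec["request"].split()          # "GET /path HTTP/1.0"
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec


def is_phf_injection(path):
    """True when a phf request smuggles a newline into its query string.

    Decoding once means %0a, %0A and a literal newline are all caught,
    which is what the post's egrep on "%0a|%0A" is trying to do by hand.
    """
    decoded = unquote(path)
    return "/cgi-bin/phf" in decoded and "\n" in decoded


def classify(rec):
    """Read the status code the way the post does: 2xx worked, 4xx failed."""
    if 200 <= rec["status"] < 300:
        return "succeeded"
    if 400 <= rec["status"] < 500:
        return "failed"
    return "other"


def find_phf_attempts(log_text):
    """Return one record per phf newline-injection attempt found in the log."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_phf_injection(rec["path"]):
            hits.append({
                "host": rec["host"],
                "time": rec["time"],
                "status": rec["status"],
                "bytes": rec["bytes"],
                "outcome": classify(rec),
            })
    return hits


if __name__ == "__main__":
    for hit in find_phf_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["host"]} phf attempt {hit["outcome"]} '
              f'(status {hit["status"]}, {hit["bytes"]} bytes)')
```

Run against the sample it reports two attempts: the first failed (404, 207 bytes, an error page) and the second succeeded (200, 27121 bytes, about the size of a real password file). The third line, a plain phf lookup with no newline in the query, is not flagged, so this check is narrower than the post's egrep, which would also match any request mentioning "passwd"; add that substring test if you want the same breadth.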
Hog Farmer
Tropical Hog Improvement Programme
(If anyone knows of a rustler proof hog-pen, please let me know)