[13152] in bugtraq
AltaVista followup and monitor script
daemon@ATHENA.MIT.EDU (Edward Glowacki)
Thu Dec 30 14:19:09 1999
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.21.9912292256090.46516-100000@key-largo.cl.msu.edu>
Date: Wed, 29 Dec 1999 23:33:22 -0500
Reply-To: glowack2@msu.edu
From: Edward Glowacki <glowack2@KEY-LARGO.CL.MSU.EDU>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
---------- Snippet of forwarded message ----------
have a nice Y2K-BUG
rudicarell@hotmail.com
other infos:
vulnerable: altavista search intranet 2.??
type: Input Validation Error
object: query?
remote: yes
vendor: altavista .. got informed ~3 month ago)
---------- End snippet ---------
Thanks to rudi for the initial post earlier today. I was able to verify
the vulnerability in 2.0b and 2.3a (with the patch) on Digital Unix. I
emailed AltaVista tech support shortly after reading the message to
inquire about a patch to fix this hole; hopefully they'll get one out
soon. At the end of this message is a simple perl script I wrote to watch
the log file and send a short email when someone grabs the mgtstate file.
I can't stop intruders from getting my password, but at least I can have
some idea that my password has escaped.
--
Edward Glowacki glowack2@msu.edu
MSU AltaVista Administrator
Network Services
Michigan State University
#!/bin/perl
#
# Simple perl script to watch your logfile and notify you if someone tries to
# get at mgtstate to grab your AltaVista admin password. Not elegant, but it
# should work. It will check the whole log file from the beginning and
# continue to monitor until interrupted (probably just want to put it in
# the background and let it go). Tested on Digital Unix 4.0D. Use at your
# own risk.
#
# usage: watch logfile email <identifier>
# optional identifier to distinguish different servers if needed

use strict;
use warnings;

# Positional arguments; the identifier is optional.
my ($logfile, $email, $identifier) = @ARGV;
$logfile    = "" unless defined $logfile;
$email      = "" unless defined $email;
$identifier = "" unless defined $identifier;

if ($logfile eq "" || $email eq "") {
    print("Need a logfile and email address, i.e.:\n");
    print("    watch httpd/logs/access_log someone\@somewhere.com\n");
    exit(1);
}

# List-form open runs tail and mailx directly, so the shell never sees
# the file name or address given on the command line.
open(ACCESS, "-|", "/bin/tail", "-f", "-c", "+0", $logfile)
    || die "Can't open tail of log file";

while (<ACCESS>) {
    if (/mgtstate/) {
        # One mail per matching log line.
        if (!open(MAIL, "|-", "/bin/mailx", "-s",
                  "AltaVista intruder: mgtstate access", $email)) {
            warn "Can't run mailx: $!";
            next;
        }
        if ($identifier ne "") {
            print(MAIL "Ident: $identifier\n\n");
        }
        print(MAIL "$_");
        close(MAIL);
    }
}
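
A stricter version of the matching step in the script above, as an added example that is not part of the original post: it decodes percent-escapes before looking for mgtstate and reports the HTTP status, so the alert says whether the file was actually served. It assumes the server writes Common Log Format; the sample lines, addresses and /PLACEHOLDER/ path are constructed, and normalise and classify are hypothetical names.

```perl
#!/usr/bin/perl
# Added example, not from the original post or from AltaVista.
# Assumes Common Log Format: host ident user [time] "request" status bytes
use strict;
use warnings;

# Undo %XX escapes, repeating a few times so double-encoded requests
# are also reduced to plain text, then lower-case for matching.
sub normalise {
    my ($s) = @_;
    for (1 .. 3) {
        (my $d = $s) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        last if $d eq $s;
        $s = $d;
    }
    return lc $s;
}

# Returns nothing for unrelated lines, otherwise a hash describing the hit.
# Lines that mention mgtstate but do not parse are still reported.
sub classify {
    my ($line) = @_;
    return unless normalise($line) =~ /mgtstate/;
    # Pull out client, timestamp and status when the line is well formed.
    my ($host, $time, $status) =
        $line =~ /^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3})\b/;
    return {
        host   => $host   // 'unknown',
        time   => $time   // 'unknown',
        status => $status // 'unknown',
        # A 2xx status means the file was most likely sent to the client.
        served => (!defined $status ? 'unknown' : $status =~ /^2/ ? 'yes' : 'no'),
    };
}

# Constructed log lines (documentation addresses, placeholder path).
my @sample = (
    '192.0.2.10 - - [29/Dec/1999:22:41:07 -0500] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.44 - - [29/Dec/1999:22:43:19 -0500] "GET /PLACEHOLDER/mgtstate HTTP/1.0" 200 512',
    '192.0.2.44 - - [29/Dec/1999:22:43:52 -0500] "GET /PLACEHOLDER/%6Dgtstate HTTP/1.0" 404 -',
    'unparseable line that mentions MGTSTATE',
);
for my $line (@sample) {
    my $hit = classify($line) or next;
    printf "%s %s status=%s served=%s\n", @{$hit}{qw(time host status served)};
}
```

A hit with served=yes is the case where the admin password should be treated as disclosed and changed; served=no still records a probe worth following up.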