
to hack, or not to hack ...

Recently one of our machines was hacked.  I'm not sure how many people know
about this hack, but any machine that does not have a shadow password
facility and has a common CGI program called phf is susceptible to attack.

You can use phf to more/grep the etc/passwd file.  The way you can check if
you've been hacked is to grep your log files for phf.  A failed attack will
look like so:

access_log:aksess-gw3-4.ppp.sn.no unknown - [18/Nov/1996:15:10:36 +1100] 
"GET /cgi-bin/phf?Qname=%0Acat%20/etc/passwd HTTP/1.0" 404 -

access_log:aksess-gw3-4.ppp.sn.no unknown - [18/Nov/1996:15:16:04 +1100] 
"GET /cgi-bin/phf?Qname=%0Acat%20/etc/passwd HTTP/1.0" 404 -

A successful attack will look the same without the 404 - at the end of the

just thought you guys would be interested.


- mIcHaEl

  ///\  The Australian Internet Company
  c-00  ISP par Excellence
  \  >  http://www.electric-rain.net/ 		(mine)
  |\_-  http://www.aic.net.au/			(not mine)
  \ /

	   "On the Plains of Hesitation bleach the bones of countless millions who,
	    at the dawn of victory, sat down to wait and waiting died."  
			   	 			-G.W Cecil/Adlai Stevenson.
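
The log check described in the message above, as an added example that is not part of the original post: it parses Common Log Format lines (with or without the `access_log:` prefix that grep adds), picks out requests for `phf`, decodes the query string and sorts them by status code. The first two sample lines are the ones quoted in the message; the other two, the host `host.example.net` and the "investigate" label for any non-404 status are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Common Log Format, with an optional "file:" prefix as left by grep over several files.
LINE_RE = re.compile(
    r'^(?:[^\s:]+:)?(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+$'
)

def phf_hits(lines):
    """Return one dict per logged request whose path ends in /phf."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not a log line we understand
        parts = urlsplit(m["target"])
        if not parts.path.lower().endswith("/phf"):
            continue
        query = unquote(parts.query)      # %0A becomes a newline, %20 a space
        status = int(m["status"])
        hits.append({
            "host": m["host"],
            "time": m["time"],
            "status": status,
            "query": query,
            "newline_in_query": "\n" in query or "\r" in query,
            # The post shows 404 for a failed attempt; any other status is
            # labelled for manual review (assumption of this example).
            "verdict": "failed (404)" if status == 404 else "investigate",
        })
    return hits

REQ = '"GET /cgi-bin/phf?Qname=%0Acat%20/etc/passwd HTTP/1.0"'
SAMPLE = [
    # The two lines quoted in the message, rejoined onto one line each.
    'access_log:aksess-gw3-4.ppp.sn.no unknown - [18/Nov/1996:15:10:36 +1100] ' + REQ + ' 404 -',
    'access_log:aksess-gw3-4.ppp.sn.no unknown - [18/Nov/1996:15:16:04 +1100] ' + REQ + ' 404 -',
    # Constructed lines: an ordinary request and a phf request that did not return 404.
    'host.example.net - - [18/Nov/1996:15:20:00 +1100] "GET /index.html HTTP/1.0" 200 1043',
    'host.example.net - - [18/Nov/1996:15:21:00 +1100] ' + REQ + ' 200 512',
]

if __name__ == "__main__":
    for hit in phf_hits(SAMPLE):
        print(hit["time"], hit["host"], hit["status"], hit["verdict"], repr(hit["query"]))
```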
