From owner-freebsd-isp Sun Jan 26 00:20:25 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id AAA26283 for isp-outgoing; Sun, 26 Jan 1997 00:20:25 -0800 (PST)
Received: from pinky.junction.net (pinky.junction.net [199.166.227.12]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id AAA26278 for ; Sun, 26 Jan 1997 00:20:23 -0800 (PST)
Received: from sidhe.memra.com (sidhe.memra.com [199.166.227.105]) by pinky.junction.net (8.6.12/8.6.12) with ESMTP id AAA22296 for ; Sun, 26 Jan 1997 00:20:22 -0800
Received: from localhost (michael@localhost) by sidhe.memra.com (8.6.12/8.6.12) with SMTP id AAA09870 for ; Sun, 26 Jan 1997 00:17:00 -0800
Date: Sun, 26 Jan 1997 00:16:59 -0800 (PST)
From: Michael Dillon
To: freebsd-isp@FreeBSD.ORG
Subject: Re: possible phf exploit?
In-Reply-To: <199701260743.DAA06284@eternal.dusk.net>
Message-ID:
Organization: Memra Software Inc. - Internet consulting
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-isp@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 26 Jan 1997, Christian Hochhold wrote:

> The logs showed the attempted access as being in the following format:
>
> /cgi-bin/phf/Q?alias=x%ff/bin/cat%20/etc/passwd

How do you think the US Air Force and the US Department of Justice
websites were hacked? Grab the passwd file, run crack, log in and slash
and burn. Good thing FreeBSD uses shadow passwords, eh?

But the spammers use this trick too so just make sure that you delete
the useless phf program from all your servers if it is still there.

Michael Dillon - Internet & ISP Consulting
Memra Software Inc. - Fax: +1-250-546-3049
http://www.memra.com - E-mail: michael@memra.com
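
Added example, not part of the original message: a log check for the request quoted above, reporting which hosts probed for phf and whether the server answered. It assumes Common Log Format access logs; the sample lines, addresses and the names `scan` and `SAMPLE` are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# phf as a path segment: /cgi-bin/phf or /cgi-bin/phf/Q
PHF = re.compile(rb'/phf(?:/|$)', re.IGNORECASE)

# Constructed sample lines (documentation addresses); the request string is
# the one quoted in the thread.
SAMPLE = [
    '192.0.2.10 - - [26/Jan/1997:02:11:07 -0500] '
    '"GET /cgi-bin/phf/Q?alias=x%ff/bin/cat%20/etc/passwd HTTP/1.0" 200 1423',
    '192.0.2.11 - - [26/Jan/1997:02:15:40 -0500] '
    '"GET /cgi-bin/phf/Q?alias=x%ff/bin/cat%20/etc/passwd HTTP/1.0" 404 162',
    '192.0.2.12 - - [26/Jan/1997:02:16:02 -0500] "GET /index.html HTTP/1.0" 200 2048',
]

def scan(lines):
    """Return one dict per logged request that targets a phf script."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess at its layout
        host, when, method, target, status = m.groups()
        # Split before decoding so an escaped '?' stays part of the path.
        path_enc = target.partition('?')[0]
        # Decode to bytes: escapes such as %ff are not valid UTF-8 text.
        if not PHF.search(unquote_to_bytes(path_enc)):
            continue
        hits.append({
            "host": host,
            "time": when,
            "status": int(status),
            # A 200 suggests the script was present and ran: remove it and
            # treat whatever the request asked for as disclosed.
            "served": status == "200",
            "wants_passwd": b"/etc/passwd" in unquote_to_bytes(target),
        })
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Any hit with `served` set to true points at a server where the phf program is still installed.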