From owner-freebsd-isp  Sun Jan 26 20:11:08 1997
Return-Path: <owner-isp>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id UAA15642
          for isp-outgoing; Sun, 26 Jan 1997 20:11:08 -0800 (PST)
Received: from ns.cs.hku.hk ([147.8.178.10])
          by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id UAA15634
          for <freebsd-isp@freebsd.org>; Sun, 26 Jan 1997 20:11:04 -0800 (PST)
Received: from indigo10 (indigo10.cs.hku.hk) by ns.cs.hku.hk  with SMTP id AA03290
	(5.67b/IDA-1.5 for <freebsd-isp@freebsd.org>)
	Mon, 27 Jan 1997 12:10:36 +0800
Received: by indigo10 (940816.SGI.8.6.9/S2.0-irix)
	id MAA25711; Mon, 27 Jan 1997 12:09:57 +0800
Date: Mon, 27 Jan 1997 12:09:57 +0800 (HKT)
From: Doug Kwan ~{9XUq5B~} <ctkwan@cs.hku.hk>
To: Christian Hochhold <expert@dusk.net>
Cc: freebsd-isp@freebsd.org
Subject: Re: possible phf exploit?
In-Reply-To: <199701260743.DAA06284@eternal.dusk.net>
Message-Id: <Pine.SGI.3.91.970127120818.25691A-100000@indigo10>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk



On Sun, 26 Jan 1997, Christian Hochhold wrote:

> Evenin'
> 
> While checking my access logs I came across a few very interesting
> things.. someone trying to get to the passwd file through pfh.
> The logs showed the attempted access as being in the following format:
> 
> /cgi-bin/phf/Q?alias=x%ff/bin/cat%20/etc/passwd
> 

Diasble phf immediately by "chmod a-x phf". Somebody is trying to
get your password file. 

-Doug Kwan
 Dept. of Computer Science
 University of Hong Kong