From owner-freebsd-hackers Tue Jan 6 17:42:07 1998
Date: Tue, 6 Jan 1998 20:41:13 -0500 (EST)
From: Mike
To: Brian Handy
cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: HTTPD Question
Sender: owner-freebsd-hackers@FreeBSD.ORG

On Tue, 6 Jan 1998, Brian Handy wrote:

> So, when I get something like this in my logs, what do you think it
> means?

It seems to mean someone is attempting to exploit phf on your system. One popular phf "exploit" involves catting the password file to one's browser. This is nothing to worry about if you don't have phf on your system (the error messages you posted said you didn't).

Of course, the same guy that attempted to exploit phf on your system may be trying other things as well...

I would suggest either uncommenting the lines in your access.conf file that forward these requests to http://phf.apache.org or looking into a script that logs these instances, tries to query for information about the attacker and mails the results to root (just search for 'phf' on the web - there are a couple different scripts like this out there).

---
Mike Hoskins                        Kettering University
SEI Data Network Services, Inc.     CS/CE Major Program
mike@seidata.com                    hosk0094@kettering.edu
http://www.seidata.com              http://www.kettering.edu
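
A sketch of the log-watching script suggested in the message above, as an added example that is not part of the original post and is not one of the scripts it refers to. It assumes the server writes Common Log Format; the function names are hypothetical and the sample log lines are constructed (documentation addresses, made-up times). It groups phf requests by client host and marks any that were answered with a status other than 404, which is the case that needs follow-up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

# Constructed sample access-log lines, not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Jan/1998:14:02:11 -0700] "GET /index.html HTTP/1.0" 200 2301
198.51.100.7 - - [06/Jan/1998:14:05:42 -0700] "GET /cgi-bin/phf?constructed=sample HTTP/1.0" 404 162
198.51.100.7 - - [06/Jan/1998:14:05:44 -0700] "GET /cgi-bin/%70hf?constructed=sample HTTP/1.0" 404 162
203.0.113.5 - - [06/Jan/1998:15:10:00 -0700] "GET /docs/phf-advisory.html HTTP/1.0" 200 900
203.0.113.5 - - [06/Jan/1998:15:11:00 -0700] "GET /cgi-bin/phf HTTP/1.0" 200 512
this line is not in common log format
"""

def is_phf_request(request):
    """True when the request path's final component is 'phf' after decoding."""
    parts = request.split()
    if len(parts) < 2:
        return False
    path = unquote(urlsplit(parts[1]).path).lower()
    return path.rstrip("/").rsplit("/", 1)[-1] == "phf"

def find_phf_probes(log_text):
    """Group phf requests by client host: hit count, first/last time, statuses."""
    probes = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "statuses": set()})
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or not is_phf_request(m.group(3)):
            continue  # skip malformed lines and unrelated requests
        host, when, _, status = m.groups()
        rec = probes[host]
        rec["hits"] += 1
        rec["first"] = rec["first"] or when
        rec["last"] = when
        rec["statuses"].add(int(status))
    return dict(probes)

def format_report(probes):
    """Plain-text summary, suitable as the body of a mail to root."""
    lines = []
    for host, rec in sorted(probes.items()):
        served = "SERVED (non-404 status, check for phf on disk)" if rec["statuses"] - {404} else "not found"
        lines.append(f"{host}: {rec['hits']} phf request(s), {rec['first']} .. {rec['last']}, {served}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(find_phf_probes(SAMPLE_LOG)))
```

Matching on the decoded final path component catches percent-encoded spellings of the script name without flagging pages that merely contain "phf" in their file name.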