Date:      Mon, 21 Sep 1998 09:17:44 +0100 (BST)
From:      Jay Tribick <netadmin@fastnet.co.uk>
To:        "Eric J. Schwertfeger" <ejs@bfd.com>
Cc:        Brett Glass <brett@lariat.org>, security@FreeBSD.ORG
Subject:   Re: Bogus hits on our Web server
Message-ID:  <Pine.BSF.3.96.980921091437.5960C-100000@bofh.fast.net.uk>
In-Reply-To: <Pine.BSF.4.01.9809202151170.8446-100000@harlie.bfd.com>

| > We've gotten several spates of Web log entries like the following:
| > 
| > 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
| > 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
| > 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
| 
| I've got our web server emailing me every time a 404 pops up on the
| assumption that our site, or one of the sites we host, has a broken link.
| The blind stab at /cgi-bin/phf has been happening for a very long time,
| though it has suddenly become more popular.  The other two I hadn't seen
| much of until recently.
| 
| I definitely suspect script-kiddies, enough that I want to set those to
| pop up a page saying "Just what do you expect to find here?"  Or at least
| dump all the parameters.  Hmmmm.....

The phf problem is quite an old exploit - all it does (AFAIR) is
dump a list of current environment variables as an HTML page.

The exploit was basically that it didn't do any sanity-checking[1] 
on the variables so a cracker could do, for example:

http://yourowned.com/cgi-bin/test-cgi?ohdear=`cat /etc/passwd`

[1]	probably not the right word, but who cares.. it's Monday :)

More info is in the httpd.conf file, thus:

# This controls which options the .htaccess files in directories can
# script on phf.apache.org.  Or, you can record them yourself, using the
# script support/phf_abuse_log.cgi.

#<Location /cgi-bin/phf*>
#deny from all
#ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#</Location>

Regards,

Jay Tribick <netadmin@fastnet.co.uk>
--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[|   +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk   |]
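As an added example (not code from the thread or from Apache), here is a small Python detector that parses access-log lines like the ones quoted above, picks out requests for the three probed CGI paths, and groups them per source address so that a burst of probes from one host stands out from an ordinary broken link that a plain 404 alert would also fire on. The log lines are constructed sample data modelled on the quoted entries.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in Apache common log format (not from a real server).
SAMPLE_LOG = """\
62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
10.0.0.7 - - [20/Sep/1998:11:02:05 -0600] "GET /index.html HTTP/1.0" 200 2345
10.0.0.9 - - [20/Sep/1998:11:05:41 -0600] "GET /oldpage.html HTTP/1.0" 404 -
"""

# The CGI paths the thread identifies as blind probes for old, known-bad scripts.
PROBED_CGIS = ("/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler")

# Common log format; the request may or may not carry an HTTP version.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>[^\s"]+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Drop any query string so "/cgi-bin/phf?..." still matches the base path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_cgi_probes(log_text, window_seconds=60):
    """Return {ip: {"paths", "span_s", "scan"}} for hosts that hit probed CGIs.

    "scan" is True when one host requested two or more distinct probed paths
    within window_seconds, the pattern of an automated sweep.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in PROBED_CGIS:
            hits[rec["ip"]].append(rec)
    report = {}
    for ip, recs in hits.items():
        times = [r["ts"] for r in recs]
        span = (max(times) - min(times)).total_seconds()
        paths = sorted({r["path"] for r in recs})
        report[ip] = {"paths": paths, "span_s": span,
                      "scan": len(paths) >= 2 and span <= window_seconds}
    return report
```

Feeding a real access log through `find_cgi_probes` instead of mailing every 404 turns the "is this a broken link or a probe?" question into a per-host verdict.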