From owner-freebsd-security Mon Sep 21 01:18:26 1998
Date: Mon, 21 Sep 1998 09:17:44 +0100 (BST)
From: Jay Tribick
To: "Eric J. Schwertfeger"
cc: Brett Glass, security@FreeBSD.ORG
Subject: Re: Bogus hits on our Web server

| > We've gotten several spates of Web log entries like the following:
| >
| > 62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
| > 62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
| > 62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
|
| I've got our web server emailing me every time a 404 pops up on the
| assumption that our site, or one of the sites we host, has a broken link.
| The blind stab at /cgi-bin/phf has been happening for a very long time,
| though it has suddenly become more popular. The other two I hadn't seen
| much of until recently.
|
| I definitely suspect script-kiddies, enough that I want to set those to
| pop up a page saying "Just what do you expect to find here?" Or at least
| dump all the parameters.

Hmmmm..... The phf problem is quite an old exploit - all it does (AFAIR) is
dump a list of current environment variables as an HTML page. The exploit was
basically that it didn't do any sanity-checking[1] on the variables, so a
cracker could do, for example:

http://yourowned.com/cgi-bin/test-cgi?ohdear=`cat /etc/passwd`

[1] probably not the right word, but who cares.. it's Monday :)

More info is in the httpd.conf file, thus:

# This controls which options the .htaccess files in directories can
# script on phf.apache.org. Or, you can record them yourself, using the
# script support/phf_abuse_log.cgi.
#
#deny from all
#ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
#

Regards,

Jay Tribick
--
[| Network Admin | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact info & PGP PubKey |]
[| +44 (0)1273 T: 677633 F: 621631 e: netadmin@fast.net.uk |]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
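An added example, not part of the thread: a small Python log scanner that does what Eric describes (spot the /cgi-bin/phf, test-cgi and handler probes in the access log) but aggregated per client instead of one mail per 404, and that also flags the shell-metacharacter pattern Jay describes by inspecting the URL-decoded query string. The sample log is constructed from the three quoted lines plus two invented ones; PROBED_PATHS, SHELL_META and the function names are this example's own choices.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample: the three lines quoted in the thread plus two made-up
# ones (a normal hit, and an encoded-backtick probe that the CGI answered 200).
SAMPLE_LOG = """\
62.8.15.131 unknown - [20/Sep/1998:10:43:16 -0600] "GET /cgi-bin/phf" 404 -
62.8.15.131 unknown - [20/Sep/1998:10:43:17 -0600] "GET /cgi-bin/test-cgi" 404 -
62.8.15.131 unknown - [20/Sep/1998:10:43:18 -0600] "GET /cgi-bin/handler" 404 -
10.0.0.7 unknown - [20/Sep/1998:11:02:00 -0600] "GET /index.html HTTP/1.0" 200 1024
10.0.0.9 unknown - [20/Sep/1998:11:05:41 -0600] "GET /cgi-bin/test-cgi?q=%60id%60 HTTP/1.0" 200 512
"""

# Common Log Format; the HTTP version is optional because the quoted lines have none.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<uri>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+')

PROBED_PATHS = {"/cgi-bin/phf", "/cgi-bin/test-cgi", "/cgi-bin/handler"}
SHELL_META = "`;|"  # characters a CGI must never hand to a shell unchecked

def parse_line(line):
    """Split one CLF line into fields; None if it does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, query = rec["uri"].partition("?")
    rec["query"] = unquote(query)  # inspect the decoded query, not the raw one
    rec["status"] = int(rec["status"])
    return rec

def classify(rec):
    """Reasons this request looks like a CGI probe (empty list if none)."""
    reasons = []
    if rec["path"] in PROBED_PATHS:
        reasons.append("probe:" + rec["path"])
    if any(c in rec["query"] for c in SHELL_META):
        reasons.append("shell-metachar-in-query")
    return reasons

def report(log_text):
    """Client IP -> [(timestamp, status, reason), ...]; status is kept because
    a 200 on a probed path matters more than a 404."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        for reason in classify(rec) if rec else []:
            hits[rec["ip"]].append((rec["ts"], rec["status"], reason))
    return dict(hits)
```

report(SAMPLE_LOG) returns two clients: 62.8.15.131 with three probe entries (all 404) and 10.0.0.9 with a probe entry plus the metacharacter flag, both with status 200.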