From owner-freebsd-hackers Wed Jan 7 09:52:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.7/8.8.7) id JAA21343 for hackers-outgoing; Wed, 7 Jan 1998 09:52:20 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from brady.appliedtheory.com (brady.appliedtheory.com [192.77.173.64]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id JAA21302 for ; Wed, 7 Jan 1998 09:52:08 -0800 (PST) (envelope-from brady@brady.appliedtheory.com)
Received: from brady.appliedtheory.com (localhost [127.0.0.1]) by brady.appliedtheory.com (8.8.8/8.8.5) with ESMTP id MAA05147; Wed, 7 Jan 1998 12:53:31 -0500 (EST)
Message-ID: <34B3C117.EC1D3556@brady.appliedtheory.com>
Date: Wed, 07 Jan 1998 12:53:28 -0500
From: Michael Brady
Reply-To: mbrady@appliedtheory.com
Organization: AppliedTheory Communications, Inc.
X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 2.2.5-STABLE i386)
MIME-Version: 1.0
To: Brian Handy
CC: freebsd-hackers@FreeBSD.ORG
Subject: Re: HTTPD Question
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk

Brian Handy wrote:
> So, when I get something like this in my logs, what do you think it means?
>
> ahab.rutgers.edu - - [06/Jan/1998:10:33:18 -0800] "GET
> /cgi-bin/phf?Jserver=x%0auname%20-a%0aid%0aecho%20lamer%0a&Qname=x
> HTTP/1.0" 404 164
>
> And httpd-errors:
>
> [Tue Jan 6 10:33:18 1998] access to /usr/local/www/cgi-bin/phf failed for
> ahab.rutgers.edu, reason: script not found or unable to stat
>
> Running apache-1.2.4, and I don't have any CGI scripts available to run.
> Just wondering out loud if I've got a problem.
>

FYI, you're not alone.
The same prick tried to hit my system too with this old exploit:

ahab.rutgers.edu - - [06/Jan/1998:17:48:52 -0500] "GET /cgi-bin/phf?Jserver=x%0auname%20-a%0aid%0aecho%20lamer%0a&Qname=x HTTP/1.0" 404 154

Jserver=x;uname -a;id;echo lamer; Qname=x

This would have just relayed your system's basic information (type & version) and the server user's info. I guess he got ahold of some list and went nuts.

The machine's IP is 128.6.142.5 and is not online when I checked (pings failed). Hopefully it's because people flooded the bastard.

Anyone else get hit?
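As an added example (not part of the thread), here is a small log checker that does what Michael did by hand: it parses Apache common-log lines, URL-decodes the query string, and reports any /cgi-bin/ request whose parameter value carries an encoded newline (%0a) followed by further text, which is how the old phf attempt smuggled its commands. The sample log lines are constructed for the example, modelled on the entries quoted above; the 404 status is kept in the finding because it shows the script was not there to run.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format, modelled on the
# thread's entries (line 1 is the phf probe, lines 2-3 are benign noise).
SAMPLE_LOG = """\
ahab.rutgers.edu - - [06/Jan/1998:17:48:52 -0500] "GET /cgi-bin/phf?Jserver=x%0auname%20-a%0aid%0aecho%20lamer%0a&Qname=x HTTP/1.0" 404 154
192.0.2.10 - - [06/Jan/1998:17:50:01 -0500] "GET /index.html HTTP/1.0" 200 2048
192.0.2.11 - - [06/Jan/1998:17:51:12 -0500] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 154
"""

# host ident user [timestamp] "METHOD url PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d+) \S+$')


def decode_query(url):
    """Split a request URL into its path and a list of decoded (name, value) pairs."""
    path, _, query = url.partition('?')
    params = []
    for pair in query.split('&'):
        if not pair:
            continue
        name, _, value = pair.partition('=')
        params.append((unquote(name), unquote(value)))
    return path, params


def injected_commands(value):
    """Return the lines smuggled after the first newline in a decoded parameter value.

    In the phf attempt each %0a became a newline that the script passed on to
    the shell, so everything after the first newline is an extra command.
    """
    if '\n' not in value:
        return []
    return [cmd.strip() for cmd in value.split('\n')[1:] if cmd.strip()]


def scan_log(text):
    """Return one finding per CGI request whose parameters carry newline injection."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, params = decode_query(m['url'])
        if not path.startswith('/cgi-bin/'):
            continue
        for name, value in params:
            cmds = injected_commands(value)
            if cmds:
                findings.append({'host': m['host'], 'script': path, 'param': name,
                                 'commands': cmds, 'status': int(m['status'])})
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports a single finding for ahab.rutgers.edu against /cgi-bin/phf with the commands `uname -a`, `id` and `echo lamer` in the Jserver parameter; a 200 status instead of 404 would be the sign the script actually existed on the server.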