HP3000-L Archives

May 1997, Week 1

HP3000-L@RAVEN.UTC.EDU

From: Chris Bartram <[log in to unmask]>
Date: Wed, 7 May 1997 19:40:26 -0400

Hello,

  While this is a common trick in the Unix world, there is a program
called 'phf' that is distributed with most every web server distribution
in the world today, and a very commonly known "hack" to get it to return
files (like /etc/passwd on Unix systems) to any user sending a properly
formatted command to the web server over the net.
  While there's no /etc/passwd on a 3000 to worry about, the phf program
is probably still best disabled or removed. It's in the cgi-bin directory
of your web server software.
  If you think people don't know about and try to take advantage of this
trick, here's an excerpt from our server's error log (note these appear
in our error log because we removed the phf program -- if you didn't, you
might want to search your *access* log for evidence of attempted intruders):

/WWW/WWW/ARPA/httpd_1.3/logs>cat error | grep phf
[Sun Mar 23 11:22:39 1997] httpd: access to /cgi-bin/phf?Qname=%0Acat%20/etc/p
swd denied for t6o16p8.telia.com, reason: file not found
[Sun Apr  6 17:37:06 1997] httpd: access to /cgi-bin/phf?Qalias=x%0a/bin/cat%2
etc/passwd denied for wxs7-2.worldaccess.nl, reason: file not found
[Tue Apr  8 15:17:31 1997] httpd: access to /cgi-bin/phf?Qalias=x%0a/bin/cat%2
etc/passwd denied for wxs8-14.worldaccess.nl, reason: file not found
[Thu Apr 17 06:47:50 1997] httpd: access to /cgi-bin/phf?Q=%0aid denied for pc
-slip.ccs-stag.deakin.edu.au, reason: file not found
[Mon Apr 21 15:03:31 1997] httpd: access to /cgi-bin/phf?Qalias=x%0a/bin/cat%2
etc/passwd denied for wxs8-4.worldaccess.nl, reason: file not found
[Wed Apr 23 06:58:00 1997] httpd: access to /cgi-bin/phf?Qname=asd=%0acat%20/e
/passwd denied for wimol2.wimol.ksc.co.th, reason: file not found
[Mon May  5 06:27:41 1997] httpd: access to /cgi-bin/phf?Qalias=x%0a/bin/cat%2
etc/passwd denied for 139.134.243.139, reason: file not found

That's seven dweebs that have tried to get /etc/passwd on our *hp3000* just
since March 23 (when our current log file started).

While I don't know if phf can get to files in other accounts on the 3000(?),
it's still best disabled. Be careful out there.

               -Chris Bartram


______________________/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_
  Chris Bartram        Sales (US):   800 Net-Mail    Fax:+1 703 451-3720
   ______                         +1 703 569-9189    mailto:[log in to unmask]
  /__ |  \__________   Sales (Europe):+44(1480)414131 Fax:+44(1480)414134
 /  / | / ________     Sales (Pacific Rim):+61 3 9489 8216 (same for fax)
|  /_ |<  ______       Tech Support:+1 703 569-9189  Fax:+1 703 451-3720
 \ __)| \ ___          mailto:[log in to unmask]       Me: mailto:[log in to unmask]
  \______/Associates,  6901 Old Keene Mill Rd Suite 500 Springfield VA 22150
_________________Inc._/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_/\_
Gopher: gopher.3k.com   Anon-FTP: ftp.3k.com  WWW: http://www.3k.com/
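
Added example (not part of the original post): a Python version of the access-log search the message suggests, for servers where phf was still installed. It assumes the access log is in NCSA Common Log Format; the sample lines and host names are constructed, and the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) \S+')

def find_phf_requests(lines):
    """Return one dict per request for /cgi-bin/phf found in access-log lines."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        host, when, target, status = m.groups()
        path, _, query = target.partition("?")
        # Decode the path as well, so a percent-encoded script name still matches.
        if unquote(path).lower().rstrip("/") != "/cgi-bin/phf":
            continue
        decoded = unquote(query)
        hits.append({
            "host": host, "time": when, "status": int(status),
            "decoded_query": decoded,
            # An encoded CR/LF inside a parameter is what the quoted probes share.
            "newline_injection": "\n" in decoded or "\r" in decoded,
            # 2xx means the script was present and answered the request.
            "script_ran": status.startswith("2"),
        })
    return hits

def triage(hit):
    """Classify a hit: a 2xx reply to a newline-bearing query needs follow-up."""
    if hit["newline_injection"]:
        return "investigate" if hit["script_ran"] else "probe"
    return "ordinary"

# Constructed sample lines (reserved example host names, not hosts from the post).
SAMPLE_LOG = [
    'probe1.example.net - - [17/Apr/1997:06:47:50 -0400] "GET /cgi-bin/phf?Q=%0aid HTTP/1.0" 404 -',
    'probe2.example.net - - [18/Apr/1997:09:12:03 -0400] "GET /cgi-bin/phf?Qname=x%0Aid HTTP/1.0" 200 112',
    'user.example.org - - [18/Apr/1997:09:15:44 -0400] "GET /index.html HTTP/1.0" 200 2048',
    'user.example.org - - [18/Apr/1997:09:16:01 -0400] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 640',
]

if __name__ == "__main__":
    for h in find_phf_requests(SAMPLE_LOG):
        print(h["time"], h["host"], h["status"], repr(h["decoded_query"]), triage(h))
```

Any line triaged as "investigate" means the script answered a newline-bearing request, so the response size and surrounding requests from that host are worth reviewing.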
