HP3000-L Archives

May 1997, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Mark Bixby <[log in to unmask]>
Date: Mon, 12 May 1997 14:07:55 -0700

Chris Bartram writes:
>   While this is a common trick in the Unix world, there is a program
> called 'phf' that is distributed with most every web server distribution
> in the world today, and a very commonly known "hack" to get it to return
> files (like /etc/passwd on Unix systems) to any user sending a properly
> formatted command to the web server over the net.

Apache/iX does *not* include phf.

Because I see these phf attempts against my own systems several times per
week, I wrote a cute little Perl CGI script to trap these requests, send me
an e-mail that lists all identifying environment information about the
attacker, and then display a cute little page back to the attacker warning
them that their feeble attempt has been detected.

To see it from an attacker's point of view, visit:

        http://www.cccd.edu/cgi-bin/phf?hp3000-l

The hp3000-l part is just to let me know it's one of you guys and not an
actual break-in attempt.

The substitute script that does this is listed below:

#!/usr/bin/sh
# Substitute phf CGI: requests for /cgi-bin/phf land here instead of the
# vulnerable program.  The full CGI environment is mailed to the webmaster,
# and the requester sees a warning page instead of any file contents.

webmaster="[log in to unmask]"

# Mail the whole shell environment (HTTP_*, REMOTE_*, QUERY_STRING, ...) so
# the request can be investigated later.
set | /usr/bin/mailx -s "WARNING: phf hack attack" $webmaster

# CGI response header.  printf is used instead of echo so the blank line that
# ends the header is produced the same way under every shell.
printf 'Content-Type: text/html\n\n'

cat - <<EOF
<HTML>
<HEAD><TITLE>Get A Life!</TITLE></HEAD>
<BODY>
<H1>Get A Life!</H1>
<P>Your <A HREF="ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code">phf hack attack</A> has been intercepted, and the following identification
information has just been sent to the webmaster of this machine:</P>
<PRE>
EOF

# Show the requester the identifying variables that were mailed.  Their values
# come straight from the request, so escape &, < and > before placing them in
# the page; otherwise a crafted header could inject markup into this response.
set | grep -e ^HTTP -e ^PATH_INFO -e ^QUERY_STRING -e ^REMOTE \
    | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'

cat - <<EOF
</PRE>
<P>Why don't you find something more constructive to do with the obviously
excessive free time you have on your hands?</P>
</BODY>
</HTML>
EOF
--
Mark Bixby                      E-mail: [log in to unmask]
Coast Community College Dist.   Web: http://www.cccd.edu/~markb/
District Information Services   1370 Adams Ave, Costa Mesa, CA, USA 92626-5429
Technical Support               +1 714 438-4647
"You can tune a file system, but you can't tune a fish." - tunefs(1M)
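The substitute script above records each phf request as it happens, but it gives no view of how often such requests arrive or where they come from. As an added example (not from Mark Bixby's post or from Apache/iX), the following POSIX shell script scans Apache common-log-format lines for requests to /cgi-bin/phf and tallies them per client address, which is the check a webmaster would run against the access log to confirm the "several times per week" rate. The log lines are constructed, and the function names phf_hits and phf_total are my own.

```shell
#!/bin/sh
# Added example: summarize requests for the phf CGI from web server access
# logs in common log format ("client - - [date tz] \"METHOD path proto\" ...").

# Constructed sample log lines (not real traffic); the hp3000-l query string
# mirrors the test URL in the post.
SAMPLE_LOG='192.0.2.10 - - [12/May/1997:14:01:02 -0700] "GET /cgi-bin/phf?hp3000-l HTTP/1.0" 200 512
198.51.100.7 - - [12/May/1997:14:05:09 -0700] "GET /index.html HTTP/1.0" 200 1024
192.0.2.10 - - [13/May/1997:03:22:41 -0700] "GET /cgi-bin/phf HTTP/1.0" 200 512
203.0.113.5 - - [14/May/1997:11:00:00 -0700] "HEAD /cgi-bin/phf HTTP/1.0" 200 0'

# Match the request path exactly (/cgi-bin/phf with or without a query string);
# a bare substring match would also hit unrelated paths such as /cgi-bin/phfoo.
PHF_PATH='^/cgi-bin/phf([?]|$)'

# Print "count client" lines, most active client first, for every client that
# requested /cgi-bin/phf.  Reads log text on stdin.
phf_hits() {
    awk -v re="$PHF_PATH" '$7 ~ re { n[$1]++ }
         END { for (c in n) print n[c], c }' | sort -rn
}

# Print the total number of phf requests in the log text on stdin.
phf_total() {
    awk -v re="$PHF_PATH" '$7 ~ re { t++ } END { print t + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | phf_hits
printf 'total phf requests: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | phf_total)"
```

Feed a real access log on stdin instead of the sample (`phf_hits < /path/to/access_log`) to get the per-client tally; the field-7 match assumes the common log format, so logs with an extra leading virtual-host field need the index adjusted.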
