On Wed, 4 Jun 1997, Stan Wnuck wrote:
> Hi all,
> I have noticed on my WWW log files the following 2 entries.
> some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
> some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
> Does anyone know anything about these cgi scripts or programs?
> Or how dangerous this is?
You have just been hacked.
Get rid of the phf script. It has a major security hole. (You may
want to upgrade your server to something more recent as well, as there
are other holes to worry about.)
Change all passwords. They have your password file and are probably
running crack on it as you read this.
com | "Those who are without history are doomed to retype it."
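
An added example, not part of the original messages: a log check that flags requests like the two quoted above by URL-decoding the query string and looking for control characters or password-file paths, and records whether the server answered with a success status. The function names, the watch list and the third sample line are assumptions made for illustration; the first sample entry has its trailing empty form fields shortened.

```python
import re
from urllib.parse import unquote

# Common Log Format, matched loosely: the timestamps quoted in the thread have
# malformed timezones and the second request carries no protocol version.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
SENSITIVE = ("/etc/passwd", "/etc/shadow")  # assumed watch list

def inspect(line):
    """Return a finding dict for a suspicious request, else None."""
    m = CLF.match(line.strip())
    if not m:
        return None
    script, _, query = m["target"].partition("?")
    decoded = unquote(query)
    reasons = []
    if any(ord(c) < 0x20 for c in decoded):
        reasons.append("control character (such as %0A) in query string")
    if any(p in decoded for p in SENSITIVE):
        reasons.append("sensitive file path in query string")
    if not reasons:
        return None
    status = int(m["status"])
    # 2xx: the server answered the request; 404: the script was not found.
    return {"host": m["host"], "script": script, "status": status,
            "served": 200 <= status < 300, "reasons": reasons}

def scan(lines):
    """Run inspect() over an iterable of log lines, keeping only findings."""
    return [f for f in map(inspect, lines) if f]

# The two entries quoted in the thread, plus one constructed benign request.
SAMPLE = [
    'some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf'
    '?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname'
    '%20-a%0A&Qalias=&Qname=foo&Qemail= HTTP/1.0" 200 140',
    'some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] '
    '"GET /cgi-bin/php.cgi?/etc/passwd" 404 143',
    'client.example.org - - [28/Apr/1997:02:00:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["host"], f["script"], f["status"],
              "SERVED" if f["served"] else "not served", "; ".join(f["reasons"]))
```

A flagged entry with `served` set is the one that calls for the cleanup steps in the reply; the 404 entry shows a probe for a script that was not found.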