Stan -- Someone from some.remote.location.edu is attempting to capture your
/etc/passwd file (password file). It appears that they may have succeeded.
I'd suggest you take your server down (off the internet) until you are able
to insure you have not been compromised. TO be safe, you will want to
change all of your passwords. Also, remove the cgi-bin scripts if you don't
need them, or at least change the permissions on them so that only the
script owners have rwx to them.
On Wed, 4 Jun 1997, Stan Wnuck wrote:
> Hi all,
> I have noticed on my WWW log files the following 2 entries.
> some.remote.location.edu - - [28/Apr/1997:01:33:21 +0015] "GET /cgi-bin/phf?Jserver=ns.uiuc.edu%0Acat%20/etc/passwd%0Aypcat%20passwd%0Apwd%0Aid%0Auname%20-a%0A&Qalias=&Qname=foo&Qemail=&Qnickname=&Qoffice_phone=&Qcallsign=&Qproxy=&Qhigh_school=&Qslip= HTTP/1.0" 200 140
> some.remote.location.edu - - [28/Apr/1997:01:33:23 -74587788] "GET /cgi-bin/php.cgi?/etc/passwd" 404 143
> Does anyone know anything about these cgi scripts or programs?
> Or how dangerous this is?
> I changed the real source location to a fake some.remote.location.edu to
> not let out the bag of the source of this hack, since I am not sure what
> my next move would be.
> Thanks in advance.
> Stan Wnuck swnuck @
> Unixpros, Inc.
> 10 Industrial Way East (908) 389-3295 x542
> Eatontown, NJ 07724 (908) 389-5461 Fax
> PM-CHS Technology Insertion Office
> Ft. Monmouth Army Base, NJ (908) 427-2033 / 427-6963
Gary G. Hull - Technical Consultant
Howard Systems International - Glaxo Wellcome Inc.
Five Moore Drive - Raleigh, North Carolina 27709
Tel : (919) 941-4867 - Fax : (919) 483-0056
email: ggh14854 @