Re: rootkit and other bits'n'pieces.

Paul Danckaert (pauld@umbc.edu)
Fri, 5 Jul 1996 16:26:20 -0400 (EDT)

On Mon, 1 Jul 1996, Brian Mitchell wrote:

> On Wed, 26 Jun 1996, Paul Danckaert wrote:
> > 
> > We have seen quite an increase in web-related attacks, specifically 
> > trying to exploit cgi's with %0a (newline) characters, trying to grab 
> > password files, and run other commands.  I would recommend grep'ing 
> > through some of your web server logs looking for passwd, %0a, %0A, and 
> > things like that.  Just in the last few weeks these attacks have 
> > increased to the point of several a week.  
> > 
> 
> Are there any other common programs (besides phf) that are linked with 
> the util.c code that has the newline problem? I thought phf was the main 
> problem - so a grep of phf is probably more useful (or replace phf with 
> some perl code that mails you their vital information when it is run).

Not out of the default (old) NCSA cgi-src distribution.. at least that I 
know of.  Phf is the main problem, but people try that sort of thing on 
other CGIs also.  If it looks like it could run a program, people give it 
a shot.

Now, most of the scans we get are for phf, though people look for some of 
the other default programs also.  (finger, date, etc..)  I'm assuming 
they are either information gathering and looking for sites with default 
software installations, or just mucking about looking for programs to 
link to or something.  The PHF scans are almost always in one of 3 
formats... I've seen two types of queries with an embedded cat 
/etc/passwd in the middle, and one type with an embedded id command in 
there.  These are probably the common attack scripts in the hacker 
community right now..

Myself, I prefer putting in a replacement script to PHF.  You could have 
it look real, but fail the password grab, or even be a bit sneakier and 
return a false password file.  (With an easily crackable password on a 
non-existent account, that swatch watches for, perhaps..)  The real 
problem is just people who install software by default.  All of the cgi 
programs end up installed, and stay there over version updates.. a dozen 
network services are enabled in inetd.conf (and other places), but only 3 
or 4 are actually used..

paul
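The log grep described in this thread, written out as an added detection example that is not part of the original post: a small Python scanner over constructed Common Log Format lines that percent-decodes each request target (including double encoding such as %250a) and flags newline injection, passwd references, a command word after the injected separator, and any hit on phf. The sample log lines, the REQUEST_RE format assumption and the reason labels are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/1996:10:12:01 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1234
10.0.0.6 - - [01/Jul/1996:10:13:44 -0400] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 512
10.0.0.7 - - [01/Jul/1996:10:15:09 -0400] "GET /cgi-bin/finger?%0Aid HTTP/1.0" 200 80
10.0.0.8 - - [01/Jul/1996:10:16:30 -0400] "GET /index.html HTTP/1.0" 200 2048
10.0.0.9 - - [01/Jul/1996:10:17:02 -0400] "GET /cgi-bin/test-cgi?%250a/usr/bin/id HTTP/1.0" 404 0
"""

# Assumed CLF layout: host ident user [timestamp] "METHOD target PROTO" status
REQUEST_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so a double-encoded newline (%250a) is caught too."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def classify(target):
    """Return the reasons a request target looks like a CGI newline-injection probe."""
    reasons = []
    path, _, query = target.partition("?")
    decoded = decode_fully(query)
    if "\n" in decoded or "\r" in decoded:
        reasons.append("newline in query")
    if "passwd" in decoded:
        reasons.append("passwd reference")
    # A command word at the start of the query or right after a newline/;/| separator.
    if re.search(r'(^|[\n;|])\s*(/bin/|/usr/bin/)?(cat|id|ls|sh)\b', decoded):
        reasons.append("shell command after separator")
    if path.lower().endswith("/phf"):
        reasons.append("phf request")  # every phf hit is worth reviewing, benign or not
    return reasons

def scan_log(text):
    """Return (host, status, target, reasons) for each request that raised a flag."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and (reasons := classify(m["target"])):
            hits.append((m["host"], m["status"], m["target"], reasons))
    return hits

if __name__ == "__main__":
    for host, status, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{host} {status} {target}\n    -> {', '.join(reasons)}")
```

Decoding before matching matters: a grep for the literal string `%0a` misses `%0A` and `%250a`, while matching on the decoded newline catches all three.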