On Mon, 1 Jul 1996, Brian Mitchell wrote:

> On Wed, 26 Jun 1996, Paul Danckaert wrote:
>
> > We have seen quite an increase in web-related attacks, specifically
> > trying to exploit cgi's with %0a (newline) characters, trying to grab
> > password files, and run other commands. I would recommend grep'ing
> > through some of your web server logs looking for passwd, %0a, %0A, and
> > things like that. Just in the last few weeks these attacks have
> > increased to the point of several a week.
>
> Are there any other common programs (besides phf) that are linked with
> the util.c code that has the newline problem? I thought phf was the main
> problem - so a grep of phf is probably more useful (or replace phf with
> some perl code that mails you their vital information when it is run).

Not out of the default (old) NCSA cgi-src distribution.. at least that I
know of. Phf is the main problem, but people try that sort of thing on
other CGIs also. If it looks like it could run a program, people give it a
shot.

Now, most of the scans we get are for phf, though people look for some of
the other default programs also. (finger, date, etc..) I'm assuming they
are either information gathering and looking for sites with default
software installations, or just mucking about looking for programs to link
to or something.

The PHF scans are almost always in one of 3 formats... I've seen two types
of queries with an embedded cat /etc/passwd in the middle, and one type
with an embedded id command in there. These are probably the common attack
scripts in the hacker community right now..

Myself, I prefer putting in a replacement script to PHF. You could have it
look real, but fail the password grab, or even be a bit sneakier and
return a false password file. (With an easily crackable password on a
non-existent account, that swatch watches for, perhaps..)

The real problem is just people who install software by default. All of
the cgi programs end up installed, and stay there over version updates.. a
dozen network services are enabled in inetd.conf (and other places), but
only 3 or 4 are actually used..

paul
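The log grep that Paul recommends (looking for passwd, %0a, %0A and phf in the web server logs), written out as a small shell script. This is an added example, not code from the thread; it assumes an NCSA/Apache-style common log format, and the five log lines it scans are constructed for the demonstration rather than taken from any real server.

```shell
#!/bin/sh
# Added example, not from the original message: scan a web access log for
# the indicators discussed in the thread -- encoded newlines (%0a / %0A),
# "passwd" inside a /cgi-bin/ request, and any request for phf.
# The log lines below are constructed sample data in common log format.

LOG="${TMPDIR:-/tmp}/cgi-scan-sample.log"
cat > "$LOG" <<'EOF'
10.0.0.1 - - [01/Jul/1996:10:00:00 -0400] "GET /index.html HTTP/1.0" 200 1024
10.0.0.2 - - [01/Jul/1996:10:00:05 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 512
10.0.0.3 - - [01/Jul/1996:10:00:09 -0400] "GET /cgi-bin/finger?%0Aid HTTP/1.0" 404 0
10.0.0.4 - - [01/Jul/1996:10:00:12 -0400] "GET /docs/passwd-policy.html HTTP/1.0" 200 2048
10.0.0.5 - - [01/Jul/1996:10:00:15 -0400] "GET /cgi-bin/phf?Qname=john HTTP/1.0" 200 300
EOF

# Print every log line that carries one of the indicators. -i makes the
# %0a pattern also catch %0A. "passwd" is only counted when it appears in a
# /cgi-bin/ request, so a static document whose name happens to contain
# "passwd" (line 4 above) is not reported.
scan_cgi_log() {
    grep -iE '%0a|/cgi-bin/[^ "]*passwd|/cgi-bin/phf' "$1"
}

# Number of suspicious requests in the log (tr strips BSD wc padding).
count_hits() {
    scan_cgi_log "$1" | wc -l | tr -d ' '
}

# Distinct client addresses that sent suspicious requests; with the common
# log format the client address is the first field.
hit_sources() {
    scan_cgi_log "$1" | awk '{ print $1 }' | sort -u
}

echo "suspicious requests: $(count_hits "$LOG")"
echo "sources:"
hit_sources "$LOG"
echo "matching lines:"
scan_cgi_log "$LOG"
```

Run against a real log by pointing `LOG` at it (or calling `scan_cgi_log /path/to/access_log` after sourcing the file); on the sample data the script reports three suspicious requests from three source addresses, and the `/docs/passwd-policy.html` request is left alone. The phf request without `%0a` (line 5) is still reported, matching Brian's point that any phf request is worth a look once you no longer use the program.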