This posting is a summary for people like myself who know they will never be rocket scientists. Unix Wizards can safely ignore it. Based on postings on this list and firewalls, there is a frequently exploited hole in some www server installations. A script is being used by hackers that tries to use the phf program that came with some cgi application gateways to steal a copy of the server's password file. Log on the system console as root and change to the appropriate directory, something like cd /users/inet/admin and type egrep "passwd|\%0a|\%OA" *access then wait for a while. If you have been attacked, a response something like the following will be returned: 960412access:198.69.26.81 - - [12/Apr/1996:04;24;42 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 207 slip50.genstar.net - - [02/Jul/1996:16:46:55 -0700] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 27121 The last group of digits in each response shows the number of bytes transmitted. The second to last group of digits is the status code returned. A status code in the 200 range shows the hack worked. A status code in the 400 range shows the hack failed. In the examples shown above, the first attempt failed (404 207). The second attempt worked and the password file was transmitted (200 27121). Hog Farmer Tropical Hog Improvement Programme (If anyone knows of a rustler proof hog-pen, please let me know)