Date: 06 January 1997
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AL-96.06 AUSCERT Alert
Continued HTTP server attacks using PHF
24 September 1996
Last Revised: 6 January, 1997
Changed contact information
A complete revision history is at the end of this file.
- ---------------------------------------------------------------------------
In recent weeks, AUSCERT, and other Incident Response Teams, have seen a
global increase in the number of attacks on sites using a well known
vulnerability in older versions of the CGI-BIN program "phf". These
attacks are using automated scripts that have been widely distributed
amongst the intruder community.
The vulnerable version of "phf" was originally supplied as an example
CGI-BIN program with the NCSA httpd distribution, prior to 1.5.1, and the
Apache httpd distribution, prior to 1.0.4.
The vulnerability in the earlier versions of "phf" allow remote users to
retrieve any world readable files, execute arbitrary commands and create
files on the server with the privileges of the httpd process which answers
HTTP requests. This may be used to compromise the http server and under
certain configurations gain privileged access.
For a full description of this vulnerability, and suggested work
arounds, see the updated version of the AUSCERT Advisory AA-96.01:
"Vulnerability in NCSA/Apache CGI example code"
which can be retrieved from:
ftp://ftp.auscert.org.au/pub/auscert/advisory/
AA-96.01.Vulnerability.in.NCSA.Apache.CGI.example.code
If sites in the Pacific Rim area find any evidence showing that they have
been probed using this method, they are encouraged to report the incident
to AUSCERT. Reports of all attacks help AUSCERT gain a better overview
of intruder activity within the constituency. All other sites should
report security incidents, such as these, to their local Incident Response
Team.
- ----------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AUSCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
AUSCERT is located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security Teams
(FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
Jan 6, 1997 Information on who to contact in the event of an attack
was changed to point people to their local Incident
Response Team.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBMtEElCh9+71yA2DNAQE7ZAP+Pm3stKliq75G7E9/B4wXSWBydCXuib2d
XBzEX0dHtUaStZDCCa2XZd5aS0l7ql1rhcoVXNt2ec17osIzFQJF/N3WKYIrl4eO
ygty24Zp+jY6SdZyjX966wJfx95f/GQR8LUyvPRcOGwWjTzRi6hvuCVELugLwwOZ
EgEVbBjELR8=
=90pl
-----END PGP SIGNATURE-----
|