copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
» AL-96.06 -- Continued HTTP server attacks using PHF
AL-96.06 -- Continued HTTP server attacks using PHF
Date:
06 January 1997
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AL-96.06 AUSCERT Alert Continued HTTP server attacks using PHF 24 September 1996 Last Revised: 6 January, 1997 Changed contact information A complete revision history is at the end of this file. - --------------------------------------------------------------------------- In recent weeks, AUSCERT, and other Incident Response Teams, have seen a global increase in the number of attacks on sites using a well known vulnerability in older versions of the CGI-BIN program "phf". These attacks are using automated scripts that have been widely distributed amongst the intruder community. The vulnerable version of "phf" was originally supplied as an example CGI-BIN program with the NCSA httpd distribution, prior to 1.5.1, and the Apache httpd distribution, prior to 1.0.4. The vulnerability in the earlier versions of "phf" allow remote users to retrieve any world readable files, execute arbitrary commands and create files on the server with the privileges of the httpd process which answers HTTP requests. This may be used to compromise the http server and under certain configurations gain privileged access. For a full description of this vulnerability, and suggested work arounds, see the updated version of the AUSCERT Advisory AA-96.01: "Vulnerability in NCSA/Apache CGI example code" which can be retrieved from: ftp://ftp.auscert.org.au/pub/auscert/advisory/ AA-96.01.Vulnerability.in.NCSA.Apache.CGI.example.code If sites in the Pacific Rim area find any evidence showing that they have been probed using this method, they are encouraged to report the incident to AUSCERT. Reports of all attacks help AUSCERT gain a better overview of intruder activity within the constituency. All other sites should report security incidents, such as these, to their local Incident Response Team. - ---------------------------------------------------------------------------- The AUSCERT team have made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AUSCERT takes no responsibility for the consequences of applying the contents of this document. If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). AUSCERT is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST). AUSCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au. This archive contains past SERT and AUSCERT Advisories, and other computer security information. AUSCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au. Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 4477 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. Postal: Australian Computer Emergency Response Team c/- Prentice Centre The University of Queensland Brisbane Qld. 4072. AUSTRALIA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision History Jan 6, 1997 Information on who to contact in the event of an attack was changed to point people to their local Incident Response Team. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBMtEElCh9+71yA2DNAQE7ZAP+Pm3stKliq75G7E9/B4wXSWBydCXuib2d XBzEX0dHtUaStZDCCa2XZd5aS0l7ql1rhcoVXNt2ec17osIzFQJF/N3WKYIrl4eO ygty24Zp+jY6SdZyjX966wJfx95f/GQR8LUyvPRcOGwWjTzRi6hvuCVELugLwwOZ EgEVbBjELR8= =90pl -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=1&it=73