Bugtraq mailing list archives
PHF Attacks - Fun and games for the whole family
From: pauld () lemur org (Paul Danckaert)
Date: Mon, 23 Sep 1996 10:43:01 -0400
Greetings,

Recently I have seen quite an upswing in attacks against web servers, with people trying to exploit various CGI binaries, including Phf. Phf has a known vulnerability that is being widely exploited in how it handles certain escaped arguments. To let me know of attacks on sites via this vulnerability, I installed the following script on our web servers. I don't run phf on our systems, so there is no problem of interrupting normal activity. The script simply looks like the original PHF program; however, it mails the security person whenever connections or probes are received.

The idea of luring attacks and presenting false information is an interesting one, as an attacker needs to find a vulnerability to exploit to get into the system. If vulnerabilities are presented that are not legitimate, it is more difficult for an attacker to decide what is legitimate and what is just bait. If people wish to attack a system, they take the risk that they are either falling into a trap or actually getting into the system. It's interesting to blur the two. Along with scripts like the one below, people can play games with modified sendmail version lines, or even present false login screens with the tcp wrapper twist.

In any case, the script below was just thrown together as an example. On some sites, I run one similar to it, and it works very well as an early warning against attacks. Before running it, I would certainly look it over to decide if it's safe for your system. If you see problems, please let me know.

Paul Danckaert
pauld () lemur org

----------------------------------------------------------------------

#!/usr/bin/perl
#
# Pseudo-Phf - A not-quite-real phf replacement that provides a warning
#              against attacks, as well as presenting false
#              information to the attacker.
#
# Paul Danckaert (pauld () lemur org)
#
use strict;
use warnings;

# Where alerts are sent.  The list archive prints this address as
# "security () lemur org"; "() " stands for "@" and the space for ".".
my $email    = 'security@lemur.org';
my $sendmail = "/usr/lib/sendmail";

###

print "Content-type: text/html\n\n";

my $query = defined $ENV{"QUERY_STRING"} ? $ENV{"QUERY_STRING"} : "";
my $action;

if ($query eq "") {
    ShowForm();                       # plain "do ShowForm()" no longer parses in modern Perl
    $action = "Looked At Form";
} else {
    # The phf probe asks for /etc/passwd; the "/" may arrive escaped as %2f.
    if ($query =~ /(\/|%2f)passwd/i) {
        ShowBadPass();
        $action = "Attempted Password Grab";
    } else {
        $action = "Submitted Form";
    }
}

my $notice = "[/CGI-BIN/PHF] $action";

# List-form open: sendmail receives its arguments directly, with no shell in between.
open(MAIL, "|-", $sendmail, $email) or die "cannot run $sendmail: $!";
print MAIL "From: PHF Watcher <$email>\n";
print MAIL "To: $email\n";
print MAIL "Subject: $notice\n\n";
print MAIL "[AutoMessage from PHF]\n\n";
print MAIL "ENV List\n------------------------------------------\n";
foreach my $var (keys %ENV) {
    # Strip newlines so a crafted request cannot break the message into extra lines.
    (my $val = $ENV{$var}) =~ s/\n//g;
    print MAIL "$var \t $val\n";
}
print MAIL ".\n\n";
close(MAIL);

#
# Print Error Message to the users request.
#
print <<"EOF";
<H1>Query Results</H1>
/usr/local/bin/ph - Command not found
<PRE>
</PRE>
EOF

exit 0;

sub ShowForm {
    print <<"EOF";
<TITLE>Form for CSO PH query</TITLE>
<H1>Form for CSO PH query</H1>
This form will send a PH query to the specified ph server.
<HR>
<FORM ACTION="/cgi-bin/phf">
PH Server:<INPUT TYPE="text" NAME="Jserver" VALUE="ns.uiuc.edu" MAXLENGTH="256">
<H3>At least one of these fields must be specified:</H3><UL>
<LI><INPUT TYPE="text" NAME="Qalias" MAXLENGTH="32">Alias
<LI><INPUT TYPE="text" NAME="Qname" MAXLENGTH="256">Name
<LI><INPUT TYPE="text" NAME="Qemail" MAXLENGTH="128">E-mail Address
<LI><INPUT TYPE="text" NAME="Qnickname" MAXLENGTH="120">Nickname
<LI><INPUT TYPE="text" NAME="Qoffice_phone" MAXLENGTH="60">Office Phone Number
<LI><INPUT TYPE="text" NAME="Qcallsign" MAXLENGTH="16">HAM Callsign
<LI><INPUT TYPE="text" NAME="Qproxy" MAXLENGTH="64">Proxy
<LI><INPUT TYPE="text" NAME="Qhigh_school" MAXLENGTH="30">High School
<LI><INPUT TYPE="text" NAME="Qslip" MAXLENGTH="256">SLIP Address
</UL>
<A HREF="/cgi-bin/phf?Jform=16"><H3>Show additional fields to narrow query</H3></A>
<A HREF="/cgi-bin/phf?Jform=1"><H3>Return more than default fields</H3></A>
<INPUT TYPE="submit">
</FORM>
<HR>
<ADDRESS>Questions, comments to: <a href="http://www.ncsa.uiuc.edu/SDG/People/jbrowne/jbrowne.html">Jim Browne</a>
</ADDRESS>
EOF
}

# A fake password file, shown in place of the real one when a probe asks for it.
sub ShowBadPass {
    print <<"EOF";
root:9IDv/CqdFuqWo:0:0:Super User:/:/bin/csh
sysadm:*:0:0:System V Administration:/usr/admin:/bin/sh
diag:*:0:996:Hardware Diagnostics:/usr/diags:/bin/csh
daemon:*:1:1:daemons:/:/dev/null
bin:*:2:2:System Tools Owner:/bin:/dev/null
uucp:*:3:5:UUCP Owner:/usr/lib/uucp:/bin/csh
fax:*:3:10:Fax:/var/spool/fax:/bin/sh
sys:*:4:0:System Activity Owner:/var/adm:/bin/sh
adm:*:5:3:Accounting Files Owner:/var/adm:/bin/sh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
nuucp::10:10:Remote UUCP User:/var/spool/uucppublic:/usr/lib/uucp/uucico
auditor:*:11:0:Audit Activity Owner:/auditor:/bin/sh
dbadmin:*:12:0:Security Database Owner:/dbadmin:/bin/sh
rfindd:*:66:1:Rfind Daemon and Fsdump:/var/rfindd:/bin/sh
EZsetup:*:992:998:System Setup:/usr/Cadmin:/bin/csh
demos::993:997:Demonstration User:/usr/demos:/bin/csh
tutor::994:997:Tutorial User:/usr/tutor:/bin/csh
OutOfBox::995:997:Out of Box Experience:/usr/people/tour:/bin/csh
guest::998:998:Guest Account:/usr/adm/guest:/bin/csh
4Dgifts::999:998:4Dgifts Account:/usr/people/4Dgifts:/bin/csh
nobody:*:60001:60001:Nobody:/dev/null:/dev/null
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null
www:*:20:10:The Web Slinger:/web/www:/bin/csh
webadmin:ecKu77KmsNALs:0:0:Sysadmin web account:/:/bin/sh
testact::1000:10:Test Account:/:/bin/sh
ftp:*:60001:60001:FTP ACCOUNT:/ftp:/dev/null
EOF
}
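As an added example, not part of Paul's post or his script: the decoy's three-way classification (form view, password grab, other submission) written in Python, first on the raw query string exactly as the Perl regex sees it, and then, going one step beyond the post, on the percent-decoded query as well, so a doubly escaped slash (%252f) that slips past the raw-string test is still flagged. The same test is replayed over access-log lines, which lets a site that keeps the real phf removed (or never had it) spot probes in its logs without running any CGI at all, and the alert is built in the subject/body shape the script hands to sendmail. Function names, the DECOY_PATH constant and the SAMPLE_LOG lines are constructed for this example.

```python
"""Classify requests to a decoy /cgi-bin/phf the way the Bugtraq script does,
replay the same test over web server access-log lines, and build the alert
text the script mails.  Helper code written for this example; the sample
log below is constructed, not captured."""
import re
import urllib.parse
from typing import Dict, List, Tuple

# The decoy script's test: a literal "/" or an escaped "%2f" right before "passwd".
PASSWD_PROBE = re.compile(r"(/|%2f)passwd", re.IGNORECASE)

# Common Log Format, enough of it to pull host, timestamp and request path.
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

DECOY_PATH = "/cgi-bin/phf"  # assumed location of the decoy (the form posts here)


def classify_query(query: str) -> str:
    """The three branches of the Perl script, applied to the raw QUERY_STRING."""
    if query == "":
        return "Looked At Form"
    if PASSWD_PROBE.search(query):
        return "Attempted Password Grab"
    return "Submitted Form"


def classify_query_decoded(query: str) -> str:
    """Same outcomes, but the test also runs on the percent-decoded query
    (decoded twice), so a doubly escaped slash such as %252f is still
    flagged.  The original regex sees only the raw string and misses it."""
    if query == "":
        return "Looked At Form"
    candidates = [query]
    decoded = query
    for _ in range(2):
        decoded = urllib.parse.unquote(decoded)
        candidates.append(decoded)
    if any(PASSWD_PROBE.search(c) for c in candidates):
        return "Attempted Password Grab"
    return "Submitted Form"


def phf_alerts(log_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (host, time, action, query) for every request to the decoy path;
    lines that do not parse or that hit other URLs are skipped."""
    alerts = []
    for line in log_lines:
        m = CLF.match(line)
        if not m:
            continue
        url = urllib.parse.urlsplit(m.group("path"))
        if url.path.lower() != DECOY_PATH:
            continue
        action = classify_query_decoded(url.query)
        alerts.append((m.group("host"), m.group("time"), action, url.query))
    return alerts


def format_alert(action: str, env: Dict[str, str]) -> Tuple[str, str]:
    """Subject and body in the shape the script writes to sendmail.  Newlines
    are removed from every value, as the script does, so a request cannot
    inject extra lines into the message."""
    subject = f"[/CGI-BIN/PHF] {action}"
    lines = ["[AutoMessage from PHF]", "", "ENV List",
             "------------------------------------------"]
    for var in sorted(env):
        lines.append(f"{var}\t{env[var].replace(chr(10), '')}")
    lines.append(".")
    return subject, "\n".join(lines) + "\n"


# Constructed access-log sample (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Sep/1996:10:43:01 -0400] "GET /cgi-bin/phf HTTP/1.0" 200 1523',
    '192.0.2.10 - - [23/Sep/1996:10:43:05 -0400] "GET /cgi-bin/phf?Qalias=x%2fetc%2fpasswd HTTP/1.0" 200 1101',
    '192.0.2.11 - - [23/Sep/1996:10:44:12 -0400] "GET /cgi-bin/phf?Qalias=x%252fetc%252fpasswd HTTP/1.0" 200 1101',
    '198.51.100.7 - - [23/Sep/1996:10:45:00 -0400] "GET /cgi-bin/phf?Qname=Jim HTTP/1.0" 200 80',
    '198.51.100.7 - - [23/Sep/1996:10:45:30 -0400] "GET /index.html HTTP/1.0" 200 4096',
]

if __name__ == "__main__":
    for host, when, action, query in phf_alerts(SAMPLE_LOG):
        subject, _ = format_alert(action, {"REMOTE_ADDR": host, "QUERY_STRING": query})
        print(f"{when} {host} {subject}")
```

Running the module prints one line per hit on the decoy path; the third sample line is the one the raw-string test would have reported as an ordinary "Submitted Form", and the decoded test reports it as a password grab.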
Current thread:
- PHF Attacks - Fun and games for the whole family Paul Danckaert (Sep 23)
- Re: PHF Attacks - Fun and games for the whole family doug () ENG AUBURN EDU (Sep 25)