[Dshield] Re: Unusual log activity - any ideas?

Johannes B. Ullrich jullrich at sans.org
Thu May 2 12:39:03 GMT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> 217.81.xxx.xxx - - [11/Apr/2002:20:35:35 +0000] "GET /cgi-bin/phf?Qalias
> =%0A/bin/cat%20/etc/passwd HTTP/1.0" 404 205 "-" "-"

Hm. didn't realize that this is still used. definitly part of the
'oldies but goodies' category. 

'phf' is a sample cgi script, which came with very early versions
of Apache. Essentially, it was a demo to show how to execute
arbitrary shell commands using cgi.

- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE80TNpwWQP+4im9DYRAihnAJ9sGb9GgsxfzAP+2q9L8H1FihALkQCeMjKx
CyLx5WAN9gzy9jOwC7bggTo=
=qGf0
-----END PGP SIGNATURE-----




More information about the list mailing list