Recently one of our machines was hacked. I'm not sure how many people know about this hack, but any machine that does not have a shadow password facility and has a common CGI program called phf is susceptible to attack.
You can use phf to more/grep the etc/passwd file. The way you can check if you've been hacked is to grep your log files for phf. A failed attack will look like so:

access_log:aksess-gw3-4.ppp.sn.no unknown - [18/Nov/1996:15:10:36 +1100] "GET /cgi-bin/phf?Qname=%0Acat%20/etc/passwd HTTP/1.0" 404 -
access_log:aksess-gw3-4.ppp.sn.no unknown - [18/Nov/1996:15:16:04 +1100] "GET /cgi-bin/phf?Qname=%0Acat%20/etc/passwd HTTP/1.0" 404 -

A successful attack will look the same without the 404 - at the end of the entry.

Just thought you guys would be interested.

Sahua,
- mIcHaEl

The Australian Internet Company, ISP par Excellence
http://www.electric-rain.net/ (mine)
http://www.aic.net.au/ (not mine)

"On the Plains of Hesitation bleach the bones of countless millions who, at the dawn of victory, sat down to wait and waiting died." -G.W Cecil/Adlai Stevenson.
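The log check described in the message above, written out as a small script. This is an added example, not part of the original post: it parses Common Log Format entries (with the "filename:" prefix grep adds), picks out requests for phf, decodes the query string, and separates the 404 entries the post calls failed from everything else, which is marked for investigation. The function name, the verdict labels and the client.example lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format; grep over several files prepends "filename:" to each line.
# Assumption: client hosts are names or IPv4 addresses (no colons in them).
LINE_RE = re.compile(
    r'^(?:(?P<file>[^:\s]+):)?(?P<host>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}|-) (?P<size>\S+)'
)
# phf as a path segment, in any CGI directory, with or without trailing path info.
PHF_RE = re.compile(r'(?:^|/)phf(?:$|/)', re.IGNORECASE)

SAMPLE = [
    # The two entries quoted in the post.
    'access_log:aksess-gw3-4.ppp.sn.no unknown - [18/Nov/1996:15:10:36 +1100] '
    '"GET /cgi-bin/phf?Qname=%0Acat%20/etc/passwd HTTP/1.0" 404 -',
    'access_log:aksess-gw3-4.ppp.sn.no unknown - [18/Nov/1996:15:16:04 +1100] '
    '"GET /cgi-bin/phf?Qname=%0Acat%20/etc/passwd HTTP/1.0" 404 -',
    # Constructed lines: an unrelated request and a phf request that did not 404.
    'access_log:client.example unknown - [18/Nov/1996:15:20:00 +1100] '
    '"GET /index.html HTTP/1.0" 200 1504',
    'access_log:client.example unknown - [18/Nov/1996:15:21:00 +1100] '
    '"GET /cgi-bin/phf?Qname=%0Acat%20/etc/passwd HTTP/1.0" 200 2048',
]

def find_phf_requests(lines):
    """Return one dict per logged request whose path names the phf program."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a Common Log Format entry
        path, _, query = m['target'].partition('?')
        if not PHF_RE.search(unquote(path)):
            continue
        decoded = unquote(query)
        hits.append({
            'host': m['host'], 'when': m['when'], 'status': m['status'],
            'query': decoded,
            # %0A / %0D in the query is the pattern visible in the logged probes.
            'newline_in_query': '\n' in decoded or '\r' in decoded,
            # Per the post, a 404 means the attempt failed; anything else needs review.
            'verdict': 'failed' if m['status'] == '404' else 'investigate',
        })
    return hits

if __name__ == '__main__':
    for hit in find_phf_requests(SAMPLE):
        print(hit['verdict'], hit['host'], hit['when'], hit['status'], repr(hit['query']))
```

Any entry marked investigate should be followed up by checking whether phf is installed on that server and whether the password file it exposes holds real hashes.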