Bugtraq Archives: AltaVista followup and monitor script


Subject: AltaVista followup and monitor script
From: Edward Glowacki (glowack2KEY-LARGO.CL.MSU.EDU)
Date: Wed Dec 29 1999 - 22:33:22 CST


---------- Snippet of forwarded message ----------

have a nice Y2K-BUG

rudicarellhotmail.com

other infos:

vulnerable: altavista search intranet 2.??
type: Input Validation Error
object: query?
remote: yes
vendor: altavista (got informed ~3 months ago)

---------- End snippet ---------

Thanks to rudi for the initial post earlier today. I was able to verify
the vulnerability in 2.0b and 2.3a (with the patch) on Digital Unix. I
emailed AltaVista tech support shortly after reading the message to
inquire about a patch to fix this hole; hopefully they'll get one out
soon. At the end of this message is a simple Perl script I wrote to watch
the log file and send a short email when someone grabs the mgtstate file.
I can't stop intruders from getting my password, but at least I can have
some idea that my password has escaped.

--
Edward Glowacki				glowack2msu.edu
MSU AltaVista Administrator		
Network Services
Michigan State University	

#!/bin/perl
#
# Simple perl script to watch your logfile and notify you if someone tries to
# get at mgtstate to grab your AltaVista admin password.  Not elegant, but it
# should work.  It will check the whole log file from the beginning and
# continue to monitor until interrupted (probably just want to put it in
# the background and let it go).  Tested on Digital Unix 4.0D.  Use at your
# own risk.
#
# usage: watch logfile email <identifier>
#   optional identifier to distinguish different servers if needed

$logfile = "";
$email = "";
$identifier = "";

# Positional arguments: log file, notification address, optional identifier
$logfile = $ARGV[0]; shift;
$email = $ARGV[0]; shift;
$identifier = $ARGV[0]; shift;

if($logfile eq "" || $email eq "") {
    print("Need a logfile and email address, i.e.:\n");
    print("  watch httpd/logs/access_log someone\@somewhere.com\n");
    exit(0);
}

# Follow the log from its first byte.  List-form open passes the arguments
# straight to tail, so the file name is never interpreted by a shell.
open(ACCESS, "-|", "/bin/tail", "-f", "-c", "+0", $logfile)
    || die "Can't open tail of log file";

while(<ACCESS>) {
    if(/mgtstate/) {
        # One short mail per matching log line
        open(MAIL, "|-", "/bin/mailx", "-s",
             "AltaVista intruder: mgtstate access", $email);
        if($identifier ne "") {
            print(MAIL "Ident: $identifier\n\n");
        }
        print(MAIL "$_");
        close(MAIL);
    }
}
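
An added example, not part of the original post or of the script above: a Python variant of the same log check that undoes percent-encoding and ignores case before matching, and reports whether the server actually returned the file. It assumes Common Log Format; the sample lines are constructed, and REDACTED stands in for request details the post does not give.

```python
import re
from urllib.parse import unquote

# Assumed Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) (\S+)')

# Constructed sample lines; REDACTED replaces the real request details.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Dec/1999:21:02:11 -0600] "GET /query?REDACTED=weather HTTP/1.0" 200 5120',
    '192.0.2.44 - - [29/Dec/1999:21:05:40 -0600] "GET /query?REDACTED/mgtstate HTTP/1.0" 200 312',
    '198.51.100.7 - - [29/Dec/1999:21:09:03 -0600] "GET /query?REDACTED/%6Dgtstate HTTP/1.0" 200 312',
    '203.0.113.5 - - [29/Dec/1999:21:15:27 -0600] "GET /query?REDACTED/MGTSTATE HTTP/1.0" 404 -',
]

def decode_target(target, rounds=3):
    """Undo up to `rounds` layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_mgtstate_hits(lines, needle="mgtstate"):
    """Return one dict per log line whose decoded request mentions `needle`."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            # Unparseable line: fall back to a whole-line match so nothing is missed.
            if needle in decode_target(line).lower():
                hits.append({"host": None, "time": None, "status": None, "served": None})
            continue
        host, when, target, status, size = m.groups()
        if needle in decode_target(target).lower():
            # A 2xx status with a non-empty body means the file probably left the server.
            served = status.startswith("2") and size not in ("-", "0")
            hits.append({"host": host, "time": when, "status": int(status), "served": served})
    return hits

if __name__ == "__main__":
    for hit in find_mgtstate_hits(SAMPLE_LOG):
        verdict = "SERVED, change the admin password" if hit["served"] else "attempt only"
        print(f'{hit["time"]} {hit["host"]} status={hit["status"]}: {verdict}')
```
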



This archive was generated by hypermail 2b27 : Thu Dec 30 1999 - 13:25:43 CST