Bugtraq mailing list archives
AltaVista followup and monitor script
From: glowack2 () KEY-LARGO CL MSU EDU (Edward Glowacki)
Date: Wed, 29 Dec 1999 23:33:22 -0500
---------- Snippet of forwarded message ----------
have a nice Y2K-BUG
rudicarell () hotmail com
other infos:
vulnerable: altavista search intranet 2.??
type: Input Validation Error
object: query?
remote: yes
vendor: altavista (got informed ~3 months ago)
---------- End snippet ---------
Thanks to rudi for the initial post earlier today. I was able to verify
the vulnerability in 2.0b and 2.3a (with the patch) on Digital Unix. I
emailed AltaVista tech support shortly after reading the message to
inquire about a patch to fix this hole; hopefully they'll get one out
soon. At the end of this message is a simple perl script I wrote to watch
the log file and send a short email when someone grabs the mgtstate file.
I can't stop intruders from getting my password, but at least I can have
some idea that my password has escaped.
--
Edward Glowacki glowack2 () msu edu
MSU AltaVista Administrator
Network Services
Michigan State University
#!/bin/perl
#
# Simple perl script to watch your logfile and notify you if someone tries to
# get at mgtstate to grab your AltaVista admin password. Not elegant, but it
# should work. It will check the whole log file from the beginning and
# continue to monitor until interrupted (probably just want to put it in
# the background and let it go). Tested on Digital Unix 4.0D. Use at your
# own risk.
#
# usage: watch logfile email <identifier>
#        optional identifier to distinguish different servers if needed

$logfile = "";
$email = "";
$identifier = "";

# Positional arguments: log file, notification address, optional identifier
$logfile = $ARGV[0];
shift;
$email = $ARGV[0];
shift;
$identifier = $ARGV[0];
shift;

if($logfile eq "" || $email eq "") {
    print("Need a logfile and email address, i.e.:\n");
    print(" watch httpd/logs/access_log someone\@somewhere.com\n");
    exit(0);
}

# Read the log from its first byte and keep following it as it grows
open(ACCESS,"/bin/tail -f -c +0 $logfile |") || die "Can't open tail of log file";

while(<ACCESS>) {
    if(/mgtstate/) {
        # Send one mail per matching log line; keep watching if mailx fails
        unless(open(MAIL,"|/bin/mailx -s \"AltaVista intruder: mgtstate access\" $email")) {
            warn "Can't run mailx: $!\n";
            next;
        }
        if($identifier ne "") {
            print(MAIL "Ident: $identifier\n\n");
        }
        print(MAIL "$_");
        close(MAIL);
    }
}
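
Added example (not part of the original post and not the author's code): a Python sketch of the same mgtstate check that also catches percent-encoded or mixed-case spellings, which the plain /mgtstate/ match would miss, and reports whether the server actually returned the file. It assumes the access log is in Common Log Format; the sample lines, addresses and the /PLACEHOLDER/ path are constructed, not taken from a real request.

```python
import re
from urllib.parse import unquote

# Assumption: Common Log Format -> host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

def decode_fully(text, max_rounds=3):
    """Undo percent-encoding repeatedly so single and double encoding both normalise."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def check_line(line):
    """Return an alert dict if the log line references mgtstate, else None."""
    m = CLF.match(line)
    # Lines that do not parse are matched raw, so nothing is silently skipped.
    request = m.group("request") if m else line
    if "mgtstate" not in decode_fully(request).lower():
        return None
    status = int(m.group("status")) if m else None
    return {
        "host": m.group("host") if m else None,
        "time": m.group("time") if m else None,
        "status": status,
        # A 2xx status means content was returned: treat the password as exposed.
        "served": status is not None and 200 <= status < 300,
        "raw": line.rstrip("\n"),
    }

def scan(lines):
    """Collect alerts for every matching line."""
    return [alert for alert in map(check_line, lines) if alert]

# Constructed sample log lines; /PLACEHOLDER/ stands in for the real request path.
SAMPLE = [
    '192.0.2.10 - - [29/Dec/1999:21:02:11 -0500] "GET /index.html HTTP/1.0" 200 5120',
    '192.0.2.44 - - [29/Dec/1999:21:05:40 -0500] "GET /PLACEHOLDER/mgtstate HTTP/1.0" 200 312',
    '192.0.2.45 - - [29/Dec/1999:21:06:02 -0500] "GET /PLACEHOLDER/%4Dgt%73tate HTTP/1.0" 404 210',
    'garbled line mentioning MGTSTATE without CLF fields',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert["host"], alert["status"], "EXPOSED" if alert["served"] else "attempt")
```

An alert with "served" set is the case that calls for changing the admin password; the others are attempts worth tracking by source host.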