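#!/bin/sh
#
# Use this CGI script as a replacement for the phf script
# that comes with NCSA httpd.  The version of phf distributed
# with NCSA httpd 1.3 and earlier had a bug in it which would
# allow the Bad Guys to copy your /etc/passwd file.  Since people
# are still trying this, putting this script in your cgi-bin
# (rather than just removing phf) will give you warning that
# someone has tried to get your password file.
#
# This script gives the Bad Guys a bogus password file, which
# they can waste their cycles on decrypting (though it now only
# takes a few minutes on a good Pentium running Linux).
#
# Every request is appended to $LOGFILE and sent to syslog; a
# request mentioning 'passwd' is also mailed to $EMAIL and, when
# /etc/hosts.deny is writable by the web server user, the probing
# address is added to it.
#
# Environment (set by the web server for CGI programs):
#   QUERY_STRING, REMOTE_ADDR, REMOTE_HOST, SERVER_NAME
# All of these are attacker-influenced (REMOTE_HOST is whatever the
# prober's reverse DNS claims), so they are only ever expanded quoted
# and never used as a printf format or command text.
#
# (C) Copyright 1997 by Eric Myers , 7 February 1997
# Department of Physics, University of Michigan, Ann Arbor, MI
# @(#) $Id: phf,v 1.8 1999/08/05 18:25:51 myers Exp myers $
#######################################################################

# Just the path you need, nothing else
PATH=/usr/local/adm:/usr/local/bin:/usr/bin:/bin:/sbin:/usr/sbin:/bin
export PATH

###
# BEGIN CONFIGURATION:

# Who to send notices to: (if root, be sure it is forwarded to a human)
EMAIL="root@localhost"

# Where to log activity, aside from e-mail and syslog
LOGFILE=/usr/local/etc/httpd/logs/phf.log

# END CONFIGURATION.
#######################################################################

# Temp file that holds the e-mail body.  mktemp picks an unpredictable
# name and creates the file itself, so nobody can plant a symlink at a
# guessable /tmp/phf.<pid> and have the mail body written elsewhere.
# The trap removes it on every exit path.
TMP=$(mktemp /tmp/phf.XXXXXX) || exit 1
trap 'rm -f -- "$TMP"' EXIT

DATE=$(date)

# CGI response header; the empty line terminates the header block.
echo "Content-type: text/html"
echo ""

####################
# log EVERY request for cgi-bin/phf with the parameters given.
# The request data is passed to printf as an argument, never as the
# format string, so '%' or '\' sequences in it are logged verbatim.
##
{
  printf '%s %s [%s]: \n' "$DATE" "$REMOTE_HOST" "$REMOTE_ADDR"
  printf ' phf?%s \n' "$QUERY_STRING"
} >>"$LOGFILE"

##
# Check for reference to 'passwd'.  If none, just fake no phf.
# Log the attempt to syslog.
# The query string is fed to grep with printf inside a pipe rather
# than via an unquoted echo, so it is never word-split, globbed, or
# mistaken for echo options.  LOGLEVL is the label used in the mail
# subject; the matching lower-case syslog priority is given to logger.
##
if ! printf '%s\n' "$QUERY_STRING" | grep -q passwd; then
  LOGLEVL="Warning"
  logger -t phf -p auth.warning -i \
    "probe from $REMOTE_HOST [$REMOTE_ADDR]"
  cat <<'EOF'
404 Not Found

The requested URL was not found on this server.

EOF
else
  ##
  # If they mentioned 'passwd', feed them a fake one that they can grind
  # their Crack program on for a while.  The passwords spell out a secret
  # message (even the salt is the sentiment).
  # The delimiter is quoted so nothing in the bogus file is expanded.
  ##
  LOGLEVL="ALERT"
  logger -t phf -p auth.alert -i \
    "Crack attempt from $REMOTE_HOST [$REMOTE_ADDR]"
  cat <<'EOF'
root:PIwfWuC0L8jJ6:0:3:SuperUser,,,:/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nobody:*:-2:60001::/:
sven:SSUHxSb1mzUug:1000:20:Sven Thorson:/home/sven:/sbin/sh
lars:OFFZDZjXxYpMM:1001:20:Lars Swenson:/home/lars:/sbin/sh
thor:FGRpln03BYHlU:1003:20:Thor Anderson:/home/thor:/sbin/sh
anders:UY8A4..324Moc:1004:20:Anders Carlson:/home/anders:/sbin/sh
EOF
fi

#####################
# Send e-mail warning of the incident
##
cat <<EOF >"$TMP"
To: $EMAIL
From: www@$SERVER_NAME
Subject: ${LOGLEVL}: phf: hackers are probing the web server

Someone has probed the web server at $SERVER_NAME, attempting
to use the 'phf' bug.  This occured on ${DATE}

The command used was:

   phf?${QUERY_STRING}

The request came from $REMOTE_HOST [$REMOTE_ADDR]

Fingering that machine at $(date) produces:

$(safe_finger "@$REMOTE_ADDR")

EOF

############
# Add this host to /etc/hosts.deny if possible, otherwise suggest it.
# Note that a hosts.deny writable by the web server user can be edited
# by any other CGI bug too; the default (not writable) only mails advice.
##
if [ -w /etc/hosts.deny ]; then
  if [ -n "$REMOTE_ADDR" ] && grep -q -F -- "$REMOTE_ADDR" /etc/hosts.deny; then
    # Already present (substring match is enough to avoid piling up
    # duplicate rules); do not append it again.
    DENY_NOTE="This host was already listed in the /etc/hosts.deny file."
  elif [ -n "$REMOTE_ADDR" ]; then
    # Only the address becomes a rule.  REMOTE_HOST is the prober's
    # own reverse DNS, so it is not safe to turn into a tcp_wrappers
    # pattern; it is kept in the comment line, reduced to hostname
    # characters so it cannot break the file's line structure.
    SAFE_HOST=$(printf '%s' "$REMOTE_HOST" | tr -cd 'A-Za-z0-9.-')
    {
      printf '# %s - phf from %s\n' "$DATE" "$SAFE_HOST"
      printf 'ALL: %s\n' "$REMOTE_ADDR"
    } >>/etc/hosts.deny
    DENY_NOTE="This host has been added to the /etc/hosts.deny file."
  else
    # An empty REMOTE_ADDR would produce a rule with no client list.
    DENY_NOTE="No remote address was supplied, so /etc/hosts.deny was left alone."
  fi
else
  DENY_NOTE="You may want to add this host to either /etc/hosts.deny
or to /usr/local/etc/httpd/conf/access_conf as you see fit."
fi

cat <<EOF >>"$TMP"
$DENY_NOTE

 - The phf script
EOF

sendmail "$EMAIL" <"$TMP"
# $TMP is removed by the EXIT trap.
exit 0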