AltaVista followup and monitor script

From: Edward Glowacki (glowack2@KEY-LARGO.CL.MSU.EDU)
Date: Wed Dec 29 1999 - 20:33:22 PST


    ---------- Snippet of forwarded message ----------
    
    have a nice Y2K-BUG
    
    rudicarellat_private
    
    
    other infos:
    
    vulnerable: altavista search intranet 2.??
    type: Input Validation Error
    object: query?
    remote: yes
    vendor: altavista .. got informed ~3 month ago)
    
    ---------- End snippet ---------
    
    Thanks to rudi for the initial post earlier today.  I was able to verify
    the vulnerability in 2.0b and 2.3a (with the patch) on Digital Unix. I
    emailed AltaVista tech support shortly after reading the message to
    inquire about a patch to fix this hole, hopefully they'll get one out
    soon.  At the end of this message is a simple perl script I wrote to watch
    the log file and send a short email when someone grabs the mgtstate file.
    I can't stop intruders from getting my password, but at least I can have
    some idea that my password has escaped.
    
    --
    Edward Glowacki				glowack2at_private
    MSU AltaVista Administrator		
    Network Services
    Michigan State University	
    
    
    
    
    #!/bin/perl
    #
    # Simple perl script to watch your logfile and notify you if someone tries to
    # get at mgtstate to grab your AltaVista admin password.  Not elegant, but it
    # should work.  It will check the whole log file from the beginning and
    # continue to monitor until interrupted (probably just want to put it in
    # the background and let it go).  Tested on Digital Unix 4.0D. Use at your
    # own risk.
    #
    # usage:  watch logfile email <identifier>
    #   optional identifier to distinguish different servers if needed
    
    $logfile = "";
    $email = "";
    $identifier = "";
    
    $logfile = $ARGV[0];
    shift;
    $email = $ARGV[0];
    shift;
    $identifier = $ARGV[0];
    shift;
    
    if($logfile eq "" || $email eq "") {
        print("Need a logfile and email address, i.e.:\n");
        print("  watch httpd/logs/access_log someone\@somewhere.com\n");
        exit(1);    # missing arguments is an error, so exit non-zero
    }
    
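    # List-form open: $logfile reaches tail as a single argument, with no shell involved.
    open(ACCESS, "-|", "/bin/tail", "-f", "-c", "+0", $logfile) || die "Can't open tail of log file: $!";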
    
    while(<ACCESS>) {
        if(/mgtstate/) {
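            # List-form open: no shell parses the subject or $email.
            unless(open(MAIL, "|-", "/bin/mailx", "-s", "AltaVista intruder: mgtstate access", $email)) {
                warn "Can't run mailx: $!\n";
                next;
            }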
            if($identifier ne "") {
                print(MAIL "Ident: $identifier\n\n");
            }
            print(MAIL "$_");
            close(MAIL);
        }
    }
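
An added example, not part of the original message: the same log check written in Python so that it also matches percent-encoded or upper-case spellings of mgtstate and reports whether the server answered with a 2xx status. It assumes Common Log Format; the function names, sample addresses and request paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed format: Common Log Format -> host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

def decode_fully(text, rounds=3):
    """Percent-decode repeatedly so single and double encoding both normalise."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def mgtstate_hits(lines):
    """Return one record per log line that names mgtstate after normalisation."""
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        if "mgtstate" not in decode_fully(line).lower():
            continue
        m = CLF.match(line)
        if m:
            host, when, _request, status = m.groups()
            served = status.startswith("2")
        else:
            # Unparseable line: still report it, outcome unknown.
            host, when, served = None, None, None
        hits.append({"host": host, "time": when, "served": served, "raw": line})
    return hits

# Constructed sample lines: documentation addresses and made-up paths.
SAMPLE = [
    '192.0.2.10 - - [29/Dec/1999:19:02:11 -0800] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [29/Dec/1999:19:05:40 -0800] "GET /constructed/path/mgtstate HTTP/1.0" 200 512',
    '198.51.100.7 - - [29/Dec/1999:19:05:52 -0800] "GET /constructed/path/%6Dgtstate HTTP/1.0" 404 210',
    'truncated entry mentioning MGTSTATE with no status field',
]

if __name__ == "__main__":
    for hit in mgtstate_hits(SAMPLE):
        outcome = {True: "SERVED", False: "not served", None: "unknown"}[hit["served"]]
        print(f'{outcome}: {hit["host"]} at {hit["time"]}: {hit["raw"]}')
```

A hit with `served` set to true is the case that warrants changing the admin password, since the file was returned to the client.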
    


