A total of 1 sites probed the server

Support for security such as Firewalls and securing linux
hawaiian717
Posts: 184
Joined: 2009/01/30 19:58:25
Location: California

Re: A total of 1 sites probed the server

Post by hawaiian717 » 2011/12/20 20:43:49

I've been seeing similar things the past few days. In my case, the requests for /?file=../../../../../../proc/self/environ%00 and similar succeed as well, but all the user gets is my normal home page. On my server, the home page is a static index.html file, no PHP or anything fancy, so the arguments passed in after the ? in the URL just get ignored.

Oh, and TrevorH, it looks like richard_chapman is using Chrome, not Safari. Chrome is built on WebKit, like Safari, so it uses a similar user agent string.

richard_chapman
Posts: 252
Joined: 2006/09/08 02:54:11

Re: A total of 1 sites probed the server

Post by richard_chapman » 2011/12/21 08:41:12

OK. Here is a bit more information. The following 4 lines from access.log seem to result from one attempt to use Trevor's URL using Chrome - and one attempt to use the same URL using Firefox. I think the first 2 lines are due to a single attempt from Chrome - and the latter 2 lines from a single attempt using Firefox. If I read them correctly - Chrome got a "403" and Firefox got a "200" - but both displayed the Apache default page. It appears that the hackers are using something more like Firefox - but with a bit of luck - all they are seeing is the Apache default page - which probably won't help them much....


192.168.0.166 - - [21/Dec/2011:16:29:51 +0800] "GET /?file=../../../../../../proc/self/environ%00%3C?php%20system(\\%22id\\%22);%20?%3E HTTP/1.1" 403 5043 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"
192.168.0.166 - - [21/Dec/2011:16:32:23 +0800] "GET /?file=../../../../../../proc/self/environ%00%3C?php%20system(\\%22id\\%22);%20?%3E HTTP/1.1" 403 5043 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
192.168.0.166 - - [21/Dec/2011:16:32:23 +0800] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://192.168.0.201/?file=../../../../../../proc/self/environ%00%3C?php%20system(\\%22id\\%22);%20?%3E" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
192.168.0.166 - - [21/Dec/2011:16:32:23 +0800] "GET /icons/powered_by_rh.png HTTP/1.1" 200 1213 "http://192.168.0.201/?file=../../../../../../proc/self/environ%00%3C?php%20system(\\%22id\\%22);%20?%3E" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
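
A defender-side way to pick these probes out of access.log, added here as an example (it is not code from any poster in this thread): a small Python scanner that parses Apache combined-format lines, URL-decodes the request target and the referer, and tags anything carrying directory traversal, a %00 null byte, a /proc/self/environ reference or an embedded PHP tag. The sample log lines and the 192.0.2.x addresses are constructed to resemble the ones posted above, not copied from them. It also counts hits per source IP and per status code, since the thread shows the response code alone does not tell you whether the payload reached anything.

```python
"""Flag LFI / web-shell probes in Apache combined-format access logs.

Added example for the forum thread, not code from any poster. The sample
lines below are constructed; source addresses are from TEST-NET-1 (192.0.2.0/24).
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns checked against the *decoded* request target and referer.
INDICATORS = {
    "traversal": re.compile(r"\.\.[/\\]"),             # ../ or ..\
    "null_byte": re.compile(r"\x00"),                   # %00 path-truncation trick
    "proc_environ": re.compile(r"/proc/self/environ"),  # classic LFI read target
    "php_tag": re.compile(r"<\?php", re.IGNORECASE),    # PHP payload smuggled in the URL
}


def decode_target(raw, max_rounds=3):
    """URL-decode repeatedly so double-encoded probes (e.g. %252e%252e) are caught too."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """List 'field:indicator' tags found in the request path and in the referer.

    The referer matters: the follow-up fetches of /icons/*.gif in the thread carry
    the payload only there, so a path-only check would miss them.
    """
    tags = []
    for field in ("path", "referer"):
        decoded = decode_target(entry[field])
        for name, pattern in INDICATORS.items():
            if pattern.search(decoded):
                tags.append(f"{field}:{name}")
    return tags


def scan(lines):
    """Return one finding per log line that carries at least one indicator.

    The status code is recorded but not used to filter: in the thread the same probe
    was reported with a 403 and with a 200 while the browser showed the default page
    either way, so the code alone says nothing about whether a script ran.
    """
    findings = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append({"ip": entry["ip"], "ts": entry["ts"], "status": entry["status"],
                             "path": entry["path"], "indicators": tags})
    return findings


def summarize(findings):
    """Count flagged requests per source IP and per response status."""
    return Counter(f["ip"] for f in findings), Counter(f["status"] for f in findings)


# Constructed sample, shaped like the lines posted in the thread (not copied from it).
SAMPLE_LOG = r"""
192.0.2.10 - - [21/Dec/2011:16:29:51 +0800] "GET /?file=../../../../../../proc/self/environ%00%3C?php%20system(%22id%22);%20?%3E HTTP/1.1" 403 5043 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"
192.0.2.10 - - [21/Dec/2011:16:32:23 +0800] "GET /?file=../../../../../../proc/self/environ%00%3C?php%20system(%22id%22);%20?%3E HTTP/1.1" 200 5043 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
192.0.2.10 - - [21/Dec/2011:16:32:23 +0800] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://192.0.2.20/?file=../../../../../../proc/self/environ%00%3C?php%20system(%22id%22);%20?%3E" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
192.0.2.11 - - [21/Dec/2011:16:40:00 +0800] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f["ip"], f["status"], f["path"][:50], ",".join(f["indicators"]))
    per_ip, per_status = summarize(found)
    print("per IP:", dict(per_ip))
    print("per status:", dict(per_status))
```

Run it against a real log with `scan(open("/var/log/httpd/access_log").read().splitlines())`; the per-IP counter gives you the list worth feeding to a firewall or fail2ban-style block, and the indicator tags tell you which probe family each source is running.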

lolosland
Posts: 1
Joined: 2011/12/21 08:19:06

Re: A total of 1 sites probed the server

Post by lolosland » 2011/12/21 08:47:47

Hi,

Your case looks a lot like the spreading attacks on the net that have started these last months.
Almost every server will have this kind of logs,

their purpose is to get in, upload the script that has the possibility to control your server (and upload those ugly one-site pages hacked by blablabla).
These holes are mostly found in poorly coded Joomla components, outdated Joomla, and other CMSs.
phpAlbum and WordPress TimThumb also got great interest.

I suggest, if you have Joomla, to start upgrading everything to the latest version; anything you don't have,
delete it.
Upgrade every script you have to the latest version.

!!!!The next steps should be done only if you know what you are doing.!!!!

Here you have 2 options
- http://www.modsecurity.org/
- G5 htaccess firewall (google it)

These steps vary with the kind of server you have; if you are on a shared one, try the G5 first
(attention: the best practice for this one is to read your logs and alter the htaccess to protect your sites)
beside the ones that are in the G5.

Hope this info spares some days of backing up data files and restoring them due to attacks.
Namaste :)

DaemonProgrammr
Posts: 78
Joined: 2011/12/12 12:49:46

Re: A total of 1 sites probed the server

Post by DaemonProgrammr » 2011/12/22 09:26:30

Concerning the Apache default page vs. 403 - Forbidden page.

This is a stretch but it wouldn't surprise me:
Pages like '404' and '403' are in fact pages on the server right? Apache sends them in case you do something wrong.

When you have no index.htm / php in your root directory, by default you see the Apache default page. This is probably because Apache realises there's nothing to show, so it might just as well show the fact it's an Apache machine. (error 'gracefully'.)

My guess: the route to the file that the request is trying to make fails, Apache realises it's a '403 - forbidden', tries to show so but fails because it's thrown off course by the backstep. It then has no files to show and shows the default Apache page.

All in all not the worst scenario one can think of.

richard_chapman
Posts: 252
Joined: 2006/09/08 02:54:11

Re: A total of 1 sites probed the server

Post by richard_chapman » 2011/12/23 04:18:52

The logwatch messages seem to have stopped in the last couple of days - on two servers.
I guess the hacker(s) must have given up at least in the short term.
