A total of 1 sites probed the server

richard_chapman
Posts: 252
Joined: 2006/09/08 02:54:11


Post by richard_chapman » 2011/12/20 02:11:57

Hi... I posted to a similar thread - but it was marked as "Solved" - so I thought I should start a new thread. I don't think my problem is as described in the other thread.
From my logwatch every morning for the last month or so I get something like this:

--------------------- httpd Begin ------------------------


A total of 1 sites probed the server
122.155.6.163

A total of 3 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):

/?file=../../../../../../proc/self/environ%00 HTTP Response 200
/?mod=../../../../../../proc/self/environ%00 HTTP Response 200
/?page=../../../../../../proc/self/environ%00 HTTP Response 200
-------------------

Related lines from http access_log:

122.155.6.163 - - [19/Dec/2011:01:20:09 +0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1104 "-" ""
122.155.6.163 - - [19/Dec/2011:01:20:09 +0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1104 "-" ""
122.155.6.163 - - [19/Dec/2011:01:20:09 +0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1104 "-" ""
122.155.6.163 - - [19/Dec/2011:01:20:09 +0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 302 "-" ""

----------------
Can anyone tell me what is going on here - and how I can stop it? I have checked that mod_proxy is still disabled in httpd.conf.
Maybe I have changed something which relaxes security too much, but I haven't touched it for ages.

Thanks.

Richard.

AlanBartlett
Forum Moderator
Posts: 9345
Joined: 2007/10/22 11:30:09
Location: ~/Earth/UK/England/Suffolk

Re: A total of 1 sites probed the server

Post by AlanBartlett » 2011/12/20 03:06:41

[quote]
Hi... I posted to a similar thread - but it was marked as "Solved" - so I thought I should start a new thread.
[/quote]
An excellent choice, [b]Richard[/b]. ;-) Always start your own thread for your own problems and provide a link to any similar thread, if it looks relevant to your current issue.

The first thing to do is to investigate the probing IP address, [b]122.155.6.163[/b] --

[code]
[ajb@Duo2 ~]$ [b]whois 122.155.6.163[/b]
[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-5]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 122.155.0.0 - 122.155.15.255
netname: CAT-IDC-Service
descr: CAT TELECOM Data Comm. Dept, IDC Office
descr: ***send spam abuse to support@idc.cattelecom.com***
country: TH
[i]<snip>[/i]
[/code]
Hmm. [img]http://www.centos.toracat.org/ajb/tmp/hmmm.gif[/img] Does that [b]Thai[/b] company, an ISP, have any dealings with you? If not, it seems (to me) that one of its subscribers has "taken a fancy" to your system as a potential "cracking" target. :-x

That's as far as I can go. Perhaps one of our security minded wizards will now give you some advice.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: A total of 1 sites probed the server

Post by TrevorH » 2011/12/20 03:18:27

If I decode that log entry right, it means you should get a page if you surf to
[code]
http://127.0.0.1/?file=../../../../../../proc/self/environ%00<?php system(\"id\"); ?>
[/code]

If I try that on my system then I get a 403 log line in access_log not the 200 that you got so either I got the URL wrong or your system is returning different results to mine.

A quick google on that request tells me that it's trying to exploit a bug in Joomla - do you have that deployed on this server?

richard_chapman
Posts: 252
Joined: 2006/09/08 02:54:11

Re: A total of 1 sites probed the server

Post by richard_chapman » 2011/12/20 06:16:38

Thanks Alan and Trevor

I doubt that anyone in Thailand has any legitimate interest in my server... though I was there myself a couple of weeks back...:-)

When I browse to:
http://127.0.0.1/?file=../../../../../../proc/self/environ%00%3C?php%20system(\%22id\%22);%20?%3E

I get a blank page - but no error - so I think you are right. Something is too lax on my system.
I don't think I have Joomla installed - though I did install a few weird things when trying to get a package called surftrakr going some time back.

I seem to remember from my days with MS servers - they had settings to stop you trying to browse back past the root of the html document directory. It looks like my apache is letting someone do that - at least for reading - and that seems like something I should be worried about.

Does anyone have any idea what settings I should be looking for here?

Richard.

richard_chapman
Posts: 252
Joined: 2006/09/08 02:54:11

Re: A total of 1 sites probed the server

Post by richard_chapman » 2011/12/20 08:01:48

Actually - I just did something dumb... I used Trevor's URL including the 127.0.0.1 from another machine. When I used the correct IP address - then I got the Apache 2 test page. It still seems wrong... I would like to see it return "Forbidden" or something.

DaemonProgrammr
Posts: 78
Joined: 2011/12/12 12:49:46

Re: A total of 1 sites probed the server

Post by DaemonProgrammr » 2011/12/20 09:12:29

That could still be worse.

Wondering what the system command 'id' did again, I executed it in a terminal. Turns out it returns some interesting information about the user-account (and privileges) of (in this case) the process running the httpd.

The fact you're getting the Apache default page, means you can sleep better at night, I think.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: A total of 1 sites probed the server

Post by TrevorH » 2011/12/20 13:22:03

Do the log messages from your attempts match the ones from the other day? I too got the Apache default page when I tried but the access_log says it was a 403 not a 200 error code.

richard_chapman
Posts: 252
Joined: 2006/09/08 02:54:11

Re: A total of 1 sites probed the server

Post by richard_chapman » 2011/12/20 15:56:03

Yes. This is interesting - and worrying. Here are lines from access.log. The first 4 are someone else - and the last 3 are me. My IP is 192.168.0.166. As you say - I get "403" at least on my first line, but he (or she) got 200. Puzzling.


122.155.6.163 - - [19/Dec/2011:01:20:09 +0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1104 "-" ""
122.155.6.163 - - [19/Dec/2011:01:20:09 +0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1104 "-" ""
122.155.6.163 - - [19/Dec/2011:01:20:09 +0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1104 "-" ""
122.155.6.163 - - [19/Dec/2011:01:20:09 +0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 302 "-" ""
192.168.0.166 - - [20/Dec/2011:15:58:26 +0800] "GET /?file=../../../../../../proc/self/environ%00%3C?php%20system(\\%22id\\%22);%20?%3E HTTP/1.1" 403 5043 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"
192.168.0.166 - - [20/Dec/2011:15:58:26 +0800] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "http://192.168.0.201/?file=../../../../../../proc/self/environ%00%3C?php%20system(\\%22id\\%22);%20?%3E" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"
192.168.0.166 - - [20/Dec/2011:15:58:26 +0800] "GET /icons/powered_by_rh.png HTTP/1.1" 200 1213 "http://192.168.0.201/?file=../../../../../../proc/self/environ%00%3C?php%20system(\\%22id\\%22);%20?%3E" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7"
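As an added example (not from any of the posters), here is a small Python script that applies the same heuristic logwatch used above to access_log lines: it flags traversal, /proc/self/environ, null-byte and PHP-tag indicators and, like logwatch, counts a 2xx answer to such a request as a "possible successful probe", which is exactly the 200-versus-403 difference being compared in this thread. The sample lines are copied from this thread plus one constructed benign request; the indicator list is my own choice.

```python
import re
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Indicators of a file-inclusion / traversal probe (assumed list, modelled on the thread)
PATTERNS = {
    "traversal": re.compile(r"(?:\.\./){2,}"),
    "proc_environ": re.compile(r"/proc/self/environ", re.I),
    "null_byte": re.compile(r"\x00|%00"),
    "php_tag": re.compile(r"<\?php", re.I),
}

# Sample input: three lines taken from the thread above, plus one constructed benign request
SAMPLE_LOG = r'''122.155.6.163 - - [19/Dec/2011:01:20:09 +0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 1104 "-" ""
122.155.6.163 - - [19/Dec/2011:01:20:09 +0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 302 "-" ""
192.168.0.166 - - [20/Dec/2011:15:58:26 +0800] "GET /?file=../../../../../../proc/self/environ%00%3C?php%20system(\\%22id\\%22);%20?%3E HTTP/1.1" 403 5043 "-" "Mozilla/5.0"
192.168.0.166 - - [20/Dec/2011:15:58:26 +0800] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326 "-" "Mozilla/5.0"'''


def classify(line):
    """Return a dict describing the probe, or None if the line is not a probe."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("path")
    decoded = unquote(unquote(raw))  # double-decode so %2500 / %252e are not missed
    hits = [name for name, rx in PATTERNS.items() if rx.search(raw) or rx.search(decoded)]
    if not hits:
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "status": status,
        "indicators": hits,
        # logwatch's "possible successful probe": the server answered 2xx to a matching URL
        "possible_success": 200 <= status < 300,
    }


def summarize(log_text):
    """Group flagged requests per client, the way the logwatch httpd report does."""
    report = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            entry = report.setdefault(hit["ip"], {"probes": 0, "possible_success": 0})
            entry["probes"] += 1
            entry["possible_success"] += int(hit["possible_success"])
    return report


if __name__ == "__main__":
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {counts['probes']} probes, {counts['possible_success']} possible successes")
```

A 200 here only means the server answered the URL, not that the payload ran; whether the response body was the default page or something else is the part that still has to be checked by hand, as the posters do above.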

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: A total of 1 sites probed the server

Post by TrevorH » 2011/12/20 17:12:14

Yes, your first attempt was the closest and even that didn't quite match what the attacker used. Yours seems to have url encoded many of the characters in the php command to be run so it didn't get the same results - not sure if that's your safari browser doing that or if it's the server because we didn't get the url right.

hawaiian717
Posts: 184
Joined: 2009/01/30 19:58:25
Location: California

Re: A total of 1 sites probed the server

Post by hawaiian717 » 2011/12/20 20:43:49

I've been seeing similar things the past few days. In my case, the requests for /?file=../../../../../../proc/self/environ%00 and similar succeed as well, but all the user gets is my normal home page. On my server, the home page is a static index.html file, no PHP or anything fancy, so the arguments passed in after the ? in the URL just get ignored.

Oh, and TrevorH, it looks like richard_chapman is using Chrome, not Safari. Chrome is built on WebKit, like Safari, so it uses a similar user agent string.
