LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-20-2011, 08:59 AM   #46
ZS-
LQ Newbie
 
Registered: Jan 2011
Posts: 21

Original Poster
Rep: Reputation: 7

A lot of that 1024 is Spiders (Wise-Guys.nl take up about 400 lines of that)

But amongst it all are lines such as...

1 186.200.12.15 - - [15/Jan/2011:04:26:01 +0000] "GET /forums/./././././././././viewtopic.php?f=5&p=683&sid=f9e393b9566d418e00000853480ba0a2 HTTP/1.0" 200 13987 "http://dhos.domain.com/forums/./././././././././viewtopic.php?f=5&p=683&sid=f9e393b9566d418e00000853480ba0a2" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 2000) Opera 6.0 [en]"

That looks odd to me: it looks like phpBB URLs, but malformed... and I do not see this behaviour on any other phpBB site hosted on the server. Is it normal, do you think, or worth further investigation?
 
Old 01-20-2011, 09:55 AM   #47
120
Member
 
Registered: Oct 2010
Posts: 46

Rep: Reputation: 9
That kinda looks like a directory traversal attack of sorts. What does stand out is it got a 200 for it, suggesting that whatever it was doing was successful. It could be a typical attack that has been 'caught' and served a default page, or it could be nefarious. The acid test: what happens if *you* try the same HTTP request by hand?

Last edited by 120; 01-20-2011 at 09:56 AM.
 
Old 01-20-2011, 11:10 AM   #48
Nominal Animal
Senior Member
 
Registered: Dec 2010
Location: Finland
Distribution: Xubuntu, CentOS, LFS
Posts: 1,723
Blog Entries: 3

Rep: Reputation: 947
Quote:
Originally Posted by ZS-
"GET /forums/./././././././././viewtopic.php?f=5&p=683&sid=f9e393b9566d418e00000853480ba0a2 HTTP/1.0" 200 13987
The /forums/./././././././././viewtopic.php is interpreted as /forums/viewtopic.php because . means "the current directory". Therefore this one at least was inert.

It may be a harmless bug in the viewtopic.php script itself (if a link in the page pointing to the same page adds superfluous ./'s), but I'd say it is more likely somebody trying path tricks directly in a browser (and failing), then clicking the link to the same page once in frustration. In that case there'd also be failed URLs with dot-slash garbage in the error log from the same IP just before this one, but none after in either.

You should check that the /forums/viewtopic.php file is the same as upstream, though.

If the URLs contain any /../, look at them more carefully; that is interpreted as "the parent directory". Usually, a/b/../c is interpreted as a/c but Apache does normally validate the access to each directory along the way - and does check that access to a/b is allowed before allowing a/b/../.

You can pretty much eliminate path-related trickery if you use mod_rewrite and this configuration in each virtual host:
Code:
RewriteEngine on
# Collapse runs of dots, runs of slashes, and the pairs "./" and "/."
# anywhere in the path. [N] restarts the rule set after each rewrite,
# so these loop until the path is clean.
RewriteRule   ^(.*)\.\.+(.*)$ $1.$2 [E=redirect:y,N]
RewriteRule   ^(.*)//+(.*)$   $1/$2 [E=redirect:y,N]
RewriteRule   ^(.*)\./(.*)$   $1/$2 [E=redirect:y,N]
# Note: this one also strips the dot from names such as /.hidden
RewriteRule   ^(.*)/\.(.*)$   $1/$2 [E=redirect:y,N]
# Optional: append a slash when the last path component has no dot
# RewriteRule ^(.*/[^/.]+)$   $1/   [E=redirect:y]
# Make sure the path starts with exactly one slash
RewriteRule   ^([^/].*)$      /$1   [E=redirect:y]
RewriteRule   ^//+(.*)$       /$1   [E=redirect:y]
# If anything above changed the path, send the client to the clean URL
RewriteCond   %{ENV:redirect} y
RewriteRule   ^(.*)$          $1    [R,L]
This will make sure the requested URL starts with exactly one slash, does not contain a dot and a slash next to each other, nor more than one dot or slash in a row. The commented line appends a slash if the file part does not contain a dot. (It is useful if all files in your web pages have a dot in their filename. Then you can use this instead of DirectorySlash On)
If this changes the request URL at all, the user is redirected to the new URL. Your PHP, Perl and CGI scripts will never receive any of that path trickery.
This only affects the path part of the request URL, not the query or any POST data, so it is not a guaranteed shield; it just makes the typical path attacks always fail.
Nominal Animal

Last edited by Nominal Animal; 03-21-2011 at 06:11 AM.
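The path normalisation described in this post, and the log line quoted from post #46, can be worked through offline. The following is an added example, not code from this thread or from Apache: it re-implements the rewrite rule set above in Python (same regular expressions, same order, with the [N] restart simulated as a loop), parses combined-format log lines, and reports which logged paths would have been rewritten and which contain ".." segments that would climb above the document root. The function names, the 192.0.2.x addresses and the sample log lines are constructed for the example; the first sample path mirrors the one quoted in the thread.

```python
"""Audit Apache combined-log requests for dot/slash path trickery.

Added example (not from the thread or from Apache). The rewrite rules
are reproduced from the mod_rewrite block above; everything else is an
assumption made for this illustration.
"""
import re

# Same patterns and order as the RewriteRule block (minus the commented
# one). The [N] flag is simulated in normalize_path(): after any
# substitution the loop restarts from the first rule.
_REWRITE_RULES = [
    (re.compile(r'^(.*)\.\.+(.*)$'), r'\1.\2'),   # "..."  -> "."
    (re.compile(r'^(.*)//+(.*)$'),   r'\1/\2'),   # "//"   -> "/"
    (re.compile(r'^(.*)\./(.*)$'),   r'\1/\2'),   # "./"   -> "/"
    (re.compile(r'^(.*)/\.(.*)$'),   r'\1/\2'),   # "/."   -> "/"
]
_LEADING_RULES = [
    (re.compile(r'^([^/].*)$'),      r'/\1'),     # ensure a leading slash
    (re.compile(r'^//+(.*)$'),       r'/\1'),     # collapse leading slashes
]


def normalize_path(path):
    """Return the path as the rewrite rules would leave it."""
    changed = True
    while changed:                      # [N]: restart after every rewrite
        changed = False
        for pattern, repl in _REWRITE_RULES:
            new = pattern.sub(repl, path, count=1)
            if new != path:             # every rule shortens the string,
                path, changed = new, True   # so this loop terminates
                break
    for pattern, repl in _LEADING_RULES:
        path = pattern.sub(repl, path, count=1)
    return path


def climbs_above_root(path):
    """True if the '..' segments in path would resolve above the root."""
    depth = 0
    for seg in path.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != '.':
            depth += 1
    return False


# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def audit_line(line):
    """Parse one log line and describe what its request path does."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    path = m.group('target').split('?', 1)[0]   # rules touch only the path
    clean = normalize_path(path)
    return {
        'ip': m.group('ip'),
        'status': int(m.group('status')),
        'path': path,
        'normalized': clean,
        'rewritten': clean != path,             # would have caused a redirect
        'traversal': climbs_above_root(path),
    }


def audit(lines):
    """Return findings for every line whose path contained trickery."""
    findings = []
    for line in lines:
        result = audit_line(line)
        if result and (result['rewritten'] or result['traversal']):
            findings.append(result)
    return findings


# Constructed sample log lines (documentation-range addresses); the first
# path is the one quoted in the thread, the second a parent-directory probe.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jan/2011:04:26:01 +0000] "GET /forums/./././././././././viewtopic.php?f=5&p=683 HTTP/1.0" 200 13987 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [15/Jan/2011:04:25:40 +0000] "GET /forums/../../../etc/passwd HTTP/1.0" 404 286 "-" "Mozilla/4.0"',
    '192.0.2.20 - - [15/Jan/2011:04:30:12 +0000] "GET /forums/viewtopic.php?f=5&p=683 HTTP/1.1" 200 13987 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in audit(SAMPLE_LOG):
        note = '  (climbs above root)' if hit['traversal'] else ''
        print(f"{hit['ip']} {hit['status']} {hit['path']} -> {hit['normalized']}{note}")
```

Run it over a real access log with `audit(open('access_log').readlines())` to get the same per-request verdicts; grouping the findings by IP reproduces the check suggested in the post, namely whether the same client also left failed dot-slash requests just before the 200.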
 
Old 01-30-2011, 07:27 AM   #49
ZS-
LQ Newbie
 
Registered: Jan 2011
Posts: 21

Original Poster
Rep: Reputation: 7
I didn't get much meaningful stuff out of the last command... but I did write a quick script:

Code:
#!/bin/sh
# Snapshot of server state, written to /root/trouble.log on each cron run
/bin/echo `date`  > /root/trouble.log
/usr/bin/tail -50 /var/log/messages >> /root/trouble.log
/bin/echo  "--------------------------" >> /root/trouble.log
# httpd processes ([h]ttpd keeps grep from matching its own command line)
/bin/ps -elf | /bin/grep '[h]ttpd' >> /root/trouble.log
/bin/echo  "--------------------------" >> /root/trouble.log
/usr/bin/w >> /root/trouble.log
/bin/echo  "--------------------------" >> /root/trouble.log
# files under /var/www held open by the daemon user, log files excluded
# (the dot is escaped so that "-v .log" does not also drop names like "catalog")
/usr/sbin/lsof | /bin/grep daemon | /bin/grep -v '\.log' | /bin/grep /var/www >> /root/trouble.log
/bin/echo  "--------------------------" >> /root/trouble.log
Then I set it in my cron to run every 30 mins...

Hopefully that will send some debug info to me every half an hour... and if the attack starts again I *should* be able to see which script is running at the time (lsof)

Will update as and when I can

Thanks again for helping guys!