LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-02-2009, 05:59 AM   #16
voltron81
LQ Newbie
 
Registered: Sep 2009
Posts: 22


Hi unSpawn,
This morning, reading /var/log/httpd/access_log and error_log, I think I discovered what happened.
Have a look please:
Code:
file: /var/log/httpd/error_log


[Fri Sep 25 18:04:06 2009] [error] [client 62.140.22.106] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Fri Sep 25 19:57:56 2009] [error] [client 61.160.212.242] Directory index forbidden by Options directive: /var/www/html/
[Fri Sep 25 20:10:34 2009] [error] [client 87.98.136.101] File does not exist: /var/www/html/rc
[Fri Sep 25 20:10:34 2009] [error] [client 87.98.136.101] File does not exist: /var/www/html/mss2
[Fri Sep 25 20:10:34 2009] [error] [client 87.98.136.101] File does not exist: /var/www/html/mail
[Fri Sep 25 20:10:34 2009] [error] [client 87.98.136.101] File does not exist: /var/www/html/roundcubemail
[Fri Sep 25 20:10:34 2009] [error] [client 87.98.136.101] File does not exist: /var/www/html/rms
[Fri Sep 25 20:10:35 2009] [error] [client 87.98.136.101] File does not exist: /var/www/html/webmail2
--20:10:42--  http://www.freewebtown.com/ratp/dc.txt
Resolving www.freewebtown.com... 208.75.230.43
Connecting to www.freewebtown.com|208.75.230.43|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1831 (1.8K) [text/plain]
Saving to: `dc.txt'

     0K .                                                     100% 13.9M=0s

20:10:43 (13.9 MB/s) - `dc.txt' saved [1831/1831]

[Sat Sep 26 23:55:42 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Sep 26 23:55:42 2009] [notice] Digest: generating secret for digest authentication ...
[Sat Sep 26 23:55:42 2009] [notice] Digest: done
[Sat Sep 26 23:55:44 2009] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
[Sun Sep 27 11:45:49 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 27 11:45:49 2009] [notice] Digest: generating secret for digest authentication ...
[Sun Sep 27 11:45:49 2009] [notice] Digest: done
[Sun Sep 27 11:45:51 2009] [notice] Apache/2.2.3 (Red Hat) configured -- resuming normal operations
Code:
file: /var/log/httpd/access_log


62.140.22.106 - - [25/Sep/2009:18:04:06 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 324 "-" "-"
61.160.212.242 - - [25/Sep/2009:19:57:56 +0100] "GET http://202.108.33.62/ HTTP/1.1" 403 5043 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
87.98.136.101 - - [25/Sep/2009:20:10:34 +0100] "POST /rc/bin/html2text.php\r HTTP/1.0" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
87.98.136.101 - - [25/Sep/2009:20:10:34 +0100] "POST /mss2/bin/html2text.php\r HTTP/1.0" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
87.98.136.101 - - [25/Sep/2009:20:10:34 +0100] "POST /mail/bin/html2text.php\r HTTP/1.0" 404 299 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
87.98.136.101 - - [25/Sep/2009:20:10:34 +0100] "POST /roundcubemail/bin/html2text.php\r HTTP/1.0" 404 308 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
87.98.136.101 - - [25/Sep/2009:20:10:34 +0100] "POST /roundcube/bin/html2text.php\r HTTP/1.0" 403 29 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
87.98.136.101 - - [25/Sep/2009:20:10:34 +0100] "POST /rms/bin/html2text.php\r HTTP/1.0" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
87.98.136.101 - - [25/Sep/2009:20:10:35 +0100] "POST /webmail2/bin/html2text.php\r HTTP/1.0" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
87.98.136.101 - - [25/Sep/2009:20:10:35 +0100] "POST /webmail/bin/html2text.php\r HTTP/1.0" 200 123 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2)"
It looks like this French guy was scanning the Apache folder, and I think he entered via /var/www/html/webmail, which is where I've installed the old version of roundcube (I was wrong: this version of roundcube was v.0.1-rc1 instead of v.2).
So there was a bug in this old version of roundcube, but I think there was also an incorrect configuration of apache/PHP, because this guy entered the system and downloaded a script without problem...

What do you think?
Thanks
Michele
 
Old 10-03-2009, 08:16 AM   #17
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Quote:
Originally Posted by voltron81
This morning, reading /var/log/httpd/access_log and error_log, I think I discovered what happened.
Code:
Length: 1831 (1.8K) [text/plain]
Saving to: `dc.txt'

     0K .                                                     100% 13.9M=0s

20:10:43 (13.9 MB/s) - `dc.txt' saved [1831/1831]
This is plain 'wget' output showing file upload allowing the cracker shell access under the UID the webserver runs as. Having tool output in webserver access or error logs is never good. (http://www.linuxquestions.org/blog/u...-malarky-2308/)


Quote:
Originally Posted by voltron81
It looks like this French guy was scanning the Apache folder, and I think he entered via /var/www/html/webmail, which is where I've installed the old version of roundcube (I was wrong: this version of roundcube was v.0.1-rc1 instead of v.2). So there was a bug in this old version of roundcube, but I think there was also an incorrect configuration of apache/PHP, because this guy entered the system and downloaded a script without problem...
- This is not an issue with the webserver itself unless you mean configuring access restrictions and mod_security, mod_evasive.
- Part of the flaw may be with certain versions of PHP itself (see the links posted previously) and configuration (in terms of allowing remote URI's to be opened).
- Part of the flaw is with the web application.
That said the most obvious mistakes almost always are human ones: installing vulnerable software versions, not updating, no restrictions, not reading logs. Don't take this as criticism you should try and defend against but instead as an impulse to improve things.
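The two posts above describe the same incident from two angles: voltron81's access_log shows one client POSTing to a series of guessed webmail paths, getting 404/403 on all but the last, and a 200 on /webmail/bin/html2text.php; unSpawn points out that the wget transcript in error_log is not something Apache writes, so a process spawned by the web server wrote it. Here is an added example (not code from the thread) of a small Python checker for both symptoms. The sample log lines are constructed, modelled on the posted ones with documentation-range addresses, and the thresholds (at least three distinct misses inside sixty seconds) are assumptions to tune.

```python
"""Added example (not from the thread): check Apache logs for the two
symptoms in post #16, a path-guessing scan that finally gets a 2xx, and
non-Apache output in error_log.  All sample lines are constructed, modelled
on the posted ones, using documentation-range addresses."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access log format; the request line may hold the literal
# \r that Apache escapes into the log, as in the posted lines.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Every line Apache 2.2 itself writes to error_log starts "[date] [level]".
ERROR_RE = re.compile(r'^\[\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\] \[\w+\]')

ACCESS_SAMPLE = [  # constructed sample, not a real server's log
    r'192.0.2.10 - - [25/Sep/2009:20:10:34 +0100] "POST /rc/bin/html2text.php\r HTTP/1.0" 404 297 "-" "Mozilla/4.0"',
    r'192.0.2.10 - - [25/Sep/2009:20:10:34 +0100] "POST /mail/bin/html2text.php\r HTTP/1.0" 404 299 "-" "Mozilla/4.0"',
    r'192.0.2.10 - - [25/Sep/2009:20:10:34 +0100] "POST /roundcube/bin/html2text.php\r HTTP/1.0" 403 29 "-" "Mozilla/4.0"',
    r'192.0.2.10 - - [25/Sep/2009:20:10:35 +0100] "POST /webmail/bin/html2text.php\r HTTP/1.0" 200 123 "-" "Mozilla/4.0"',
    r'198.51.100.7 - - [25/Sep/2009:18:04:06 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 324 "-" "-"',
    r'203.0.113.5 - - [25/Sep/2009:21:00:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.19"',
]
ERROR_SAMPLE = [  # constructed sample
    "[Fri Sep 25 20:10:34 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/rc",
    "[Fri Sep 25 20:10:35 2009] [error] [client 192.0.2.10] File does not exist: /var/www/html/webmail2",
    "--20:10:42--  http://example.invalid/dc.txt",
    "Resolving example.invalid... 203.0.113.99",
    "HTTP request sent, awaiting response... 200 OK",
    "20:10:43 (13.9 MB/s) - `dc.txt' saved [1831/1831]",
    "",
    "[Sat Sep 26 23:55:42 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)",
]


def parse_access(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = d["req"].split()
    d["method"] = parts[0] if parts else ""
    # Drop the escaped "\r" that Apache appends when the client sent a bare CR.
    d["path"] = re.sub(r'\\r$', '', parts[1]) if len(parts) > 1 else ""
    d["status"] = int(d["status"])
    return d


def find_probe_then_hit(lines, min_misses=3, window_s=60):
    """Per client IP, find a run of 404/403 responses to at least min_misses
    distinct paths within window_s seconds that ends in a 2xx: a guessing
    scan that found something.  Returns {ip: (miss count, path that hit)}."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_access(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        misses = []
        for r in recs:
            if r["status"] in (403, 404):
                misses.append(r)
            elif 200 <= r["status"] < 300 and misses:
                span = (r["ts"] - misses[0]["ts"]).total_seconds()
                if len({m["path"] for m in misses}) >= min_misses and span <= window_s:
                    hits[ip] = (len(misses), r["path"])
                misses = []
            else:
                misses = []
    return hits


def foreign_error_lines(lines):
    """Non-empty error_log lines that Apache did not write itself.  Anything
    without the "[date] [level]" prefix is stderr from a process the web
    server spawned, which is exactly the wget transcript in post #16."""
    return [l for l in lines if l.strip() and not ERROR_RE.match(l)]


if __name__ == "__main__":
    for ip, (misses, path) in find_probe_then_hit(ACCESS_SAMPLE).items():
        print(f"{ip}: {misses} misses, then 2xx on {path}")
    for line in foreign_error_lines(ERROR_SAMPLE):
        print("non-Apache line in error_log:", line)
```

On a real host you would feed the two functions the lines of /var/log/httpd/access_log and error_log; the scan detector keys on the shape of the traffic (a burst of misses followed by a hit) rather than on any particular path name, so it also catches guessing runs against software other than Roundcube, and the error_log check needs no signature at all.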
 
Old 10-15-2009, 07:07 AM   #18
Fredde87
Member
 
Registered: Aug 2005
Posts: 158

Original Poster
Quote:
Originally Posted by unSpawn
This is plain 'wget' output showing file upload allowing the cracker shell access under the UID the webserver runs as. Having tool output in webserver access or error logs is never good. (http://www.linuxquestions.org/blog/u...-malarky-2308/)



- This is not an issue with the webserver itself unless you mean configuring access restrictions and mod_security, mod_evasive.
- Part of the flaw may be with certain versions of PHP itself (see the links posted previously) and configuration (in terms of allowing remote URI's to be opened).
- Part of the flaw is with the web application.
That said the most obvious mistakes almost always are human ones: installing vulnerable software versions, not updating, no restrictions, not reading logs. Don't take this as criticism you should try and defend against but instead as an impulse to improve things.
Hi unSpawn, sorry for the delay in getting back to you. This one had to be put on hold for a little while whilst other things came up.

I believe my colleague does mean it is an issue with the web server, as it is not set up correctly. I guess I am guilty of assuming that by default PHP scripts or any other script in Apache are not allowed to run system tools like wget. I would have assumed that Apache runs in a chroot environment of some sort.

I will look into proper restrictions in apache and make sure this does not happen again.

Thank you very much for your help. Are you involved in any open source projects which accept donations?
 
Old 10-15-2009, 11:48 AM   #19
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Quote:
Originally Posted by Fredde87
I will look into proper restrictions in apache(..)
Roundcube related problems that are part of a problematic PHP setup should be dealt with by upgrading and hardening (php.ini, Suhosin?) PHP. Roundcube vulns themselves could be dealt with by updating when updates are released. Tool abuse can be combatted by using the right mod_security rules (, a new SELinux policy may use this to allow for constraining web application stack applications further, and) other malarky can be detected by regularly reading (Logwatch) reports. In and outbound traffic can be filtered for and limited ("-m recent"?). What I'm saying is that it's not just an Apache thing...


Quote:
Originally Posted by Fredde87
Thank you very much for your help. Are you involved in any open source projects which accept donations?
You're welcome. By asking questions you receive help free of cost. This Q&A will also benefit future LQ readers. You're more than welcome to stay at LQ and share your own knowledge to help others. In terms of reciprocity (as I perceive it) that'll do.

I do some OSS, the main focus being Rootkit Hunter (we're close to release 1.3.6). RKH does accept donations in the form of: helping out others on the rkhunter-users mailing list, venting ideas, sending in patches, adding tickets to our bug tracker, translations, documentation and such.
If that's not your thing and you would like to express your gratitude in cash I'd very much appreciate if you would like to apply for a LQ membership here: http://www.linuxquestions.org/linux/member.html or a donation here: http://www.linuxquestions.org/linux/donation.html but that's entirely your choice and NP if you don't want to, OK?

Last edited by unSpawn; 10-15-2009 at 03:53 PM. Reason: //more *is* more...
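unSpawn's list spans several layers (php.ini, mod_security, SELinux, Logwatch, iptables "-m recent"); the php.ini layer is the one that answers Fredde87's assumption directly, because a PHP script can only run a tool like wget if the shell-spawning functions are still callable, and nothing disables them unless php.ini does. Here is an added example (not code from the thread, from Roundcube or from PHP) of a Python audit that reads a php.ini and reports which of a handful of directives are still at a permissive value, with a constructed weak configuration beside a hardened one. The set of directives checked and the list of functions to disable are assumptions: which functions your web applications actually need varies, so test before rolling the hardened file out.

```python
"""Added example (not from the thread): audit a php.ini against a small
hardening policy.  The directive names are real php.ini directives; the
choice of which to check, and the function list, are this example's own."""

OFF_VALUES = {"off", "0", "", "false", "no"}

# Functions that hand a PHP script a shell; a script abused this way is how
# the wget transcript in post #16 ended up in error_log.  Constructed list.
SHELL_FUNCS = {"exec", "shell_exec", "system", "passthru", "popen", "proc_open"}


def _is_off(value):
    return value.strip().strip('"').lower() in OFF_VALUES


def _shell_funcs_disabled(value):
    return SHELL_FUNCS <= {f.strip() for f in value.split(",")}


# directive -> (predicate that means "hardened", why the weak value matters)
POLICY = {
    "allow_url_fopen": (_is_off, "file functions will fetch remote URLs"),
    "allow_url_include": (_is_off, "include()/require() will load remote code"),
    "display_errors": (_is_off, "errors leak paths and versions to clients"),
    "expose_php": (_is_off, "X-Powered-By header announces the PHP version"),
    "disable_functions": (_shell_funcs_disabled, "shell-spawning functions are callable"),
}

WEAK_INI = """\
[PHP]
; constructed sample modelled on a permissive php.ini
engine = On
allow_url_fopen = On
expose_php = On
display_errors = On
disable_functions =
"""

HARDENED_INI = """\
[PHP]
; constructed sample: the same file after hardening
engine = On
allow_url_fopen = Off
allow_url_include = Off
expose_php = Off
display_errors = Off
log_errors = On
disable_functions = exec,shell_exec,system,passthru,popen,proc_open
"""


def parse_php_ini(text):
    """Minimal php.ini reader: drops ';' comments and [section] headers and
    returns {directive: value}; a later assignment overrides an earlier one,
    as it does in PHP."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit(text):
    """Return {directive: (current value, why it matters)} for every policy
    directive that is missing or weak.  Missing directives are reported too,
    so the effective built-in default gets confirmed rather than assumed."""
    settings = parse_php_ini(text)
    findings = {}
    for directive, (hardened, why) in POLICY.items():
        value = settings.get(directive)
        if value is None:
            findings[directive] = ("<not set>", why)
        elif not hardened(value):
            findings[directive] = (value, why)
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: {len(audit(ini))} finding(s)")
        for directive, (value, why) in audit(ini).items():
            print(f"  {directive} = {value!r}: {why}")
```

Run it against the php.ini Apache actually loads (the path shown by `php -i`), and keep in mind that disable_functions only constrains PHP: a web application that is itself exploitable still needs the update unSpawn mentions, and the mod_security, Logwatch and iptables layers catch what php.ini cannot.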
 
Old 10-16-2009, 09:12 AM   #20
Fredde87
Member
 
Registered: Aug 2005
Posts: 158

Original Poster
Quote:
Originally Posted by unSpawn
Roundcube related problems that are part of a problematic PHP setup should be dealt with by upgrading and hardening (php.ini, Suhosin?) PHP. Roundcube vulns themselves could be dealt with by updating when updates are released. Tool abuse can be combatted by using the right mod_security rules (, a new SELinux policy may use this to allow for constraining web application stack applications further, and) other malarky can be detected by regularly reading (Logwatch) reports. In and outbound traffic can be filtered for and limited ("-m recent"?). What I'm saying is that it's not just an Apache thing...



You're welcome. By asking questions you receive help free of cost. This Q&A will also benefit future LQ readers. You're more than welcome to stay at LQ and share your own knowledge to help others. In terms of reciprocity (as I perceive it) that'll do.

I do some OSS, the main focus being Rootkit Hunter (we're close to release 1.3.6). RKH does accept donations in the form of: helping out others on the rkhunter-users mailing list, venting ideas, sending in patches, adding tickets to our bug tracker, translations, documentation and such.
If that's not your thing and you would like to express your gratitude in cash I'd very much appreciate if you would like to apply for a LQ membership here: http://www.linuxquestions.org/linux/member.html or a donation here: http://www.linuxquestions.org/linux/donation.html but that's entirely your choice and NP if you don't want to, OK?
Thanks again, will look into them.
 
  

