Web server security holes?
Dear All,

I am quite concerned about security, and I think my machine is doing well with respect to all the usual services such as telnet, FTP, etc. Unfortunately I am not very experienced with web servers, and have the standard features of SuSE 6.3 installed (Apache, I think). On two of my machines I got the following log entries in the httpd access_log / error_log:

- What does it mean?
- Is it dangerous for the machine?
- Can I further secure my machine?

PS: I do NOT need the machine being accessible by external machines via HTTP.

Thank you for explaining these things to me ...

access_log:

131.155.14.130 - - [19/Mar/2000:07:09:12 +0100] "POST /cgi-bin/perl HTTP/1.0" 404 281
131.155.14.130 - - [19/Mar/2000:07:09:12 +0100] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 280
128.175.13.74 - - [19/Mar/2000:17:43:12 +0100] "GET /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%20-a;id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 376
128.175.13.74 - - [20/Mar/2000:03:46:42 +0100] "POST /cgi-bin/test-cgi HTTP/1.0" 200 482
128.175.13.74 - - [20/Mar/2000:06:07:22 +0100] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 280
128.175.13.74 - - [20/Mar/2000:07:02:50 +0100] "GET /cgi-bin/aglimpse/80|IFS=_;CMD=_echo\;echo_id-aglimpse\;uname_-a\;id;eval$CMD; HTTP/1.0" 404 346
128.175.13.74 - - [21/Mar/2000:00:50:01 +0100] "POST /cgi-bin/perl HTTP/1.0" 404 281
128.175.13.74 - - [21/Mar/2000:06:33:15 +0100] "POST /cgi-bin/sh HTTP/1.0" 404 279
128.175.13.74 - - [21/Mar/2000:07:17:24 +0100] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 282
128.175.13.74 - - [21/Mar/2000:08:32:59 +0100] "GET /%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E/index.html HTTP/1.0" 404 316

error_log:

[Sun Mar 19 17:43:12 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/counterfiglet
[Mon Mar 20 06:07:22 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/phf
[Mon Mar 20 07:02:50 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/aglimpse
[Tue Mar 21 00:50:01 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/perl
[Tue Mar 21 06:33:15 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/sh
[Tue Mar 21 07:17:24 2000] [error] [client 128.175.13.74] script not found or unable to stat: /usr/local/httpd/cgi-bin/query
[Thu Mar 30 22:34:16 2000] [notice] Apache/1.3.9 (Unix) (SuSE/Linux) mod_perl/1.21 PHP/3.0.12 configured -- resuming normal operations
[Thu Mar 30 22:34:16 2000] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)

Marc Baaden - Labo MSM (UMR 7551) - http://crypt.u-strasbg.fr/marc
mailto:baaden@chimie.u-strasbg.fr - FAX (+49) 89 24 43 1 68 68
ICQ# 11466242 - Tel: (+33) 3 88 41 60 86 or (+33) 6 09 84 32 17
Hello Marc,
- What does it mean? Your web server log file looks like an attempt to test different known exploits using CGI scripts on the victim's server.
- Is it dangerous for the machine? Normally this is just a nice try and there is no risk unless you have installed one of these scripts...
- Can I further secure my machine? It also looks like there was no way into your system using these possible exploits in this way. You can secure it by denying any CGI / PHP scripts (see /etc/httpd/httpd.conf).
PS: I do NOT need the machine being accessible by external machines via HTTP. If you don't need your HTTP... just switch it off by editing /etc/rc.config ("start_httpd=no") or stop it by typing /sbin/init.d/apache stop
Greetinx, Oliver Grube --------------------------------------------- --IT-Secure - Mit Sicherheit gute Lösungen.-- --------------------------------------------- Security Support * oliver.grube@it-secure.de +49 2161 6897-180 * http://www.it-secure.de
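As an added illustration (not part of Oliver's reply, and not code from anyone in the thread), here is the check a practitioner would run over lines like Marc's: parse the common-log-format entries, URL-decode the request, label each one by the CGI name or injection pattern it carries, and then separate the probes the server refused (404) from those it answered with 2xx. The signature labels are this example's own naming; the sample log embeds the ten lines from Marc's post plus one constructed benign request from 10.0.0.1. Run over those lines it reports exactly one answered probe, the POST to /cgi-bin/test-cgi that returned 200. A 2xx from a probed script means that script exists and ran, so that is the one entry worth following up; an unused sample CGI such as test-cgi is better removed from cgi-bin than left in place.

```python
"""Label Apache access_log entries as CGI/SSI probe attempts and pull out the
ones the server actually answered.

Added example, not code from the thread.  SAMPLE_LOG holds the ten lines from
Marc's post plus one constructed benign request (10.0.0.1).  The signature
labels are this example's own naming, keyed on what the requests contain.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Common Log Format: client ident user [time] "method path protocol" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)')

# Applied to the URL-decoded path+query.  Decoding matters: the SSI payload in
# the log is fully %-encoded and the phf payload hides its newline as %0a.
SIGNATURES = [
    ("phf",                    re.compile(r"/cgi-bin/phf(?:[?/]|$)", re.I)),
    ("test-cgi",               re.compile(r"/cgi-bin/test-cgi(?:[?/]|$)", re.I)),
    ("aglimpse",               re.compile(r"/cgi-bin/aglimpse(?:[?/]|$)", re.I)),
    ("counterfiglet",          re.compile(r"/cgi-bin/counterfiglet(?:[?/]|$)", re.I)),
    ("interpreter in cgi-bin", re.compile(r"/cgi-bin/(?:perl|sh)(?:[?/]|$)", re.I)),
    ("SSI exec",               re.compile(r"<!--#exec\b", re.I)),
    ("shell metachars",        re.compile(r"[;|`\n]|/bin/sh", re.I)),
]

# Lines 1-10 are from the original post; the last line is constructed.
SAMPLE_LOG = r"""
131.155.14.130 - - [19/Mar/2000:07:09:12 +0100] "POST /cgi-bin/perl HTTP/1.0" 404 281
131.155.14.130 - - [19/Mar/2000:07:09:12 +0100] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 280
128.175.13.74 - - [19/Mar/2000:17:43:12 +0100] "GET /cgi-bin/counterfiglet/nc/f=;echo;echo%20{_begin-counterfiglet_};uname%20-a;id;w;echo%20{_end-counterfiglet_};echo HTTP/1.0" 404 376
128.175.13.74 - - [20/Mar/2000:03:46:42 +0100] "POST /cgi-bin/test-cgi HTTP/1.0" 200 482
128.175.13.74 - - [20/Mar/2000:06:07:22 +0100] "POST /cgi-bin/phf?Qname=x%0a/bin/sh+-s%0a HTTP/1.0" 404 280
128.175.13.74 - - [20/Mar/2000:07:02:50 +0100] "GET /cgi-bin/aglimpse/80|IFS=_;CMD=_echo\;echo_id-aglimpse\;uname_-a\;id;eval$CMD; HTTP/1.0" 404 346
128.175.13.74 - - [21/Mar/2000:00:50:01 +0100] "POST /cgi-bin/perl HTTP/1.0" 404 281
128.175.13.74 - - [21/Mar/2000:06:33:15 +0100] "POST /cgi-bin/sh HTTP/1.0" 404 279
128.175.13.74 - - [21/Mar/2000:07:17:24 +0100] "GET /cgi-bin/query?x=%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E HTTP/1.0" 404 282
128.175.13.74 - - [21/Mar/2000:08:32:59 +0100] "GET /%3C%21%2D%2D%23%65%78%65%63%20%63%6D%64%3D%22%2F%75%73%72%2F%62%69%6E%2F%69%64%22%2D%2D%3E/index.html HTTP/1.0" 404 316
10.0.0.1 - - [21/Mar/2000:09:00:00 +0100] "GET /index.html HTTP/1.0" 200 1234
"""


def parse_line(line):
    """Parse one CLF line into a dict with the decoded path and matching labels, or None."""
    m = CLF.match(line)
    if not m:
        return None
    client, when, method, path, _proto, status, _size = m.groups()
    decoded = unquote(path)
    return {
        "client": client, "time": when, "method": method,
        "path": decoded, "status": int(status),
        "labels": [name for name, rx in SIGNATURES if rx.search(decoded)],
    }


def scan(log_text):
    """All entries that match at least one probe signature."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line.strip()) if line.strip() else None
        if rec and rec["labels"]:
            found.append(rec)
    return found


def hits_to_investigate(findings):
    """Probes answered with 2xx: the requested script exists and produced a response."""
    return [f for f in findings if 200 <= f["status"] < 300]


def per_client(findings):
    """Probe count per source address; a burst from one address is a scanner."""
    return dict(Counter(f["client"] for f in findings))


if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for f in findings:
        print(f'{f["client"]:15} {f["status"]} {", ".join(f["labels"]):40} {f["path"][:60]!r}')
    print("per client:", per_client(findings))
    for h in hits_to_investigate(findings):
        print("ANSWERED PROBE, investigate:", h["client"], h["method"], h["path"])
```

A 404 in access_log paired with "script not found or unable to stat" in error_log is Apache saying the target was simply absent; only the 2xx line changes the picture, and it is the one line the error_log is silent about.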
It seems to me like a bad guy was scanning your web server for vulnerable CGI scripts, but don't panic, he couldn't find anything. Have a good one. Marc Baaden wrote:
Dear All,
I am quite concerned about security, and I think my machine is doing well with respect to all the usual services such as telnet, FTP, etc.
Unfortunately I am not very experienced with web servers, and have the standard features of SuSE 6.3 installed (Apache, I think). On two of my machines I got the following log entries in the httpd access_log / error_log
- What does it mean? - Is it dangerous for the machine? - Can I further secure my machine? PS: I do NOT need the machine being accessible by external machines via HTTP
Thank you for explaining these things to me ...
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
-- Francisco M. Marzoa Alonso Nuevo Mundo - Dpto. Informático ICQ#: 62850923 Henri Dunant, 19 - 28036 Madrid tfno: +34 91 343 18 40 ext. 207 España / Spain fax: +34 91 350 28 45
Oliver Grube wrote:
Hello Marc,
PS: I do NOT need the machine being accessible by external machines via HTTP. If you don't need your HTTP... just switch it off by editing /etc/rc.config ("start_httpd=no") or stop it by typing /sbin/init.d/apache stop
Sorry, I've read too fast. I think Marc means that he *NEEDS* the HTTP server running for *INTERNAL* machines only, so stopping Apache is not a solution. You can use a firewall, directly using ipchains for example, or (I didn't try this and I'm not sure if it's feasible) wrap Apache with the inetd daemon and edit /etc/hosts.allow and/or /etc/hosts.deny to tell your system the IP addresses that are allowed to access that service. I've written a tiny Perl script that does, among other things, exactly this. It starts masquerading services and some firewalling rules; I've attached it to this message because it's very small, excuse me if I disturb anybody. It is normally called by the ip-up (start) and ip-down (stop) scripts from pppd. Have a good one.
Greetinx,
Oliver Grube
-- Francisco M. Marzoa Alonso Nuevo Mundo - Dpto. Informático ICQ#: 62850923 Henri Dunant, 19 - 28036 Madrid tfno: +34 91 343 18 40 ext. 207 España / Spain fax: +34 91 350 28 45

#!/usr/bin/perl
# Author: Francisco M. Marzoa Alonso
# Last update: Mon Jan 17 17:49:04 CET 2000
#
# This script starts internet masquerading and firewalling services.
#
use strict;

sub showUsage {
    my $pName = $0;   # This should be changed by a true detection of program invocation name
    print STDERR "This script starts/stops internet masquerading services.\n\n";
    print STDERR "Usage:\n";
    print STDERR "$pName start|stop|restart networkdevice localaddress\n\n";
}

sub startMasquerading {
    my $nDevice = shift @_;
    my $localIP = shift @_;   # DONE!: This should be changed in the future by a symbolic value which returns this host IP.

    system ("logger -t '/etc/ppp/inet.masq' 'Starting masquerading nd=$nDevice'");

    # Masquerading
    system ("/sbin/ipchains -P forward DENY");
    system ("/sbin/ipchains -A forward -i $nDevice -j MASQ");
    system ("echo 1 > /proc/sys/net/ipv4/ip_forward");

    # Block external connections to telnet
    system ("/sbin/ipchains -I input -s ! 192.168.66.0/24 -d $localIP/32 telnet -p tcp -j DENY");
    # Block external connections to the web server
    # (the /16 in the rules below exempts all of 192.168.0.0/16, not only
    # 192.168.66.0/24 as the telnet rule does; check which one you intend)
    system ("/sbin/ipchains -I input -s ! 192.168.66.0/16 -d $localIP/32 www -p tcp -j DENY");
    # Block external connections to sendmail
    system ("/sbin/ipchains -I input -s ! 192.168.66.0/16 -d $localIP/32 smtp -p tcp -j DENY");
    # Block connections to lpd
    system ("/sbin/ipchains -I input -s ! 192.168.66.0/16 -d $localIP/32 printer -p tcp -j DENY");
    # Block connections to the POP server
    system ("/sbin/ipchains -I input -s ! 192.168.66.0/16 -d $localIP/32 pop3 -p tcp -j DENY");
    # Block connections to the fax server
    # system ("/sbin/ipchains -I input -s ! 192.168.66.0/16 -d $localIP/32 hylafax -p tcp -j DENY");
}

sub stopMasquerading {
    my $nDevice = shift @_;

    # Remove the blocking rules
    system ("/sbin/ipchains -F input");
    # Remove the masquerading
    system ("/sbin/ipchains -D forward -i $nDevice -j MASQ");
    system ("/sbin/ipchains -P forward ACCEPT");
}

my ($action, $networkDevice, $localAddress);
$action = $ARGV [0];
$networkDevice = $ARGV [1];
$localAddress = $ARGV [2];

system ("logger -t '/etc/ppp/inet.masq' 'a = $action, nd = $networkDevice , la = $localAddress'");

if ( (!$action) || (!$networkDevice) || (!$localAddress) ) {
    showUsage ();
} else {
    if ($action eq 'start') {
        startMasquerading ($networkDevice, $localAddress);
    } elsif ($action eq 'stop') {
        stopMasquerading ($networkDevice);
    } elsif ($action eq 'restart') {
        stopMasquerading ($networkDevice);
        # The local address must be passed here too, otherwise $localIP is
        # undefined inside the DENY rules and they match nothing useful.
        startMasquerading ($networkDevice, $localAddress);
    } else {
        showUsage ();
    }
}
On Wed, 05 Apr 2000, Francisco M. Marzoa Alonso wrote:
Oliver Grube wrote:
Hello Marc,
PS: I do NOT need the machine being accessible by external machines via HTTP. If you don't need your HTTP... just switch it off by editing /etc/rc.config ("start_httpd=no") or stop it by typing /sbin/init.d/apache stop
Sorry, i've read too fast.
Think that Marc means that he *NEED* the HTTP server running for *INTERNAL* machines only. So stop apache is not a solution.
Maybe let Apache bind only to the internal IP, or run it via inetd and let tcpd check whether it is a valid IP. -- --- Engelbert Gruber --- SSG Fintl,Gruber,Lassnig A6140 Telfs Untermarkt 9 Tel. ++43-5262-64727 ---
On Wed, 5 Apr 2000, Oliver Grube wrote:
PS: I do NOT need the machine being accessible by external machines via HTTP. If you don't need your HTTP... just switch it off by editing /etc/rc.config ("start_httpd=no") or stop it by typing /sbin/init.d/apache stop
Well, I think he still needs internal access for SuSE help system etc. So he could specifically deny access to port 80 for all hosts except his own. -- Markus Schaber - http://www.schabi.de/ - ICQ #22042130 Paranoja is just Reality at a higher resolution!
Hello everybody... well, I've read Marc's text a little bit too fast... Many possible reasons were shown, so my absolute statement about shutting down the server can be ignored. Greetings, Oliver Grube --------------------------------------------- --IT-Secure - Mit Sicherheit gute Lösungen.-- --------------------------------------------- Security Support * oliver.grube@it-secure.de +49 2161 6897-180 * http://www.it-secure.de
Markus Schaber wrote:
On Wed, 5 Apr 2000, Oliver Grube wrote:
PS: I do NOT need the machine being accessible by external machines via HTTP. If you don't need your HTTP... just switch it off by editing /etc/rc.config ("start_httpd=no") or stop it by typing /sbin/init.d/apache stop
Well, I think he still needs internal access for SuSE help system etc. So he could specifically deny access to port 80 for all hosts except his own.
Perhaps you might consider changing your default policy to REJECT and only opening those ports to the outside world which you really need. At least this policy works great for me. Regards, Fred Mobach fred at mobach.nl
Hi, if your web server is practically open to the public (like Apache running on the ISDN router) and you need to deny access on that interface but still want your internal users to see the web server, you can consider the following: put this in httpd.conf

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
#Listen 3000
Listen 192.168.80.99:80

This will handle requests directed to the www server's interface (for example using Apache as a proxy server), but will be totally deaf to the rest of the world! This should do fine!
editing /etc/rc.config ("start_httpd=no") or stop it by typing /sbin/init.d/apache stop
Well, I think he still needs internal access for SuSE help system etc. So he could specifically deny access to port 80 for all hosts except his own.
LUFA Speyer (EDV) email: becker@lufa-sp.vdlufa.de tel : +49 (0)6232-629542 fax : +49 (0)6232-629544 The Landwirtschaftliche Untersuchungs- und Forschungsanstalt (agricultural research institute) is offering a trainee position for an IT specialist (Fachinformatiker/Fachinformatikerin): --> http://www.vdlufa.de/speyer/
On Wed, 5 Apr 2000, Stefan Becker wrote:
Hi, if your web server is practically open to the public (like Apache running on the ISDN router) and you need to deny access on that interface but still want your internal users to see the web server, you can consider the following:
put this in httpd.conf

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
#Listen 3000
Listen 192.168.80.99:80

This will handle requests directed to the www server's interface (for example using Apache as a proxy server), but will be totally deaf to the rest of the world!
This should do fine!
No, this is actually not right. The Listen directive only specifies which interface/port Apache listens on if a server has multiple IP interfaces or listens on multiple or non-standard ports. It will accept an HTTP request to that interface from anywhere. The correct way to limit where Apache will accept requests from is to use the Allow and Deny directives within a Directory container. For example, to limit Apache to only respond to requests from itself (i.e. help docs on a standalone machine, not served to anyone else), put the following within the default directory container:

<Directory />
    [yada yada - other default directives]
    Order deny,allow
    Deny from all
    Allow from localhost
</Directory>

This is the first thing I do with Apache when I install it on a workstation, so that people can't try all the exploits against me that the previous poster noted. :) You can also specify IP address subnets, individual IP addresses, hostnames or network names, or use userid/passwords with the Allow command. Take a look at http://www.apache.org/docs-1.2/mod/mod_access.html#allow for help (this is the 1.2 docs, so it's outdated), or look at the Apache docs that get installed by default (SuSE 6.3 anyway).

Hope this helps,
John Ritchie
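Added example, not from John's post and not Apache's own code: a small evaluator of Apache 1.3 mod_access semantics, so the effect of an Order / Deny from / Allow from combination can be checked for a given client address before relying on it. It implements the Order values deny,allow, allow,deny and mutual-failure, and the `all`, full-IP, partial-IP, network/mask and hostname forms of the `from` list. Real Apache matches hostnames only after a double-reverse DNS lookup of the client; here the caller passes the client's name directly, and every client address and hostname in the examples is constructed except the two scanner addresses from Marc's log and the 192.168.80.0/24 subnet derived from Stefan's Listen line. Three blocks are evaluated: John's localhost-only block, a variant admitting an internal subnet, and a common mistake, `Order deny,allow` with an `Allow from` but no `Deny from all`, which leaves the default (allow) in force for everyone. Binding with Listen limits which local address accepts connections, mod_access limits which clients are served, and a packet filter limits which clients reach the port at all; they are complementary, and mod_access is the layer whose ordering rules are easiest to get backwards, hence the check.

```python
"""Evaluate Apache 1.3 mod_access access control (Order / Deny from / Allow from)
for sample client addresses, offline.

Added example, not code from the thread or from Apache.  Real Apache resolves
the client's hostname with a double-reverse DNS lookup before comparing it; here
the caller supplies the name (constructed input).
"""
import ipaddress
import re

_DIRECTORY = re.compile(r"<Directory\b[^>]*>(.*?)</Directory>", re.S | re.I)


def parse_access(conf):
    """Return (order, allow_tokens, deny_tokens) from the first <Directory> block
    (or from the whole text if there is none).  Apache's default Order is deny,allow."""
    m = _DIRECTORY.search(conf)
    body = m.group(1) if m else conf
    order, allow, deny = "deny,allow", [], []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        kw = parts[0].lower()
        if kw == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif kw in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if kw == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def _token_matches(token, ip, host):
    """One 'from' token against a client: all | IP | partial IP | net/mask | hostname."""
    token = token.lower()
    if token == "all":
        return True
    if "/" in token:                       # 192.168.80.0/24 or 192.168.80.0/255.255.255.0
        return ip in ipaddress.ip_network(token, strict=False)
    if re.fullmatch(r"\d+(\.\d+){0,3}", token):
        # full address, or a 1..3 octet prefix matched on an octet boundary
        return str(ip) == token or str(ip).startswith(token + ".")
    # hostname or domain suffix: name equals the token or ends with ".token"
    return host is not None and (host.lower() == token or host.lower().endswith("." + token))


def allowed(conf, client_ip, client_host=None):
    """Apply Order semantics: which list is consulted first and which wins on conflict."""
    order, allow, deny = parse_access(conf)
    ip = ipaddress.ip_address(client_ip)
    on_allow = any(_token_matches(t, ip, client_host) for t in allow)
    on_deny = any(_token_matches(t, ip, client_host) for t in deny)
    if order == "deny,allow":
        # Deny evaluated first, Allow second; Allow overrides; unmatched => allowed
        return on_allow or not on_deny
    if order in ("allow,deny", "mutual-failure"):
        # Allow first, Deny second; Deny overrides; unmatched => denied
        return on_allow and not on_deny
    raise ValueError("unknown Order: " + order)


# John's block: only clients whose (reverse-resolved) name is "localhost".
LOCALHOST_ONLY = """
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from localhost
</Directory>
"""

# Loopback plus an internal subnet (subnet taken from the Listen example above).
INTERNAL_ONLY = """
<Directory />
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.168.80.0/24
</Directory>
"""

# The usual mistake: an Allow list but no "Deny from all" under deny,allow, so
# the default (allow) still applies to every address not on the Allow list.
OPEN_BY_ACCIDENT = """
<Directory />
    Order deny,allow
    Allow from 192.168.80.0/24
</Directory>
"""

if __name__ == "__main__":
    clients = [("127.0.0.1", "localhost"), ("192.168.80.5", None),
               ("131.155.14.130", None), ("128.175.13.74", None)]
    for name, conf in [("LOCALHOST_ONLY", LOCALHOST_ONLY), ("INTERNAL_ONLY", INTERNAL_ONLY),
                       ("OPEN_BY_ACCIDENT", OPEN_BY_ACCIDENT)]:
        for ip, host in clients:
            print(f"{name:17} {ip:16} -> {'allowed' if allowed(conf, ip, host) else 'denied'}")
```

Run it and the third block prints "allowed" for both scanner addresses, which is the case John's "Deny from all" line exists to prevent; the first block also denies 127.0.0.1 when no hostname is supplied, which is what happens in Apache when reverse DNS for the client fails, so a subnet or address form is more robust than a hostname.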
participants (8)
- engelbert gruber
- Francisco M. Marzoa Alonso
- Fred Mobach
- John Ritchie
- Marc Baaden
- Markus Schaber
- Oliver Grube
- Stefan Becker