From: Colin G. <col...@ma...> - 2014-08-14 20:01:59
Hi again,

I am seeing a few (2 or 3 IPs in the last few days) that present the following kind of entry in my apache access_log:

POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E

This decodes to:

-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n

I see that (some of them) try php5, php4, php.cgi, etc. - with the same 'parameters'.

What are they trying to do? What can I do about it?

Regards

Colin G
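Added example (not code from the fail2ban project or from anyone on the list): a small Python script that does the decoding Colin did by hand, pulling the request target out of an access-log line, URL-decoding its query string and listing the php.ini directives it tries to override, so a reader can see which interpreter protections such a request switches off. The log lines, IP addresses and timestamps are constructed for this example; the query string is the one from the post above, joined back into one line.

```python
"""Decode a PHP-CGI request from the Apache access log and list the php.ini
overrides it carries. Added example, not code from the fail2ban project or
from anyone on the list. Log lines, IPs and timestamps are constructed."""
import re
import shlex
from urllib.parse import unquote_plus

# Request field of an Apache access-log line: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# php.ini directives that remove the interpreter's own protections when they
# are overridden from the query string (the set seen in the log line above).
DANGEROUS_DIRECTIVES = {
    "allow_url_include",      # lets include() pull code from a URL/stream
    "safe_mode",              # legacy restriction layer, switched off
    "suhosin.simulation",     # Suhosin hardening patch put into log-only mode
    "disable_functions",      # emptied, so blocked functions come back
    "open_basedir",           # removed, so no path restriction remains
    "auto_prepend_file",      # php://input: the POST body runs as PHP first
    "cgi.force_redirect",     # lets the CGI binary accept direct requests
    "cgi.redirect_status_env",
}

# Query string from the original post, joined back into a single line.
ENCODED_QUERY = (
    "%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+"
    "%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+"
    "%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+"
    "%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+"
    "%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+"
    "%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+"
    "%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+"
    "%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+"
    "%2D%6E"
)

# Constructed sample log (203.0.113.x / 198.51.100.x are documentation ranges):
# one probe of the kind quoted above and one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Aug/2014:16:01:24 -0400] "POST /cgi-bin/php4?'
    + ENCODED_QUERY + ' HTTP/1.1" 404 213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Aug/2014:16:02:10 -0400] '
    '"GET /php-docs/index.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def decode_query(target):
    """URL-decode the query part of a request target ('' if it has none)."""
    query = target.partition("?")[2]
    return unquote_plus(query)


def php_ini_overrides(decoded_query):
    """Collect '-d key=value' pairs from a query that looks like PHP CLI args."""
    try:
        tokens = shlex.split(decoded_query)   # honours the "" in disable_functions=""
    except ValueError:                        # unbalanced quotes: plain split
        tokens = decoded_query.split()
    overrides = {}
    for i, tok in enumerate(tokens):
        if tok == "-d" and i + 1 < len(tokens):
            key, _, value = tokens[i + 1].partition("=")
            overrides[key] = value
    return overrides


def classify(line):
    """Return the request path, the overrides found and a verdict for one line."""
    m = REQUEST_RE.search(line)
    if m is None:
        return {"path": None, "overrides": {}, "dangerous": [], "verdict": "unparsed"}
    target = m.group("target")
    overrides = php_ini_overrides(decode_query(target))
    dangerous = sorted(overrides.keys() & DANGEROUS_DIRECTIVES)
    verdict = "php-cgi argument injection" if dangerous else "benign"
    return {"path": target.partition("?")[0], "overrides": overrides,
            "dangerous": dangerous, "verdict": verdict}


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        result = classify(entry)
        print(result["verdict"], result["path"], result["dangerous"])
```

The decoder keys on the `-d` option form rather than on the path, so it also recognises the php5, php4 and php.cgi variants Colin mentions, and the `DANGEROUS_DIRECTIVES` set is where a reader would record which overrides matter on their own install (a server whose PHP is not run as a CGI binary will not honour any of them, which is the real fix; the ban only cuts down the noise).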
From: Sacks, C. <cai...@se...> - 2014-08-14 21:23:38
This is a php suhosin exploit. Basically, it is checking for a particular vulnerable script running on a vulnerable php install, and attempting to disable some of the built-in security features to launch further exploits.

I can send you more technical info sometime on Monday when I get back to my desk, but basically, ban the guy...

If you don't use this script or folder, then a good ban regex is to match on "/cgi-bin/".

Happy days

On 14 August 2014 22:01:24 SAST, Colin Goldberg <col...@ma...> wrote:
> [...]
From: Charles B. <cha...@nt...> - 2014-08-15 09:33:46
Hi,

There are hundreds, possibly thousands, of php exploits! They are impossible to block with fail2ban except in a few specific cases.

Two solutions:
1 - Don't run php - don't allow untrusted users to run arbitrary php.
2 - Make sure any php is regularly audited.

On Thu, 2014-08-14 at 16:01 -0400, Colin Goldberg wrote:
> [...]
From: Colin G. <col...@ma...> - 2014-08-15 13:24:27
So from this it appears I should filter on /php (and also on cgi-bin, as I don't use this).

Does this sound like a reasonable thing to do? Any gotchas if I do this?

On 8/15/14, 5:33 AM, Charles Bradshaw wrote:
> [...]
From: Sacks, C. <cai...@se...> - 2014-08-15 13:59:20
If you're not using PHP, then filter on "php". So you pick up ".php" etc. Basically, you should be able to white list pages that you know, and ban everything else.

-----Original Message-----
From: "Colin Goldberg" <col...@ma...>
Sent: 2014-08-15 03:28 PM
To: "fai...@li..." <fai...@li...>
Subject: Re: [Fail2ban-users] What are these attackers trying to do?

[...]
From: Colin G. <col...@ma...> - 2014-08-15 14:06:39
I am using php. That's why I thought to filter on '/php', because that's different from '.php'. But am I missing anything?

Colin

On 8/15/14, 9:59 AM, Sacks, Cailan wrote:
> [...]
From: Bill C. <bil...@gr...> - 2014-08-28 01:40:30
Are you sure you don't have (and will never have) URLs which include /php* anywhere in them? If you can guarantee you don't/won't, go ahead. Otherwise, expect to ban some users hitting known good URLs.

On 8/15/14 9:06 AM, Colin Goldberg wrote:
> [...]
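Bill's caveat in numbers, as an added example that is not fail2ban's own code or any filter posted on the list: two candidate failregex patterns, the broad "/php" match Colin proposed and one pinned to the request shape seen in the thread (a php* CGI binary whose query string opens with a `-d` option), are run over a constructed access log that contains two probes and two ordinary visitors, one of whom uses a legitimate URL under /php-docs/. The `<HOST>` expansion is a simplified stand-in for fail2ban's own (an assumption); the log lines, IPs and timestamps are constructed.

```python
"""Compare a broad '/php' ban rule with one pinned to the request shape from
the thread. Added example, not fail2ban's own code or anyone's posted filter.
Log lines, IPs and timestamps are constructed for this example."""
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption; fail2ban
# substitutes its own, more careful, host pattern when it loads a filter).
HOST_RE = r"(?P<host>[0-9A-Fa-f.:]+)"

# What Colin proposed: ban any request whose path contains "/php".
BROAD_FAILREGEX = r'^<HOST> \S+ \S+ \[[^\]]+\] "[A-Z]+ \S*/php'

# Pinned to the fingerprint from the thread: a php* CGI binary whose query
# string opens with a "-d" option, percent-encoded or literal.
PINNED_FAILREGEX = (r'^<HOST> \S+ \S+ \[[^\]]+\] "(?:GET|POST) \S*/php[^/ ?]*'
                    r'\?(?:%2D|-)(?:%64|d)(?:\+|%20| )')

# Constructed sample (203.0.113.x / 198.51.100.x are documentation ranges).
# The first probe's query is shortened to its first -d option.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Aug/2014:16:01:24 -0400] "POST /cgi-bin/php4?'
    '%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E'
    ' HTTP/1.1" 404 213 "-" "-"',
    '203.0.113.9 - - [15/Aug/2014:03:12:51 -0400] "POST /cgi-bin/php.cgi?'
    '-d+allow_url_include%3Don HTTP/1.1" 404 213 "-" "-"',
    '198.51.100.7 - - [15/Aug/2014:09:30:02 -0400] "GET /php-docs/index.php'
    '?page=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [15/Aug/2014:09:31:44 -0400] "GET /index.php HTTP/1.1"'
    ' 200 2048 "-" "Mozilla/5.0"',
]
KNOWN_GOOD_HOSTS = {"198.51.100.7", "198.51.100.8"}


def compile_failregex(failregex):
    """Turn a fail2ban-style pattern into a Python regex with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def banned_hosts(failregex, lines):
    """Hosts the pattern would hand to the ban action, sorted for stable output."""
    rx = compile_failregex(failregex)
    hosts = set()
    for line in lines:
        m = rx.search(line)
        if m:
            hosts.add(m.group("host"))
    return sorted(hosts)


def false_positives(failregex, lines, known_good=KNOWN_GOOD_HOSTS):
    """Legitimate visitors the pattern would ban along with the probes."""
    return sorted(set(banned_hosts(failregex, lines)) & known_good)


if __name__ == "__main__":
    for name, rx in (("broad", BROAD_FAILREGEX), ("pinned", PINNED_FAILREGEX)):
        print(name, "bans", banned_hosts(rx, SAMPLE_LOG),
              "false positives", false_positives(rx, SAMPLE_LOG))
```

The broad rule catches both probes but also the visitor reading /php-docs/, which is exactly the user Bill warns about; the pinned rule bans only the two probes. The pinned pattern is deliberately narrow (it knows nothing about lowercase hex such as `%2d`, or other encodings of the same option), which is why Sacks' advice to whitelist the paths you actually serve, and fail2ban's `fail2ban-regex` tool for checking a candidate pattern against a real log before enabling it, are the safer way to tune a filter like this.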