30th November 2010, 21:35
isn
Member
Join Date: Oct 2009
Posts: 55
Thanks: 6
Thanked 2 Times in 2 Posts
Possible httpd server attack, may need to harden ISPCONFIG or apache

I have been experiencing an issue with my httpd server configured to use ISPCONFIG 3.

ISPConfig Version: 3.0.2.2

What happens is one of two things.

Either a Joomla site 1.5.15 is being abused or apache is being abused directly.

The result is:

A large number of processes is being opened up transferring Gigabytes of data to IP addresses in China.

I shut the attack down cold by dropping all outbound FTP traffic but still seem to be getting abused. Just now the nasty people are not achieving their goal. I can't leave outbound FTP shut down forever; WordPress uses it to take care of automatic updates.

syslog shows:

Nov 27 14:20:21 mercury pure-ftpd: (?@127.125.46.121) [INFO] New connection from 127.125.46.121
Nov 27 14:20:22 mercury pure-ftpd: (?@127.144.46.72) [INFO] New connection from 127.144.46.72
Nov 27 14:20:23 mercury pure-ftpd: (?@127.116.51.101) [INFO] New connection from 127.116.51.101
Nov 27 14:20:25 mercury pure-ftpd: (?@127.146.54.81) [INFO] New connection from 127.146.54.81
Nov 27 14:20:30 mercury pure-ftpd: (?@127.103.51.246) [INFO] New connection from 127.103.51.246
Nov 27 14:20:31 mercury pure-ftpd: (?@127.147.37.9) [INFO] New connection from 127.147.37.9
Nov 27 14:20:33 mercury pure-ftpd: (?@127.104.62.129) [INFO] New connection from 127.104.62.129
Nov 27 14:20:38 mercury pure-ftpd: (?@127.126.47.102) [INFO] New connection from 127.126.47.102
Nov 27 14:20:39 mercury pure-ftpd: (?@127.118.48.76) [INFO] New connection from 127.118.48.76
Nov 27 14:20:42 mercury pure-ftpd: (?@127.116.52.194) [INFO] New connection from 127.116.52.194
Nov 27 14:21:34 mercury pure-ftpd: (?@127.141.84.84) [INFO] New connection from 127.141.84.84

Very interesting is a list of the open apache processes.


apache 1133 1 0 Nov28 ? 00:00:11 ./nt -h 114.113.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
apache 1138 1 0 Nov28 ? 00:00:00 ./nt -h 114.118.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
apache 1300 1 0 Nov28 ? 00:00:00 ./nt -h 114.128.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
apache 1301 1 0 Nov28 ? 00:00:13 ./nt -h 114.129.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C

That is a sample, but clearly apache is being hammered.

What I'm looking for is some peer to peer detail on the attack, and some recommendations for how to plug the hole.

Joomla is a client application and they are planning an upgrade. Their current login field permits unlimited characters and may be vulnerable to SQL injection.

I saw some evidence of this in the apache server logs.

173.201.187.118 - - [30/Nov/2010:12:15:13 -0600] "GET //index.php?option=com_ckforms&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 302 - "-" "libwww-perl/5.837"


This is a cut and paste from a site that explains how to sql inject Joomla.

I've actually used this code to block firewall access for the offending users.

Any ideas help?

Plans:
1) Force the customer to upgrade Joomla to 1.5.22. Will this help?
2) Upgrade ISPConfig 3 to the most current version (help, link please).
3) Find a way to harden apache to prevent this abuse.
__________________
isn aka SEP from ITRC forums
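As an added example (not code from the post or from ISPConfig), here is a small Python triage script for the two kinds of log lines the post quotes: it measures how many new pure-ftpd connections land in any 60-second window, and it flags Apache access-log requests carrying the traversal, /proc/self/environ and null-byte markers seen in the quoted GET. The sample lines are constructed from the post's format; the year 2010 is assumed for parsing because syslog omits it.

```python
import re
from collections import namedtuple
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines, modelled on the syslog and access-log lines in the post.
FTP_LINES = [
    "Nov 27 14:20:21 mercury pure-ftpd: (?@127.125.46.121) [INFO] New connection from 127.125.46.121",
    "Nov 27 14:20:22 mercury pure-ftpd: (?@127.144.46.72) [INFO] New connection from 127.144.46.72",
    "Nov 27 14:20:23 mercury pure-ftpd: (?@127.116.51.101) [INFO] New connection from 127.116.51.101",
    "Nov 27 14:21:34 mercury pure-ftpd: (?@127.141.84.84) [INFO] New connection from 127.141.84.84",
]
ACCESS_LINES = [
    '173.201.187.118 - - [30/Nov/2010:12:15:13 -0600] "GET //index.php?option=com_ckforms&controller=../../../../proc/self/environ%00 HTTP/1.1" 302 - "-" "libwww-perl/5.837"',
    '203.0.113.5 - - [30/Nov/2010:12:16:02 -0600] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

FTP_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ pure-ftpd: .*New connection from (\S+)$")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Markers present in the request quoted in the post; checked on the raw and URL-decoded path.
SUSPICIOUS = [("traversal", "../"), ("proc-environ", "/proc/self/environ"), ("null-byte", "%00")]

Hit = namedtuple("Hit", "ip path status reasons")


def max_connections_in_window(lines, window=60):
    """Largest number of new pure-ftpd connections in any `window`-second span: (count, window start)."""
    times = sorted(datetime.strptime("2010 " + m.group(1), "%Y %b %d %H:%M:%S")
                   for m in map(FTP_RE.match, lines) if m)  # year assumed: syslog omits it
    best, start = (0, None), 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:  # slide the window start forward
            start += 1
        if end - start + 1 > best[0]:
            best = (end - start + 1, times[start].strftime("%b %d %H:%M:%S"))
    return best


def flag_requests(lines):
    """Return a Hit for every access-log request whose path carries one of the SUSPICIOUS markers."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # malformed or non-CLF line; skip rather than crash the sweep
        ip, _method, path, status = m.groups()
        decoded = unquote(path)
        reasons = [name for name, marker in SUSPICIOUS if marker in path or marker in decoded]
        if reasons:
            hits.append(Hit(ip, path, int(status), reasons))
    return hits
```

Feed it the real files (for example `flag_requests(open("/var/log/apache2/access.log"))`) and the flagged IPs are candidates for the firewall rule the post mentions, while a high window count is the burst the outbound-FTP block was hiding.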