Old 30th November 2010, 21:35
isn (Member, joined Oct 2009)

Possible httpd server attack, may need to harden ISPConfig or Apache

I have been experiencing an issue with my httpd server, which is configured to use ISPConfig 3.

ISPConfig Version: 3.0.2.2

What happens is one of two things.

Either a Joomla 1.5.15 site is being abused, or Apache is being abused directly.

The result is:

A large number of processes are being opened up, transferring gigabytes of data to IP addresses in China.

I shut the attack down cold by dropping all outbound FTP traffic, but still seem to be getting abused. Just now the nasty people are not achieving their goal. I can't leave outbound FTP shut down forever; WordPress uses it to take care of automatic updates.

syslog shows:

Nov 27 14:20:21 mercury pure-ftpd: (?@127.125.46.121) [INFO] New connection from 127.125.46.121
Nov 27 14:20:22 mercury pure-ftpd: (?@127.144.46.72) [INFO] New connection from 127.144.46.72
Nov 27 14:20:23 mercury pure-ftpd: (?@127.116.51.101) [INFO] New connection from 127.116.51.101
Nov 27 14:20:25 mercury pure-ftpd: (?@127.146.54.81) [INFO] New connection from 127.146.54.81
Nov 27 14:20:30 mercury pure-ftpd: (?@127.103.51.246) [INFO] New connection from 127.103.51.246
Nov 27 14:20:31 mercury pure-ftpd: (?@127.147.37.9) [INFO] New connection from 127.147.37.9
Nov 27 14:20:33 mercury pure-ftpd: (?@127.104.62.129) [INFO] New connection from 127.104.62.129
Nov 27 14:20:38 mercury pure-ftpd: (?@127.126.47.102) [INFO] New connection from 127.126.47.102
Nov 27 14:20:39 mercury pure-ftpd: (?@127.118.48.76) [INFO] New connection from 127.118.48.76
Nov 27 14:20:42 mercury pure-ftpd: (?@127.116.52.194) [INFO] New connection from 127.116.52.194
Nov 27 14:21:34 mercury pure-ftpd: (?@127.141.84.84) [INFO] New connection from 127.141.84.84

A list of the open Apache processes is very interesting.

apache 1133 1 0 Nov28 ? 00:00:11 ./nt -h 114.113.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
apache 1138 1 0 Nov28 ? 00:00:00 ./nt -h 114.118.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
apache 1300 1 0 Nov28 ? 00:00:00 ./nt -h 114.128.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C
apache 1301 1 0 Nov28 ? 00:00:13 ./nt -h 114.129.0.0 16 -u users -p pass -t 6 -c 20 -o log -d -k -C

That is a sample, but clearly Apache is being hammered.

What I'm looking for is some peer-to-peer detail on the attack, and some recommendations for how to plug the hole.

Joomla is a client application, and they are planning an upgrade. Their current login field permits unlimited characters and may be vulnerable to SQL injection.

I saw some evidence of this in the Apache server logs.

173.201.187.118 - - [30/Nov/2010:12:15:13 -0600] "GET //index.php?option=com_ckforms&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 302 - "-" "libwww-perl/5.837"

This is a cut and paste from a site that explains how to SQL inject Joomla.

I've actually used this code to block firewall access for the offending users.

Any ideas or help?

Plans:
1) Force the customer to upgrade Joomla to 1.5.22. Will this help?
2) Upgrade ISPConfig 3 to the most current version (help, link please).
3) Find a way to harden Apache to prevent this abuse.
__________________
isn aka SEP from ITRC forums
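As an added example (not the poster's code, nor anything from ISPConfig or Joomla), here is a small Python script that parses Apache combined-format access-log lines like the one quoted in the post and flags the traversal, null-byte and /proc/self/environ markers of that request, grouping hits by client IP so they can be reviewed before any firewall block. The second log line and the IP 198.51.100.7 are constructed sample data.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Markers of a local-file-inclusion / traversal probe, matched against the decoded request path
SIGNATURES = {
    "traversal": re.compile(r"(?:\.\./){2,}"),          # repeated ../ climbing out of the web root
    "null_byte": re.compile("\x00"),                    # %00 used to truncate an appended extension
    "proc_environ": re.compile(r"/proc/self/environ"),  # file typically targeted by LFI probes
}

# Constructed sample: line 1 is the request quoted in the post, line 2 is a benign page load.
SAMPLE_LOG = [
    '173.201.187.118 - - [30/Nov/2010:12:15:13 -0600] "GET //index.php?option=com_ckforms&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 302 - "-" "libwww-perl/5.837"',
    '198.51.100.7 - - [30/Nov/2010:12:16:02 -0600] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8412 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-format line into its fields; None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious(line):
    """Names of the signatures a line triggers (empty list for a benign request)."""
    rec = parse_line(line)
    if rec is None:
        return ["unparseable"]
    decoded = unquote(unquote(rec["path"]))  # decode twice: probes are often double-encoded
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def offenders(lines):
    """Map each client IP to the sorted signatures it triggered; clean clients are omitted."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        names = suspicious(line)
        if rec and names:
            hits.setdefault(rec["ip"], set()).update(names)
    return {ip: sorted(names) for ip, names in hits.items()}


if __name__ == "__main__":
    for ip, names in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(names)}")  # candidates for review before blocking
```

Pipe a real access log through `offenders()` line by line; a host that trips several signatures in quick succession is the one worth correlating with the pure-ftpd connections and the rogue `./nt` processes above.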