On Fri, Jun 17, 2016, at 09:30 PM, Michael Armbruster wrote:
> Hi Paul,
>
> assuming the default HTTP port, it was an attack on port 80.
> Furthermore, the cryptic-looking signs (%XX, where X is 0-9 or A-F)
> are URL-escaped characters. Unescaping them leads to something like this:
>
> > /cgi-bin/php-cgi?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n
> ...
> Putting all those bits together, we can conclude that an attacker tried
> to access the PHP executable on the CGI path of a webserver and to
> disable various security features. The malicious code or data he tried
> to send to the server was sent via POST data. We cannot see the POST
> data, though, so we can only speculate what the attacker tried to do. A
> good bet would be to upload a shell to the webserver to gain further
> access on the server, but that's only speculation.

Specifically, this looks like https://www.exploit-db.com/exploits/29290/ - server operators take note.

GD

-- 
http://www.fastmail.com - Accessible with your email software or over the web

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
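As an added example (not part of this thread, and not code from Michael, GD or the Tor project), here is a small Python log scanner that looks for the pattern decoded above in web server access logs. It reproduces the CGI rule that makes this attack work (RFC 3875 section 4.4: a query string with no unencoded "=" is split on "+" and handed to the CGI program as command-line arguments), and flags any request to a CGI target whose resulting argv starts with an option, rating it higher when the "-d" overrides name the directives from the decoded request. Assumptions: the log is in combined (Apache/nginx) format, the log lines below are constructed for the example, and the first line is simply the percent-encoded form of the query quoted in Michael's message. The POST body is not in the access log, so, as the thread says, what was sent cannot be recovered from here.

```python
"""Flag php-cgi argument-injection attempts in combined-format access logs.

Added example for the tor-relays thread above; the log lines are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample log (combined format). Line 1 is the encoded form of the
# query decoded in the thread; line 2 is an ordinary request; line 3 carries a
# bare option; line 4 is a harmless "+"-separated query with no option words.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Jun/2016:21:30:00 +0000] "POST /cgi-bin/php-cgi?%2Dd+allow_url_include%3Don+%2Dd+safe_mode%3Doff+%2Dd+suhosin.simulation%3Don+%2Dd+disable_functions%3D%22%22+%2Dd+open_basedir%3Dnone+%2Dd+auto_prepend_file%3Dphp%3A%2F%2Finput+%2Dd+cgi.force_redirect%3D0+%2Dd+cgi.redirect_status_env%3D0+%2Dn HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jun/2016:21:31:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [17/Jun/2016:21:32:45 +0000] "GET /cgi-bin/php-cgi?-s HTTP/1.1" 200 9000 "-" "curl/7.47.0"
192.0.2.9 - - [17/Jun/2016:21:33:01 +0000] "GET /cgi-bin/search.cgi?tor+relay HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Request line inside the quoted part of a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# The php.ini directives the decoded request overrides with -d.
DANGEROUS_DIRECTIVES = {
    "auto_prepend_file", "allow_url_include", "safe_mode", "disable_functions",
    "open_basedir", "suhosin.simulation", "cgi.force_redirect",
    "cgi.redirect_status_env",
}


def cgi_argv(raw_query: str) -> list[str]:
    """Argv a CGI server derives from the query string (RFC 3875 s4.4).

    Only a query with no unencoded '=' is split on '+' and percent-decoded
    per word; otherwise it is passed solely as QUERY_STRING and argv is empty.
    """
    if "=" in raw_query:
        return []
    return [unquote(word) for word in raw_query.split("+") if word]


def analyze_request(target: str) -> dict:
    """Decode one request target and collect injected options and -d overrides."""
    path, _, raw_query = target.partition("?")
    argv = cgi_argv(raw_query)
    options = [w for w in argv if w.startswith("-")]
    directives: dict[str, str] = {}
    i = 0
    while i < len(argv):
        word = argv[i]
        if word == "-d" and i + 1 < len(argv):        # "-d name=value"
            name, _, value = argv[i + 1].partition("=")
            directives[name] = value
            i += 2
            continue
        if word.startswith("-d") and len(word) > 2:   # "-dname=value"
            name, _, value = word[2:].partition("=")
            directives[name] = value
        i += 1
    return {
        "path": path,
        "argv": argv,
        "options": options,
        "dangerous": {k: v for k, v in directives.items() if k in DANGEROUS_DIRECTIVES},
    }


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose CGI argv starts with an option."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        info = analyze_request(match.group("target"))
        if not info["options"]:
            continue
        if info["dangerous"].get("auto_prepend_file") == "php://input":
            severity = "code-injection"   # request body is executed as PHP
        elif info["dangerous"]:
            severity = "critical"
        else:
            severity = "suspicious"       # some option reached php-cgi's argv
        info.update(client=line.split(" ", 1)[0], method=match.group("method"),
                    severity=severity)
        findings.append(info)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["client"], f["method"], f["path"], f["dangerous"] or f["options"])
```

Run it over a real access log in place of SAMPLE_LOG; anything rated "code-injection" is a request whose body php-cgi was told to execute, and the matching POST body, if the server kept one, is where the actual payload would be.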