
[Apache AccessLog] %2f..%2f..%2f..%2fetc%2fhttpd%2flogs%2ferror.log



Recently reviewed the Apache access log for one of the sites I'm handling.

Got a bunch of entries in my access log that look like these:
54.208.35.151 - - [27/Nov/2013:13:27:58 +0800] "GET /wp-content/plugins/theia-post-slider/js/balupton-history.js/history.js?ver=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fhttpd%2flogs%2ferror.log HTTP/1.1" 404 - "http://[this-is-intentionally-masked].com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; ScanToSecure)"
or
54.208.35.151 - - [27/Nov/2013:13:30:11 +0800] "GET /wp-content/plugins/sociable/css/sociable.css?ver=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar%2flog%2fapache%2ferror.log HTTP/1.1" 200 5687 "http://[this-is-intentionally-masked].com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; ScanToSecure)"
Notice that the second example actually returned HTTP 200 OK, meaning the request was valid and pointed to an existing resource on the server.

I did a check and found that the response contained nothing more than the CSS content. *phew*


IP CHECKING


A check on the IP (54.208.35.151) reveals that these requests came from a spam bot server.

A note to all


Do not use unknown/non-reputable themes/plugins with .php files that generate static .js or .css files. I've seen quite a few with additional functions to write to other files, and even to read from other files! It's really not necessary to have this additional parameter.

Putting a file path in a URL parameter is exactly what leads to the exploit mentioned above, i.e.
jquery.js.php?ver=[path-to-some-sensitive-file]
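To make that concrete, here is an added example (not code from this post or from any real plugin), written in Python rather than PHP: a hypothetical asset handler that splices whatever arrives in ?ver= into the file it reads, next to a hardened form that only serves files from a fixed allowlist and accepts ver purely as a version string. ASSET_ROOT, the ASSETS table and the function names are assumptions.

```python
import os
import re

# Hypothetical asset directory for a plugin that serves its own js/css through a script (assumption).
ASSET_ROOT = '/var/www/wp-content/plugins/example-plugin/assets'
# Files the handler may serve; the route picks from this table, the client never names a path.
ASSETS = {'history.js': 'js/history.js', 'sociable.css': 'css/sociable.css'}
# A cache-busting "ver" is digits and dots, nothing else.
VERSION_RE = re.compile(r'^[0-9]+(\.[0-9]+)*$')

def escapes_root(path):
    """True when a normalised path lies outside ASSET_ROOT, which is what a traversal probe relies on."""
    return os.path.commonpath([ASSET_ROOT, path]) != ASSET_ROOT

def unsafe_asset_path(ver):
    """The pattern the post warns about: whatever arrives in ?ver= is joined onto the asset directory and read."""
    return os.path.normpath(os.path.join(ASSET_ROOT, ver))

def is_version(ver):
    """Accept only a plain version string; slashes, dot-dot sequences and quotes are all rejected."""
    return ver is None or bool(VERSION_RE.match(ver))

def safe_asset_path(name, ver=None):
    """Hardened form: the file comes from the allowlist; ver only affects cache busting and is validated."""
    if name not in ASSETS:
        raise ValueError('unknown asset')
    if not is_version(ver):
        raise ValueError('ver must be a version string, not a path')
    path = os.path.normpath(os.path.join(ASSET_ROOT, ASSETS[name]))
    if escapes_root(path):  # defence in depth; cannot trigger with a fixed allowlist
        raise ValueError('asset outside root')
    return path
```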

Bonus


Doing SQL queries in static resource files? Big no.
Reading SQL queries from URL parameters? Big big no.

You'll expose yourself to things like this:
54.208.35.151 - - [27/Nov/2013:13:30:21 +0800] "GET /wp-content/plugins/theia-post-slider/css/buttons-orange.css?ver='%2b%20(select%20convert(int%2cCHAR(95)%2bCHAR(33)%2bCHAR(64)%2bCHAR(50)%2bCHAR(100)%2bCHAR(105)%2bCHAR(108)%2bCHAR(101)%2bCHAR(109)%2bCHAR(109)%2bCHAR(97))%20FROM%20syscolumns)%20%2b' HTTP/1.1" 200 5652 "http://[this-is-intentionally-masked].com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; ScanToSecure)"
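As an added example that is not part of the original post, the following Python scanner parses Apache combined-format lines, URL-decodes the query string (including double encoding) and flags the traversal and SQL injection probes shown above, keeping the status code so that the 200 hits can be reviewed first. The sample lines are constructed from the entries in this post, with the referer host replaced and the user agent shortened.

```python
import re
from urllib.parse import unquote, urlsplit
# Apache combined log format: host ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Checked against the fully URL-decoded query string, so %2f, %2F and double encoding all count.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
SQLI_RE = re.compile(r'(?i)\bselect\b.*\bfrom\b|\bconvert\s*\(|\bsyscolumns\b')
# Constructed sample based on the entries in this post (referer host replaced, user agent shortened).
SAMPLE_LOG = [
    '54.208.35.151 - - [27/Nov/2013:13:27:58 +0800] "GET /wp-content/plugins/theia-post-slider/js/balupton-history.js/history.js?ver=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fhttpd%2flogs%2ferror.log HTTP/1.1" 404 - "http://example.com/" "Mozilla/4.0 (compatible; ScanToSecure)"',
    '54.208.35.151 - - [27/Nov/2013:13:30:11 +0800] "GET /wp-content/plugins/sociable/css/sociable.css?ver=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fvar%2flog%2fapache%2ferror.log HTTP/1.1" 200 5687 "http://example.com/" "Mozilla/4.0 (compatible; ScanToSecure)"',
    '54.208.35.151 - - [27/Nov/2013:13:30:21 +0800] "GET /wp-content/plugins/theia-post-slider/css/buttons-orange.css?ver=\'%2b%20(select%20convert(int%2cCHAR(95))%20FROM%20syscolumns)%20%2b\' HTTP/1.1" 200 5652 "http://example.com/" "Mozilla/4.0 (compatible; ScanToSecure)"',
    '203.0.113.9 - - [27/Nov/2013:13:31:00 +0800] "GET /wp-content/plugins/sociable/css/sociable.css?ver=3.5.1 HTTP/1.1" 200 5687 "http://example.com/" "Mozilla/5.0"',
]

def decode_query(target):
    """Return the query string of a request target, percent-decoded until it stops changing."""
    query = urlsplit(target).query
    prev = None
    while query != prev:
        prev, query = query, unquote(query)
    return query

def classify(line):
    """Describe a suspicious request, or return None for clean or unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_query(m.group('target'))
    findings = []
    if TRAVERSAL_RE.search(decoded):
        findings.append('path-traversal')
    if SQLI_RE.search(decoded):
        findings.append('sql-injection')
    if not findings:
        return None
    return {
        'ip': m.group('ip'),
        'path': urlsplit(m.group('target')).path,
        # 200 on a probe means the resource exists: verify what the response body really contained.
        'status': int(m.group('status')),
        'findings': findings,
    }

def scan(lines):
    # Run classify() over log lines and keep only the hits, in log order.
    return [hit for hit in map(classify, lines) if hit]
```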


Hope this helps.
