[tor-relays] Handling abuse - like to get your help please

Geoff Down geoffdown at fastmail.net
Sat Jun 18 02:03:21 UTC 2016



On Fri, Jun 17, 2016, at 09:30 PM, Michael Armbruster wrote:

> Hi Paul,
> 
> assuming the default HTTP port, it was an attack on port 80.
> Furthermore, the cryptic-looking signs (%XX, where X is 0-9 or A-F)
> are URL-escaped characters. Unescaping them leads to something like this:
> 
> > /cgi-bin/php-cgi?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n
> 
...
> Putting all those bits together, we can conclude that an attacker tried
> to access the PHP executable on the CGI path of a webserver and to
> disable various security features. The malicious code or data he tried
> to send to the server was sent as POST data. We cannot see the POST
> data, though, so we can only speculate about what the attacker tried to
> do. A good bet would be to upload a shell to the webserver to gain
> further access on the server, but that's only speculation.
> 
Specifically, this looks like
https://www.exploit-db.com/exploits/29290/
- server operators take note.
GD

-- 
http://www.fastmail.com - Accessible with your email software
                          or over the web
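As an added example, not part of the thread and not taken from the exploit-db entry, here is the decoding and triage step Michael describes, written so it can be run over exit-relay or webserver access logs. The mechanism it relies on is the CGI rule (RFC 3875, section 4.4) that a query string containing no literal "=" is split on "+", URL-decoded and passed to the CGI program as argv; that is why the attacker encodes "=" as %3D and "-" as %2D, and why the request reaches php-cgi as "-d allow_url_include=on ...". The log lines and the list of suspicious ini directives are my own constructions, modelled on the decoded payload quoted above.

```python
"""Flag php-cgi argument-injection attempts in webserver access logs.

Added example, not code from the tor-relays thread. The sample log lines
below are constructed to resemble the decoded payload quoted in the thread;
they are not the original lines from the relay operator's report.
"""
import re
from urllib.parse import unquote, urlsplit

# ini directives an attacker sets via "-d" to switch off PHP's own
# safeguards; each one appears in the payload quoted in the thread.
# (Set chosen for this example; extend it for your own environment.)
SUSPICIOUS_INI = {
    "allow_url_include=on",           # let include() fetch remote/stream URLs
    "safe_mode=off",
    "suhosin.simulation=on",          # put the Suhosin hardening patch in log-only mode
    "disable_functions=",             # re-enable system(), exec(), ...
    "open_basedir=none",
    "auto_prepend_file=php://input",  # execute the POST body as PHP before the script
    "cgi.force_redirect=0",           # allow php-cgi to run when invoked directly
}

# Combined-log-format request field, e.g. "POST /cgi-bin/php-cgi?... HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<req>[A-Z]+ \S+ HTTP/\d\.\d)"')


def split_cgi_argv(raw_query):
    """Emulate RFC 3875 s4.4: if the *raw* query string has no literal '=',
    the server treats it as a command line, splits it on '+', URL-decodes
    each token and passes the result to the CGI program as argv. That is
    the path by which '-d ...' reaches php-cgi."""
    if "=" in raw_query:
        return []
    return [unquote(tok) for tok in raw_query.split("+") if tok]


def analyse_request(request_line):
    """Decode one request line and report whether it looks like php-cgi
    argument injection."""
    try:
        method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return {"verdict": False, "reason": "unparseable request line"}
    parts = urlsplit(target)
    argv = split_cgi_argv(parts.query)
    hits = []
    for i, tok in enumerate(argv):
        if tok == "-d" and i + 1 < len(argv):
            # normalise disable_functions="" -> disable_functions=
            directive = argv[i + 1].replace('"', "").lower()
            if directive in SUSPICIOUS_INI:
                hits.append(directive)
    php_target = "php" in parts.path.lower()
    # "-n" (ignore php.ini) only matters when argv actually reaches php-cgi
    verdict = php_target and (bool(hits) or "-n" in argv)
    return {"method": method, "path": parts.path, "argv": argv,
            "hits": hits, "verdict": verdict}


def scan_log(lines):
    """Return (line_number, analysis) for every log line that trips the check."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        result = analyse_request(m.group("req"))
        if result["verdict"]:
            findings.append((n, result))
    return findings


# Constructed sample log lines (combined log format); the third one is the
# encoded form of the payload quoted in the thread, as the server would log it.
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Jun/2016:20:01:02 +0000] "GET /index.php?q=tor+relay HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [17/Jun/2016:20:01:05 +0000] "GET /cgi-bin/search?tor+relay HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Jun/2016:20:02:11 +0000] "POST /cgi-bin/php-cgi?%2Dd+allow%5Furl%5Finclude%3Don+%2Dd+safe%5Fmode%3Doff+%2Dd+suhosin%2Esimulation%3Don+%2Dd+disable%5Ffunctions%3D%22%22+%2Dd+open%5Fbasedir%3Dnone+%2Dd+auto%5Fprepend%5Ffile%3Dphp%3A%2F%2Finput+%2Dd+cgi%2Eforce%5Fredirect%3D0+%2Dd+cgi%2Eredirect%5Fstatus%5Fenv%3D0+%2Dn HTTP/1.1" 404 292 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, r in scan_log(SAMPLE_LOG):
        print(f"line {n}: {r['method']} {r['path']} argv={r['argv']}")
        print(f"  suspicious -d directives: {r['hits']}")
```

The check deliberately keys on the raw, undecoded query lacking "=" rather than on the %XX noise itself, because that is the condition under which the server hands the query to php-cgi as arguments; a query such as "?page=home" is never treated that way, so benign PHP traffic does not trip it. The server logs the request line, not the POST body, so, as Michael says, the uploaded PHP itself is not recoverable from this evidence.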
