[Owncloud] cgi-bin attacks
Joerg Mertin
smurphy at solsys.org
Thu Jan 30 09:31:24 UTC 2014
This is a little off-topic, but it may be interesting for some ...
There are actually quite a lot of attacks in the wild, but that varies depending
on what malware is out there...
I don't know how secure owncloud is - I only use it inside my LAN and my
firewall blocks all access to it and/or redirects specific requests to my web
server, which in turn has some active protections (dynamic blacklisting
enabled depending on the behavior of the requests).
Below are the currently most common "probing" attempts I have collected in my
database.
There are many others - I skip those here though:
/admin.php
/system.php
/phpMyAdmin/scripts/setup.php
/pma/scripts/setup.php
/phpTest/zologize/axa.php
/myadmin/scripts/setup.php
/linux
/wp-login.php?action=register
/admin/config.php
/projects.php?arg=isc_2_shorewall
I also keep a list of all IPs probing my site - and I have approximately
1500/month - so the numbers are huge - even though my site is just a private
hobby ...
Now - my system is pretty strict on these. As soon as someone probes/requests
these without a referer coming from my site - it is blocked immediately by the
firewall. If there is a correct referer, after the 3rd attempt - the IP is
blocked through WebInterface quarantine with an error message - if he continues
from the current IP, the firewall also gets the order to block that IP for
24 hours.
Note that as this IP is now marked as "elevated threat level", any next
attempt to access the site in a way that it was not designed for will block
this IP the next time for 7 days. The next attempt - 365 days.
And when I say "in a way that it was not designed for", I mean that if the URL
has id=123 and it is changed to something else (a string, whatever): any data
that comes in is type-checked and validated. If validation fails -> dynamic
blacklist entry, because I can assume that this is an intentional break-in
attempt.
Grandma would not know that she can manipulate a URL :}
Of course - I do have some other sources of bad IPs in my blacklists. However,
I found out that putting all known "ad servers"
(http://pgl.yoyo.org/adservers/serverlist.php?hostformat=bindconfig&showintro=0&mimetype=plaintext)
into my DNS, hijacking the SOA and redirecting all hostnames to 127.0.0.1,
speeds up website loading tremendously, and no ads :}
I know - this is a very strict handling, but it actually works quite nicely and
keeps way more junk out of my entire LAN than any AV software (that I don't
use anyway) could do.
Joerg
On Wednesday 29 January 2014 23:13:53 Mohammad Naghavi wrote:
> Hi there,
> so I'm running on nginx and as I can see there is nothing about cgi-bin in
> those settings. I'm familiar with Apache but not too much with nginx, so I
> just wanted to make sure whether that can cause me trouble.
>
> regards,
> Mohammad
>
> ====================
> Mohammad Naghavi
>
> Software engineer & analyst
> Senior web and desktop developer
> naghavi.me
>
> - at.linkedin.com/in/mohamnag/
>
> On Wed, Jan 29, 2014 at 2:02 PM, Erwin Rennert <rennert at zsi.at> wrote:
> > On 01/29/2014 01:41 PM, Mohammad Naghavi wrote:
> >> Hi everybody,
> >> I'm new to owncloud and started using it just two days ago, but I just
> >> found out that I have been attacked. They are trying requests
> >> similar to the following with different target URLs:
> >>
> >>
> >> quest: "POST
> >> /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%
> >> 63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%
> >> 65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%
> >> 6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%
> >> 5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%
> >> 5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%
> >> 5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%
> >> 69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%
> >> 64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%
> >> 72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E
> >> HTTP/1.1", host: "
> >> XXX.XXX.XXX.XXX"
> >>
> >> which decodes to:
> >>
> >> quest: "POST /cgi-bin/php4?-d allow_url_include=on -d safe_mode=off -d
> >> suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d
> >> auto_prepend_file=php://input -d cgi.force_redirect=0 -d
> >> cgi.redirect_status_env=0 -n HTTP/1.1", host: "XXX.XXX.XXX.XXX"
> >>
> >> I'm using OC 6.0.1 and I want to know if my server is prone to such
> >> attacks or not.
> >
> > See http://security.stackexchange.com/questions/46566/protect-against-post-cgi-bin-php-attacks
> >
> > Your server is prone to such attacks if it uses cgi-bin directives in
> > its Apache configuration. This is an Apache configuration issue, not
> > specifically OwnCloud.
> >
> > Good luck;
> > Erwin
> >
> >> regards,
> >> Mohammad
> >>
> >> _______________________________________________
> >> Owncloud mailing list
> >> Owncloud at kde.org
> >> https://mail.kde.org/mailman/listinfo/owncloud
> >
> > --
> > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+
> > Erwin Rennert, IT Services
> > Center for Social Innovation
> >
> > A-1150 Wien, Linke Wienzeile 246
> > Austria, Europe
> >
> > Phone: ++43-1-495 04 42 - 61
> > Facsimile: ++43-1-495 04 42 - 40
> > http://www.zsi.at/
> >
--
A hacker does for love what others would not do for money.
------------------------------------------------------------------------
Joerg Mertin in Clermont/France
Web: http://www.solsys.org
PGP: Public Key Server - Get "0x159DC660F946126F"
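As an added illustration (not code from the thread or from ownCloud), a small Python detector that applies the checks Joerg describes to request lines like the one Mohammad posted: it percent-decodes the query, flags php-cgi "-d" option injection and the listed probe paths, type-checks a known parameter, and escalates per IP through the 24 hour / 7 day / 365 day blocks. The parameter schema, the sample IPs and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus, parse_qs

# Probe paths and php-cgi directives are those quoted in the thread above.
PROBE_PATHS = {"/admin.php", "/system.php", "/phpMyAdmin/scripts/setup.php",
               "/pma/scripts/setup.php", "/myadmin/scripts/setup.php",
               "/wp-login.php", "/admin/config.php"}
PHP_CGI_DIRECTIVES = ("allow_url_include", "auto_prepend_file", "safe_mode",
                      "disable_functions", "open_basedir", "cgi.force_redirect")
PARAM_SCHEMA = {"id": r"\d+"}  # assumption: the site's id parameter is numeric
BLOCK_SCHEDULE_HOURS = (24, 24 * 7, 24 * 365)  # 24 hours, 7 days, 365 days

def classify(request_line):
    """Label one request line: php-cgi-injection, probe-path, bad-param or clean."""
    _method, target, _proto = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    decoded = unquote_plus(query)  # undo the %xx encoding seen in the log excerpt
    # php-cgi option injection: "-d directive=value" smuggled via the query string
    if path.startswith("/cgi-bin/php") and "-d " in decoded \
            and any(d in decoded for d in PHP_CGI_DIRECTIVES):
        return "php-cgi-injection"
    if path in PROBE_PATHS:
        return "probe-path"
    # Type-check known parameters; a value that fails validation is a violation
    for name, values in parse_qs(decoded).items():
        pattern = PARAM_SCHEMA.get(name)
        if pattern and not all(re.fullmatch(pattern, v) for v in values):
            return "bad-param"
    return "clean"

def record_violation(state, ip, referer_from_site):
    """Per-IP escalation approximating the policy described in the post above."""
    s = state.setdefault(ip, {"strikes": 0, "level": -1})
    s["strikes"] += 1
    # No site referer, or continuing past quarantine: firewall block, one step up the schedule
    if not referer_from_site or s["strikes"] > 3:
        s["level"] = min(s["level"] + 1, len(BLOCK_SCHEDULE_HOURS) - 1)
        return "firewall-block:%dh" % BLOCK_SCHEDULE_HOURS[s["level"]]
    if s["strikes"] == 3:
        return "web-quarantine"  # 3rd attempt with a valid referer
    return "log-only"

# Constructed sample request lines, modelled on the nginx excerpt in the thread.
SAMPLES = [
    "POST /cgi-bin/php4?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6E HTTP/1.1",
    "GET /phpMyAdmin/scripts/setup.php HTTP/1.1",
    "GET /index.php?id=123 HTTP/1.1",
    "GET /index.php?id=123abc HTTP/1.1",
]
```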