On 08.11.2017 at 16:02, Paul A wrote:
Reindl, thanks for the reply, I appreciate it. In php.ini I have

[mail function]
; For Win32 only.
SMTP = localhost
smtp_port = 25
; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
sendmail_path = /usr/sbin/sendmail -t -i

should I only be getting rid of the line with sendmail?

I really don't have the time to explain how to secure a webserver properly

that should be a start

disable_functions = "apache_child_terminate, chown, dl, exec, fileinode, get_current_user, getmypid, getmyuid, getrusage, highlight_file, link, mail, openlog, passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork, pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority, pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask, pcntl_sigtimedwait, pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, pfsockopen, popen, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, socket_accept, socket_bind, symlink, syslog, system"

Also looking at the logs, the only 200 I see is,

178.175.142.131 - - [07/Nov/2017:16:05:53 -0500] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"

well, this is not the only one

I still don't see where and how it executed the email program, even though I now think it's related to the sendmail path in php.ini.

[root@mail scripts]# grep 178.175.142.131 /var/log/httpd/access_log | grep 200

don't get me wrong, but that's too much handholding, especially because this is completely off-list here - when your server triggers mails by a simple security scan (which everybody should do on their own regularly) you have a problem, and the problem is not OpenVAS, which points it out

but the obvious idea is to get rid of all 301 responses, either by | grep " 200 " or | grep -v " 301 ", and take a look at what the remaining 200 responses were and, in doubt, inspect each of the files; in case of a POST request you don't see any params in the logs because, well, it's a POST request

178.175.142.131 - - [07/Nov/2017:15:52:43 -0500] "GET /CruxPA200/login.php HTTP/1.1" 301 255 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:15:52:43 -0500] "GET /CruxPA200/Manager/login.php HTTP/1.1" 301 263 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:00:28 -0500] "GET /mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 301 360 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:00:28 -0500] "GET /scripts/mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 301 368 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:00:29 -0500] "GET /cgi-bin/mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 301 368 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:01:40 -0500] "GET /stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 301 366 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:01:41 -0500] "GET /DigitalScribe/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 301 380 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:01:41 -0500] "GET /digitalscribe/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 301 380 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:01:41 -0500] "GET /scripts/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 301 374 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:01:42 -0500] "GET /cgi-bin/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 301 374 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:02:56 -0500] "GET /booking_calendar//details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 301 406 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:02:56 -0500] "GET /cal/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 301 392 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:02:57 -0500] "GET /scripts/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 301 396 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:02:57 -0500] "GET /cgi-bin/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 301 396 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:02:59 -0500] "GET /details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 301 388 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:05:18 -0500] "GET /calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1" 301 312 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:05:19 -0500] "GET /scripts/calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1" 301 320 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:05:19 -0500] "GET /cgi-bin/calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1" 301 320 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:05:53 -0500] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"

-----Original Message-----
From: Openvas-discuss [mailto:[email protected]]
On Behalf Of Reindl Harald
Sent: Tuesday, November 07, 2017 7:41 PM
To: [email protected]
Subject: Re: [Openvas-discuss] openVAS Cookie stealer report email



On 07.11.2017 at 23:51, Paul A wrote:
Hi, recently I got an email with the subject "Cookie stealer report".
I looked at my apache logs and noticed a particular IP scanning my
server at that time using OpenVAS, which I had never heard of
before. Doing some research I found the mailing list for OpenVAS and
found out what the program does. With that said, I'm a bit concerned
that someone using a scanning program was able to send an email
through my server from the user apache.

Return-Path: <apache@xxx>
X-Original-To: razor@xx
Delivered-To: razor@xx
Received: by mail.xxx (Postfix, from userid 48)

well, you obviously have a vulnerable script calling sendmail (Postfix, from
userid 48) and the first question you should answer yourself is why
"mail" is not in disable_functions in your php.ini - any proper software can
use SMTP, which has fewer security implications like additional mail headers
with \n in the subject and all that can of worms over decades

why does your server respond with 301 (Moved Permanently) instead of 404
(Not Found) to requests for non-existing files?

I guess the log is only a small part,
so grep for 200 and the IP 178.175.142.131

cat logfile | grep 200 | grep "178\.175\.142\.131"

there must have been at least one with a status code 200 not falling under
"seem to be files I don't have on the server"
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
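The triage Reindl describes (keep only the scanner's requests, drop the 301s, look at what the remaining 200s hit, and remember that POST parameters never show up in access_log) as a small Python script. This is an added example, not code from the thread or from OpenVAS. It parses Apache's combined log format; the scanner IP is the one from the thread, the first two sample lines are adapted from the posted log, and the /contact.php hits and the 203.0.113.9 line are constructed to show a request that a script actually handled. It also shows, as count_grep, why the thread moved from `grep 200` to `grep " 200 "`.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Probe fragments the scanner in the thread carries in its URLs (plus two
# common ones, path traversal and /etc/passwd, added here as an assumption).
PAYLOAD_RE = re.compile(r"union\s+(?:all\s+)?select|<script|\.\./|/etc/passwd", re.I)


def parse(line):
    """Split one combined-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    parts = e["req"].split(" ")
    e["method"] = parts[0] if parts else ""
    e["path"] = parts[1] if len(parts) > 1 else ""
    e["status"] = int(e["status"])
    return e


def triage(lines, scanner_ip, ignore=(301, 404)):
    """Return (status histogram, hits) for one client IP.

    A hit is a request that was NOT redirected or rejected (status not in
    `ignore`), i.e. one that some script on the server actually handled.
    Notes per hit: 'payload-in-url' when a probe is visible in the decoded
    query string; 'post-body-not-logged' for POSTs, whose parameters never
    reach access_log, so the target script itself has to be inspected.
    """
    by_status = Counter()
    hits = []
    for line in lines:
        e = parse(line)
        if e is None or e["ip"] != scanner_ip:
            continue
        by_status[e["status"]] += 1
        if e["status"] in ignore:
            continue
        notes = []
        if PAYLOAD_RE.search(unquote(e["path"])):
            notes.append("payload-in-url")
        if e["method"] == "POST":
            notes.append("post-body-not-logged")
        hits.append({"ts": e["ts"], "method": e["method"], "path": e["path"],
                     "status": e["status"], "notes": notes})
    return by_status, hits


def count_grep(lines, needle):
    """Equivalent of `grep -c NEEDLE`: plain substring match, no field awareness.
    A bare '200' also matches '/CruxPA200/' and '%200x...' in the URL."""
    return sum(1 for line in lines if needle in line)


# Constructed sample log (first two lines adapted from the thread, the rest invented).
SAMPLE_LOG = """\
178.175.142.131 - - [07/Nov/2017:15:52:43 -0500] "GET /CruxPA200/login.php HTTP/1.1" 301 255 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:00:28 -0500] "GET /mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 301 360 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:03:10 -0500] "GET /contact.php?msg=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 200 1843 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:03:11 -0500] "POST /contact.php HTTP/1.1" 200 1790 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
178.175.142.131 - - [07/Nov/2017:16:05:53 -0500] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
203.0.113.9 - - [07/Nov/2017:16:06:00 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    by_status, hits = triage(lines, "178.175.142.131")
    print("status histogram for scanner:", dict(by_status))
    for h in hits:
        print(h["status"], h["method"], h["path"], h["notes"])
    print('grep "200":', count_grep(lines, "200"), '  grep " 200 ":', count_grep(lines, " 200 "))
```

On the sample, only three scanner requests survive the 301 filter: the XSS probe against /contact.php, a POST to the same script (no parameters visible, so the script is what has to be read), and the OPTIONS * request that carries no payload at all. Run against a real access_log, feed it `open(path)` instead of the sample and look at every surviving path that maps to a script which can call mail().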

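Reindl's reason for putting mail in disable_functions is the classic header injection: PHP's mail() concatenates $to, $subject and $headers into the header block it pipes to `sendmail -t -i`, and `-t` makes sendmail take the recipients from the To/Cc/Bcc headers it finds there, so a newline inside a form field becomes a new, delivered header. Below is an added Python model of that behaviour beside the hardened form; it is not PHP, not the thread's code and not a PHP internals reproduction, only the header concatenation that matters here. The addresses and the attacker's subject are constructed placeholders.

```python
import re

# Header field-name characters allowed by RFC 5322: printable US-ASCII except ':'.
HEADER_LINE = re.compile(r"^([!-9;-~]+):[ \t]*(.*)$")


class HeaderInjection(ValueError):
    """Raised when a user-supplied value would start a new header line."""


def build_message_naive(to, subject, body, extra_headers=""):
    """Model of what mail($to, $subject, $message, $headers) hands to sendmail -t -i:
    the values are pasted into the header block verbatim. A CR or LF inside
    $subject ends the Subject line, and whatever follows is parsed as a further
    header (or, after a blank line, as the body). Deliberately unsafe."""
    head = f"To: {to}\r\nSubject: {subject}\r\n"
    if extra_headers:
        head += extra_headers.rstrip("\r\n") + "\r\n"
    return head + "\r\n" + body


def header_names(raw_message):
    """Header field names a sendmail-style parser would see, in order, lower-cased."""
    head = re.split(r"\r?\n\r?\n", raw_message, maxsplit=1)[0]
    names = []
    for line in re.split(r"\r?\n", head):
        m = HEADER_LINE.match(line)
        if m:
            names.append(m.group(1).lower())
    return names


def safe_header_value(value):
    """Reject any value that could break out of its header line."""
    if re.search(r"[\r\n\x00]", value):
        raise HeaderInjection(f"CR/LF/NUL in header value: {value!r}")
    return value


def build_message_safe(to, subject, body):
    """Hardened form: every user-controlled value is checked before it is placed
    in the header block, which is the check a proper mail library performs for you."""
    return build_message_naive(safe_header_value(to), safe_header_value(subject), body)


def rejects(to, subject):
    """True if the hardened builder refuses this (to, subject) pair."""
    try:
        build_message_safe(to, subject, "")
        return False
    except HeaderInjection:
        return True


if __name__ == "__main__":
    # Constructed attacker input: a web-form field that ends up as the Subject.
    evil_subject = "Hello\nBcc: attacker@example.invalid"
    raw = build_message_naive("razor@example.invalid", evil_subject, "hi")
    print("headers sendmail -t would act on:", header_names(raw))
    print("hardened builder rejects it:", rejects("razor@example.invalid", evil_subject))
```

With the naive builder the injected Bcc line is a real header, which is exactly how a scanner's XSS or injection probe against a contact form turns into mail "from userid 48" arriving in someone's inbox; with the check in place the request fails instead of sending. Disabling mail() in php.ini, as in the disable_functions line above, removes the whole code path regardless of how well each script validates its input.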