Thanks for the info you gave me; I realize this is not the list for this. I was
able to determine they were hitting the SSL site that serves webmail. I do
see the 200s.
One in particular has me worried:
178.175.142.131 - - [07/Nov/2017:16:04:38 -0500] "GET /src/download.php?file=etc/passwd HTTP/1.1" 200 1484
Did they actually download that password file? Thanks for your recommendations.
P
[root@mail src]# grep 178.175.142.131 /var/log/httpd/ssl_access_log | grep 200
178.175.142.131 - - [07/Nov/2017:15:48:51 -0500] "GET /1/ HTTP/1.1" 404 200
178.175.142.131 - - [07/Nov/2017:15:48:53 -0500] "GET /2/ HTTP/1.1" 404 200
178.175.142.131 - - [07/Nov/2017:15:48:54 -0500] "GET /3/ HTTP/1.1" 404 200
178.175.142.131 - - [07/Nov/2017:15:48:55 -0500] "GET /4/ HTTP/1.1" 404 200
178.175.142.131 - - [07/Nov/2017:15:48:56 -0500] "GET /5/ HTTP/1.1" 404 200
178.175.142.131 - - [07/Nov/2017:15:48:57 -0500] "GET /6/ HTTP/1.1" 404 200
178.175.142.131 - - [07/Nov/2017:15:48:57 -0500] "GET /7/ HTTP/1.1" 404 200
178.175.142.131 - - [07/Nov/2017:15:48:59 -0500] "GET /8/ HTTP/1.1" 404 200
178.175.142.131 - - [07/Nov/2017:15:49:00 -0500] "GET /9/ HTTP/1.1" 404 200
178.175.142.131 - - [07/Nov/2017:15:49:33 -0500] "GET /ChangeLog HTTP/1.1" 200 78728
178.175.142.131 - - [07/Nov/2017:15:49:57 -0500] "GET /README HTTP/1.1" 200 2635
178.175.142.131 - - [07/Nov/2017:15:50:06 -0500] "GET /ChangeLog HTTP/1.1" 200 78728
178.175.142.131 - - [07/Nov/2017:15:50:19 -0500] "GET /README HTTP/1.1" 200 2635
178.175.142.131 - - [07/Nov/2017:15:50:40 -0500] "GET /scripts/dcshop.cgi_11920046 HTTP/1.1" 404 225
178.175.142.131 - - [07/Nov/2017:15:51:41 -0500] "GET /src/login.php HTTP/1.1" 200 5444
178.175.142.131 - - [07/Nov/2017:15:51:45 -0500] "GET /plugins/login_auto/security.en.php HTTP/1.1" 200 2343
178.175.142.131 - - [07/Nov/2017:15:51:49 -0500] "GET /themes/css/XP_BlueSky.css HTTP/1.1" 200 12030
178.175.142.131 - - [07/Nov/2017:15:51:54 -0500] "GET /test.php HTTP/1.1" 200 -
178.175.142.131 - - [07/Nov/2017:15:52:05 -0500] "GET /src/login.php HTTP/1.1" 200 5444
178.175.142.131 - - [07/Nov/2017:15:52:40 -0500] "GET /CruxPA200/login.php HTTP/1.1" 404 217
178.175.142.131 - - [07/Nov/2017:15:52:41 -0500] "GET /CruxPA200/Manager/login.php HTTP/1.1" 404 225
178.175.142.131 - - [07/Nov/2017:15:53:15 -0500] "GET /test.php HTTP/1.1" 200 -
178.175.142.131 - - [07/Nov/2017:15:53:52 -0500] "GET /src/configtest.php HTTP/1.1" 200 3062
178.175.142.131 - - [07/Nov/2017:15:53:53 -0500] "GET /plugins/login_auto/security.en.php HTTP/1.1" 200 2343
178.175.142.131 - - [07/Nov/2017:15:53:53 -0500] "GET /src/login.php HTTP/1.1" 200 5444
178.175.142.131 - - [07/Nov/2017:15:54:13 -0500] "GET //test.php HTTP/1.1" 200 -
178.175.142.131 - - [07/Nov/2017:15:54:25 -0500] "GET /src/search.php?dosearch=true&query=\"><script>alert(document.cookie)</script> HTTP/1.1" 200 1484
178.175.142.131 - - [07/Nov/2017:15:54:45 -0500] "GET /manual/en/index.html HTTP/1.1" 200 7234
178.175.142.131 - - [07/Nov/2017:15:59:03 -0500] "GET /README HTTP/1.1" 200 2635
178.175.142.131 - - [07/Nov/2017:15:59:17 -0500] "GET /plugins/login_auto/README HTTP/1.1" 200 1768
178.175.142.131 - - [07/Nov/2017:16:00:23 -0500] "GET /mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 404 205
178.175.142.131 - - [07/Nov/2017:16:00:24 -0500] "GET /scripts/mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 404 213
178.175.142.131 - - [07/Nov/2017:16:00:25 -0500] "GET /cgi-bin/mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 404 213
178.175.142.131 - - [07/Nov/2017:16:00:26 -0500] "GET /src/mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 404 209
178.175.142.131 - - [07/Nov/2017:16:00:27 -0500] "GET /plugins/login_auto/mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 404 224
178.175.142.131 - - [07/Nov/2017:16:00:29 -0500] "GET /src/search.php?q=<script>alert('openvas-xss-test')</script> HTTP/1.1" 200 1484
178.175.142.131 - - [07/Nov/2017:16:00:39 -0500] "GET /src/search.php?s=%3Cscript%3Ealert(%27openvas-xss-test%27)%3C/script%3E HTTP/1.1" 200 1484
178.175.142.131 - - [07/Nov/2017:16:01:02 -0500] "GET /src/search.php?seed=1%27 HTTP/1.1" 200 1484
178.175.142.131 - - [07/Nov/2017:16:01:32 -0500] "GET /stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 404 216
178.175.142.131 - - [07/Nov/2017:16:01:33 -0500] "GET /DigitalScribe/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 404 230
178.175.142.131 - - [07/Nov/2017:16:01:34 -0500] "GET /digitalscribe/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 404 230
178.175.142.131 - - [07/Nov/2017:16:01:36 -0500] "GET /scripts/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 404 224
178.175.142.131 - - [07/Nov/2017:16:01:37 -0500] "GET /cgi-bin/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 404 224
178.175.142.131 - - [07/Nov/2017:16:01:38 -0500] "GET /src/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 404 220
178.175.142.131 - - [07/Nov/2017:16:01:39 -0500] "GET /plugins/login_auto/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 404 235
178.175.142.131 - - [07/Nov/2017:16:01:49 -0500] "GET /src/search.php?query=1<script>alert(document.cookie);</script>&mode=all HTTP/1.1" 200 1484
178.175.142.131 - - [07/Nov/2017:16:02:48 -0500] "GET /booking_calendar//details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 404 232
178.175.142.131 - - [07/Nov/2017:16:02:49 -0500] "GET /cal/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 404 218
178.175.142.131 - - [07/Nov/2017:16:02:50 -0500] "GET /scripts/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 404 222
178.175.142.131 - - [07/Nov/2017:16:02:51 -0500] "GET /cgi-bin/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 404 222
178.175.142.131 - - [07/Nov/2017:16:02:52 -0500] "GET /src/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 404 218
178.175.142.131 - - [07/Nov/2017:16:02:53 -0500] "GET /plugins/login_auto/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 404 233
178.175.142.131 - - [07/Nov/2017:16:02:55 -0500] "GET /details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 404 214
178.175.142.131 - - [07/Nov/2017:16:02:59 -0500] "POST /plugins/login_auto/security.en.php?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 200 2343
178.175.142.131 - - [07/Nov/2017:16:03:00 -0500] "POST /plugins/login_auto/security.en.php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 200 2343
178.175.142.131 - - [07/Nov/2017:16:03:01 -0500] "POST /src/login.php?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 200 5444
178.175.142.131 - - [07/Nov/2017:16:03:02 -0500] "POST /src/login.php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 200 5444
178.175.142.131 - - [07/Nov/2017:16:03:33 -0500] "GET /src/download.php?id=-1+union+select+1,0x4f70656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 200 1484
178.175.142.131 - - [07/Nov/2017:16:04:29 -0500] "GET /src/login.php?url=index.php%3F HTTP/1.1" 200 5444
178.175.142.131 - - [07/Nov/2017:16:04:38 -0500] "GET /src/download.php?file=etc/passwd HTTP/1.1" 200 1484
178.175.142.131 - - [07/Nov/2017:16:05:13 -0500] "GET /calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1" 404 210
178.175.142.131 - - [07/Nov/2017:16:05:14 -0500] "GET /scripts/calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1" 404 218
178.175.142.131 - - [07/Nov/2017:16:05:15 -0500] "GET /src/login.php?ref='%3e%3cscript%3ealert(upb_xss.nasl)%3c%2fscript%3e HTTP/1.1" 200 5444
178.175.142.131 - - [07/Nov/2017:16:05:15 -0500] "GET /cgi-bin/calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1" 404 218
178.175.142.131 - - [07/Nov/2017:16:05:16 -0500] "GET /src/calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1" 404 214
178.175.142.131 - - [07/Nov/2017:16:05:17 -0500] "GET /plugins/login_auto/calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1" 404 229
178.175.142.131 - - [07/Nov/2017:16:05:22 -0500] "GET /src/search.php?query=we+%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&topic=0&limit=30 HTTP/1.1" 200 1484
178.175.142.131 - - [07/Nov/2017:16:05:26 -0500] "OPTIONS * HTTP/1.1" 200 -
178.175.142.131 - - [07/Nov/2017:16:05:31 -0500] "OPTIONS /scripts/ HTTP/1.1" 200 -
178.175.142.131 - - [07/Nov/2017:16:05:32 -0500] "GET /src/search.php?searchfor=\"><script>window.alert(document.cookie);</script> HTTP/1.1" 200 1484
178.175.142.131 - - [07/Nov/2017:16:05:34 -0500] "GET /src/login.php?login=<script>foo</script> HTTP/1.1" 200 5444
-----Original Message-----
From: Openvas-discuss [mailto:[email protected]] On
Behalf Of Reindl Harald
Sent: Wednesday, November 08, 2017 10:22 AM
To: [email protected]
Subject: Re: [Openvas-discuss] openVAS Cookie stealer report email
On 08.11.2017 at 16:02, Paul A wrote:
> Reindl, thanks for the reply I appreciate it. In php.ini I have
>
> [mail function]
> ; For Win32 only.
> SMTP = localhost
> smtp_port = 25
> ; For Unix only. You may supply arguments as well (default: "sendmail
> -t -i").
> sendmail_path = /usr/sbin/sendmail -t -i
>
> should I only be getting rid of the line with sendmail?
I really don't have the time to explain how to secure a webserver properly;
that should be a start:
disable_functions = "apache_child_terminate, chown, dl, exec, fileinode,
get_current_user, getmypid, getmyuid, getrusage, highlight_file, link, mail,
openlog, passthru, pclose, pcntl_alarm, pcntl_errno, pcntl_exec, pcntl_fork,
pcntl_get_last_error, pcntl_getpriority, pcntl_setpriority,
pcntl_signal_dispatch, pcntl_signal, pcntl_sigprocmask, pcntl_sigtimedwait,
pcntl_sigwaitinfo, pcntl_strerror, pcntl_wait, pcntl_waitpid,
pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped,
pcntl_wstopsig, pcntl_wtermsig, pfsockopen, popen, posix_kill, posix_mkfifo,
posix_setpgid, posix_setsid, posix_setuid, proc_close, proc_get_status,
proc_nice, proc_open, proc_terminate, shell_exec, show_source, socket_accept,
socket_bind, symlink, syslog, system"
> Also looking at the logs, the only 200 I see is:
>
> 178.175.142.131 - - [07/Nov/2017:16:05:53 -0500] "OPTIONS * HTTP/1.1" 200 - "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
well, this is not the only one
> I still don't see where and how it executed the email program, even
> though I now think it's related to the sendmail path in php.ini.
>
> [root@mail scripts]# grep 178.175.142.131 /var/log/httpd/access_log | grep 200
don't get me wrong, but that's too much handholding, especially because this is
completely off-list here - when your server triggers mails by a simple security
scan (which everybody should do on their own regularly) you have a problem, and
that is not OpenVAS, which merely points it out
but the obvious idea is to get rid of all 301 responses, either by | grep "
200 " or | grep -v " 301 ", and take a look at what the remaining 200 responses
were and in doubt inspect each of the files; in case of a POST request you
don't see any param in the logs because, well, it's a POST request
> 178.175.142.131 - - [07/Nov/2017:15:52:43 -0500] "GET
> /CruxPA200/login.php HTTP/1.1" 301 255 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS
> 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:15:52:43 -0500] "GET
> /CruxPA200/Manager/login.php HTTP/1.1" 301 263 "-" "Mozilla/5.0 [en]
> (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:00:28 -0500] "GET
> /mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%200x4f706
> 56e564
> 1532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 301 360 "-"
> "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:00:28 -0500] "GET
> /scripts/mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%2
> 00x4f7
> 0656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 301 368 "-"
> "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:00:29 -0500] "GET
> /cgi-bin/mod.php?mod=publisher&op=allmedia&artid=-1%20union%20select%2
> 00x4f7
> 0656e5641532d53514c2d496e6a656374696f6e2d54657374 HTTP/1.1" 301 368 "-"
> "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:01:40 -0500] "GET
> /stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e5641532d
> 53514c
> 2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1" 301
> 366 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:01:41 -0500] "GET
> /DigitalScribe/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f
> 70656e
> 5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23
> HTTP/1.1" 301 380 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:01:41 -0500] "GET
> /digitalscribe/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f
> 70656e
> 5641532d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23
> HTTP/1.1" 301 380 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:01:41 -0500] "GET
> /scripts/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e
> 564153
> 2d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1"
> 301 374 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:01:42 -0500] "GET
> /cgi-bin/stuworkdisplay.php?ID=-1)%20UNION%20ALL%20SELECT%200x4f70656e
> 564153
> 2d53514c2d496e6a656374696f6e2d54657374,2,3,4,5,6,7,8,9,10,11%23 HTTP/1.1"
> 301 374 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:02:56 -0500] "GET
> /booking_calendar//details_view.php?event_id=1&date=2000-12-01&view=mo
> nth&lo
> c=loc1&page_info_message=<script>alert(/openvas-xss-test/)</script>
> HTTP/1.1" 301 406 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:02:56 -0500] "GET
> /cal/details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&p
> age_in fo_message=<script>alert(/openvas-xss-test/)</script> HTTP/1.1"
> 301 392 "-"
> "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:02:57 -0500] "GET
> /scripts/details_view.php?event_id=1&date=2000-12-01&view=month&loc=lo
> c1&pag e_info_message=<script>alert(/openvas-xss-test/)</script>
> HTTP/1.1" 301 396 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:02:57 -0500] "GET
> /cgi-bin/details_view.php?event_id=1&date=2000-12-01&view=month&loc=lo
> c1&pag e_info_message=<script>alert(/openvas-xss-test/)</script>
> HTTP/1.1" 301 396 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:02:59 -0500] "GET
> /details_view.php?event_id=1&date=2000-12-01&view=month&loc=loc1&page_
> info_m essage=<script>alert(/openvas-xss-test/)</script> HTTP/1.1" 301
> 388 "-"
> "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:05:18 -0500] "GET
> /calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1"
> 301 312 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:05:19 -0500] "GET
> /scripts/calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1"
> 301 320 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:05:19 -0500] "GET
> /cgi-bin/calendar.php?year=2004&month=<script>foo</script>&day=01 HTTP/1.1"
> 301 320 "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
> 178.175.142.131 - - [07/Nov/2017:16:05:53 -0500] "OPTIONS * HTTP/1.1"
> 200 - "-" "Mozilla/5.0 [en] (X11, U; OpenVAS 8.0.9)"
>
> -----Original Message-----
> From: Openvas-discuss
> [mailto:[email protected]]
> On Behalf Of Reindl Harald
> Sent: Tuesday, November 07, 2017 7:41 PM
> To: [email protected]
> Subject: Re: [Openvas-discuss] openVAS Cookie stealer report email
>
>
>
> On 07.11.2017 at 23:51, Paul A wrote:
>> Hi, recently I got an email with the subject, “Cookie stealer report
>> “ I looked at my apache logs and notice a particular ip scanning my
>> server at that time using OpenVAS which I had never heard of it
>> before. Doing some research I found the mailing list for OpenVAS and
>> found out that the program does. With that said I’m a bit concerned
>> that someone using a scanning program was able to send an email
>> through my server from the user apache.
>>
>> Return-Path: <apache@xxx>
>> X-Original-To: razor@xx
>> Delivered-To: razor@xx
>> Received: by mail.xxx (Postfix, from userid 48)
>
> well, you obviously have a vulnerable script calling sendmail
> (Postfix, from userid 48) and the first question you should answer
> yourself is why "mail" is not in disable_functions in your php.ini -
> any proper software can use SMTP, which has fewer security implications
> like additional mail-headers with \n in the subject and all that can
> of worms over decades
>
> why does your server respond with 301 (Moved Permanently) instead of
> 404 (Not Found) to requests for non-existing files?
>
> I guess the log is only a small part
> so grep for 200 and the ip 178.175.142.131
>
> cat logfile | grep 200 | grep "178\.175\.142\.131"
>
> there must have been at least one with a status code 200 not falling
> under "seem to be files I don't have on the server"
_______________________________________________
Openvas-discuss mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss