Atomic Secure Linux
Post subject: Worrying log entry
Posted: Tue Jan 27, 2015 12:31 pm
Long Time Forum Regular (Joined: Thu Dec 09, 2004 11:19 am; Posts: 2321)
This is on a NON-ASL WP installation.

In the httpd access_log for a particular WordPress site, I noticed this:

Code:
92.63.87.10 - - [27/Jan/2015:16:06:19 +0000] "GET / HTTP/1.1" 301 279 "http://billmanengquist.se/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php" "Mozilla/5.0 (Macintosh;Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.803.0 Safari/535.1"

92.63.87.10 - - [27/Jan/2015:16:06:28 +0000] "GET / HTTP/1.1" 200 64025 "http://billmanengquist.se/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.803.0 Safari/535.1"


To me, this appears to be an attempt to obtain the wp-config for a domain via what is probably an insecure theme.

What's confusing me is that the domain shown in the log entry is not hosted on the server in question.

And what seems to be happening is a 301 redirect followed by a 200 OK with a significant amount of data.

I seem to recall that when there's a GET with a different domain in a log, it is usually an attempt at using the server as a proxy, which invariably fails on a Plesk box, if I recall correctly.

But given that a chunk of data seemed to be transferred, something different seems to be happening here and I'm afraid I can't work it out.

Can someone shed some light please?

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Post subject: Re: Worrying log entry
Posted: Tue Jan 27, 2015 3:16 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm; Posts: 4087; Location: Chantilly, VA)
That's a referrer, not the request. The request was for "GET /"; the referrer was "http://billmanengquist.se/wp-content/themes/antioch/lib/scripts/download.php?file=../../../../../wp-config.php".

That's harmless in the referrer, and it's why you're seeing a different domain in the referrer. That's normal. The IP is on the Atomicorp Threat Intelligence index:

https://loggerhead/int/lookup/?ip_search=92.63.87.10

So if you're worried about the source, just make sure you have enabled the TI.

_________________
Michael Shinn
Atomicorp - Security For Everyone
Post subject: Re: Worrying log entry
Posted: Tue Jan 27, 2015 3:26 pm
Long Time Forum Regular (Joined: Thu Dec 09, 2004 11:19 am; Posts: 2321)
So what you are saying is that I'm going blind in my old age?

ROFL.

Thanks though. Yes, makes sense.

Unfortunately this is a non-ASL machine. Not mine but I look after it, for my sins.

Post subject: Re: Worrying log entry
Posted: Tue Jan 27, 2015 3:30 pm
Atomicorp Staff - Site Admin (Joined: Thu Feb 07, 2008 7:49 pm; Posts: 4087; Location: Chantilly, VA)
Aren't we all going blind in our old age? :-)

It's an interesting referrer by itself, awfully weird to see it there. I'd look at what else that IP sent, and that domain.
Post subject: Re: Worrying log entry
Posted: Wed Jan 28, 2015 10:32 am
Long Time Forum Regular (Joined: Thu Dec 09, 2004 11:19 am; Posts: 2321)
There was only one other entry, which I'm afraid I have since lost track of, but as I recall it wasn't too interesting.

I did a clamscan on the hosted domain (standard rules, not ASL ones) and it came out OK, and the WP installation was up to date, so I'm not too worried.