<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>## further rumbling :(<br>
</p>
<p>I'll question the use of words "if you horribly misconfigure your
web server" as in "should we put the blame there"?</p>
<p>Let's zoom out from this particular GET request to /etc/passwd<br>
</p>
<p>This is a directory traversal attack. In my case, hacked
confluence server, an attacker probably tried to read /etc/passwd
as well, why not try? In *standard* confluence configuration
confluence user is added to the system, under which app is run.
Hacked process placed into cron for confluence user a regularly
running script that was pulling some binary via two hoops. That
binary was taking all of CPU, i.e. it was crypto mining, not the
protein folding! Even properly configured by admin server is
vulnerable.<br>
</p>
<p>As an admin, what am I supposed to do, when a standard setting
with this bug in code let's anyone from the web. There was no
horrible misconfiguration on my confluence server. I was spared by
isolating the server with LXC, and not having important stuff on
that server.</p>
<p>You may ask, why the server was allowed to egress to get bad
code. This atlassian shit refuses to work cleanly without egress
-- updates, etc. May be I should've blackholed DNS egress? Exit
hoops used ips.<br>
</p>
<p>Attackers found my confluence server, cause it was on the domain
confluence.3nsoft.net. Third section in domain, named after the
product -- this is a give away, exploited by these automated web
trawling operations. Should I call this domain a "horrible
misconfiguration"?<br>
</p>
<p>If you happen to have a web app with touchy data, do the
following. Set it up in LXC. Setup tor proxy in LXC. Use your
stuff from Tor browser. At least you are not enumerated in DNS for
blanked targeting. Yey for Tor! The kicker is that it may take you
less time to setup Tor then to make a separate domain and setup
TLS, ... we configure TLS proxy to be on a separate system, right?
:)<br>
</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 2019-12-28 11:14 a.m., John Van
Ostrand wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAGCrr8jDBS-n6NonzQiNqV-C1TG9ZtDZ0ZLyqeypQUfSXzrpfQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">I think you can also be exposed if you horribly
misconfigure your web server to allow access to those
directories and files.</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Sat, Dec 28, 2019 at 10:06
AM Mikalai Birukou via kwlug-disc <<a
href="mailto:kwlug-disc@kwlug.org" moz-do-not-send="true">kwlug-disc@kwlug.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Yes, this dot operator is not sanitizing paths.</p>
<p>Is this a "let's try" automated trawling of web? I
wonder, what region is request IP from.<br>
</p>
<div>On 2019-12-28 10:00 a.m., Mikalai Birukou via
kwlug-disc wrote:<br>
</div>
<blockquote type="cite">
<p>I've duckduckgo-ed GET /download.php?file=../.</p>
<p>This shows up <a
href="https://www.tutorialrepublic.com/php-tutorial/php-file-download.php"
target="_blank" moz-do-not-send="true">https://www.tutorialrepublic.com/php-tutorial/php-file-download.php</a></p>
<p>There is download.php example file in it with</p>
<p>```</p>
<pre><code><span> <span>$file</span> <span>=</span> <span>urldecode</span><span>(</span><span>$_REQUEST</span><span>[</span><span>"file"</span><span>]</span><span>)</span><span>;</span> <span>// Decode URL-encoded string</span>
<span>$filepath</span> <span>=</span> <span>"images/"</span> <span>.</span> <span>$file</span><span>;</span>
</span></code></pre>
<p>```</p>
<p>PHP isn't my language, but nothing here jumps out,
saying sanitize path.</p>
<p>How many people can use this example to add a download
functionality to whatever app/site. StackOverflow style
programming?<br>
</p>
<p>May be its a good idea to search system for
download.php?</p>
<p><br>
</p>
<div>On 2019-12-28 1:49 a.m., Paul Nijjar via kwlug-disc
wrote:<br>
</div>
<blockquote type="cite">
<pre>In my Apache logs I saw something like this, and my search-engine
skills are weak:
133.18.209.124 - - [27/Dec/2019:04:09:39 -0500] "GET /download.php?file=../../../../../../../../../../../../etc/passwd HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
It's pretty obvious what they are trying to do, but I am having
trouble figuring out what the target is, exactly. Is this an exploit
in a popular web package I should know about?
- Paul
</pre>
</blockquote>
<br>
<fieldset></fieldset>
<pre>_______________________________________________
kwlug-disc mailing list
<a href="mailto:kwlug-disc@kwlug.org" target="_blank" moz-do-not-send="true">kwlug-disc@kwlug.org</a>
<a href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org" target="_blank" moz-do-not-send="true">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a>
</pre>
</blockquote>
_______________________________________________<br>
</div>
kwlug-disc mailing list<br>
<a href="mailto:kwlug-disc@kwlug.org" target="_blank"
moz-do-not-send="true">kwlug-disc@kwlug.org</a><br>
<a
href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a><br>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div>John Van Ostrand<br>
</div>
<div>At large on sabbatical<br>
</div>
<br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
kwlug-disc mailing list
<a class="moz-txt-link-abbreviated" href="mailto:kwlug-disc@kwlug.org">kwlug-disc@kwlug.org</a>
<a class="moz-txt-link-freetext" href="http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org">http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org</a></pre>
</blockquote>
</body>
</html>