Archive

Archive for August, 2013

vBSDcon 2013 Registrations Now Open!

August 12, 2013 Leave a comment

vBSDcon Registrations Now Open!

In April 2013, Verisign announced vBSDcon 2013 to be held October 25 – 27, 2013 in Dulles, VA. The conference, formatted to resemble an unConference concept, will feature speakers such as David Chisnall, Luigi Rizzo, Baptiste Daroussin, Henning Brauer, Reyk Floeter, and others.  vBSDcon will include events like hacker lounges, doc sprints, BSDA exams, and a mid-conference social*.

In these most recent months, they have been developing the vBSDcon conference website hosted at http://www.vbsdcon.com/.  It includes full details surrounding the schedule, agenda, and speakers for vBSDcon.  The most recent addition to the conference website is that registrations are now open!

* Schedule is subject to change without notice, The BSDA exams are hosted by the BSD Certification group and not an official part of vBSDcon.

Apache/Plesk php Exploit

August 7, 2013 Leave a comment

While reviewing web server logs recently, I spotted the following attack…

216.237.113.27 – – [07/Aug/2013:08:12:14 -0400] “POST
/%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F
%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D
%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+
%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F
%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75
%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E
%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61
%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D
%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1”
404 209 “-” “-”

Which decodes to:

/phppath/php?-d allow_url_include=on -d safe_mode=off
-d suhosin.simulation=on -d disable_functions=”” -d
open_basedir=none -d auto_prepend_file=php://input -n

Googling turned up a few relevant results suggesting this is an attack on Plesk, a commercial web hosting automation program. Parallels, the company who owns Plesk, published a knowledge base article on the vulnerability describing how to determine if a deployment is vulnerable and how to patch the system.

One aspect of a vulnerable deployment includes an Apache configuration utilizing the following ScriptAlias configuration:

ScriptAlias /phppath/ “/usr/bin/”

For those running Plesk or others with the above configuration, it is recommended that your system be patched accordingly. Check the references below for more detailed information regarding this vulnerability.

References

Disclaimer

This blog is posted for informational purposes only. Extensive testing is recommended prior to implementing changes discussed here.

Categories: Technical Miscellany