Attacks on Apache / SquirrelMail no longer works

Sebastian.S
Posts: 437
Registered: 13.04.2003 13:17:41

Post by Sebastian.S » 20.06.2003 21:16:24

Hello,
my Apache has four VHosts:
internal:80 plain
internal:443 ssl
external:80 plain
external:443 ssl

SquirrelMail runs on all four VHosts (from the tarball, not the deb) and, by means of a plugin, always switches to SSL as soon as the login page is requested.

This has always worked so far.

Today I wanted to access SquirrelMail internally once more: the login page came up (ssl), I tried to send the data, timeout.

The same happens from every machine on the internal network.

The following shows up in /var/log/apache/error.log:

Code:

[Fri Jun 20 21:04:20 2003] [info] created shared memory segment #262146
[Fri Jun 20 21:04:20 2003] [notice] Apache/1.3.26 (Unix) Debian GNU/Linux mod_ssl/2.8.9 OpenSSL/0.9.6g PHP/4.1.2 configured -- resuming norma$
[Fri Jun 20 21:04:20 2003] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache/suexec)
[Fri Jun 20 21:04:20 2003] [info] Server built: Oct 26 2002 09:15:15
[Fri Jun 20 21:04:20 2003] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Fri Jun 20 21:10:10 2003] [info] [client 192.168.0.4] Read POST information timed out
When browsing via a proxy (megaproxy.com) for testing purposes, megaproxy reports:

Code:

THE ADDRESS BRINGS UP THE ERROR MESSAGE:

[ Megaproxy? error: Usage of POST is temporarily disabled. ]
What stands out are accesses to the Apache of this form (access.log):

Code:

80.142.38.107 - - [19/Jun/2003:04:44:44 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 376 "$
80.142.38.107 - - [19/Jun/2003:04:44:44 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 376 "$
80.142.38.107 - - [19/Jun/2003:04:44:45 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.ex$
80.142.38.107 - - [19/Jun/2003:04:44:45 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
80.142.38.107 - - [19/Jun/2003:04:44:45 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
80.142.38.107 - - [19/Jun/2003:04:44:46 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
80.142.38.107 - - [19/Jun/2003:04:44:46 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
80.142.38.107 - - [19/Jun/2003:04:44:46 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 342 "-" "-"
80.142.38.107 - - [19/Jun/2003:04:44:46 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 342 "-" "-"
80.142.38.107 - - [19/Jun/2003:04:44:47 +0200] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 359 "-" "-"
80.142.38.107 - - [19/Jun/2003:04:44:47 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 359 "-" "-"
80.142.179.63 - - [19/Jun/2003:07:00:31 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX$
80.142.38.107 - - [19/Jun/2003:07:29:47 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
80.142.38.107 - - [19/Jun/2003:07:29:48 +0200] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 335 "-" "-"
80.142.38.107 - - [19/Jun/2003:07:29:48 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 345 "-" "-"
80.142.38.107 - - [19/Jun/2003:07:29:48 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 345 "-" "-"
80.142.38.107 - - [19/Jun/2003:07:29:49 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 359 "-" "-"
80.142.38.107 - - [19/Jun/2003:07:29:49 +0200] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 376 "$
80.142.38.107 - - [19/Jun/2003:07:29:49 +0200] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 376 "$
80.142.38.107 - - [19/Jun/2003:07:29:50 +0200] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.ex$
80.142.38.107 - - [19/Jun/2003:07:29:50 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
80.142.38.107 - - [19/Jun/2003:07:29:50 +0200] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
80.142.38.107 - - [19/Jun/2003:07:29:51 +0200] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
80.142.38.107 - - [19/Jun/2003:07:29:51 +0200] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
80.142.38.107 - - [19/Jun/2003:07:29:51 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 342 "-" "-"
80.142.38.107 - - [19/Jun/2003:07:29:52 +0200] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 342 "-" "-"

How do I get SquirrelMail running again? What is the error? How can I check whether I have been "hacked"?


Thanks


Sebastian
Humanity stands at a crossroads. [...] Will we evaluate, learn and profit
from [...] these new ideas and opportunities, or will we [...] suppress all of this in favor of
intellectually weak, [...] and sometimes brutally unfair
and inefficient policies?
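One way to start answering the "was I hacked?" question from the access.log, added here as an example and not code from the post: it parses Apache combined-format lines, strips the double and overlong percent-encoding from the traversal probes, and reports per client how many such requests there were and how many were answered with 2xx/3xx instead of 404/400. The sample lines are constructed from the post's excerpt; the indicator lists and the "succeeded" heuristic are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample modelled on the access.log excerpt in the post: three of its complete
# lines, a shortened Code Red style default.ida probe, and one ordinary SquirrelMail POST.
SAMPLE_LOG = """\
80.142.38.107 - - [19/Jun/2003:04:44:45 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 358 "-" "-"
80.142.38.107 - - [19/Jun/2003:04:44:46 +0200] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 342 "-" "-"
80.142.38.107 - - [19/Jun/2003:04:44:47 +0200] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 359 "-" "-"
80.142.179.63 - - [19/Jun/2003:07:00:31 +0200] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 300 "-" "-"
192.168.0.4 - - [20/Jun/2003:21:04:30 +0200] "POST /SquirrelMail/src/redirect.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Apache combined log: client, identd, user, [time], "method path proto", status, size, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
WORM_MARKERS = (b"cmd.exe", b"root.exe", b"default.ida")   # files the IIS worms asked for
OVERLONG = ("%c0%af", "%c0%2f", "%c1%1c", "%c1%9c")        # overlong UTF-8 forms of "/" and "\"

def classify(path: str) -> list:
    """Return indicator tags for one request path; an empty list means it looks ordinary."""
    # Undo up to two layers of percent-encoding: %255c -> %5c -> backslash
    decoded = unquote_to_bytes(unquote_to_bytes(path)).lower()
    tags, low = [], path.lower()
    if any(m in decoded for m in WORM_MARKERS):
        tags.append("iis-worm-target")
    if b"../" in decoded or b"..\\" in decoded:
        tags.append("traversal")
    if any(o in low for o in OVERLONG):
        tags.append("overlong-utf8")
    if "%25" in low or "%%" in low:
        tags.append("double-encoded")
    return tags

def scan(log_text: str) -> dict:
    """Group flagged requests per client; 'succeeded' counts probes answered with 2xx/3xx."""
    report = defaultdict(lambda: {"probes": 0, "succeeded": 0, "statuses": Counter(), "tags": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        tags = classify(m["path"]) if m else []
        if not tags:
            continue                       # ordinary request, e.g. the SquirrelMail POST
        e = report[m["ip"]]
        e["probes"] += 1
        e["statuses"][m["status"]] += 1
        e["tags"].update(tags)
        if m["status"][0] in "23":         # the probed path existed and answered: investigate
            e["succeeded"] += 1
    return dict(report)
```

Feed the contents of the real access.log to scan(); any client with succeeded > 0 is the one to look at first, while an all-404/400 result like the excerpt means the Windows paths simply did not exist on this Apache.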

Post by Sebastian.S » 20.06.2003 21:23:12

After several restarts (Apache and the complete system), the browser showed the following (internal):

Code:

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 4097 bytes) in /var/www/SquirrelMail/functions/imap_general.php on line 48

Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 64 bytes) in Unknown on line 0

What is strange is that the memory limit in php.ini is set to 32 M....



Sebastian