May 2012 – OSSEC

Faking (all) user agents

Posted on May 24, 2012July 1, 2020 by Daniel Cid

If you are going to fake a user agent, do it right 🙂 Seeing some web scanners faking all possible browsers out there in one single request:

Firefox/3.6
Chrome/9
Firefox/3.0
Opera/9.99?
Safari
and more..

This is the actual log (searching for vulnerable oscommerce files):

66.147.240.166 – – [24/May/2012:13:50:50 +0000] “GET /admin/file_manager.php/login.php HTTP/1.1” 404 9152 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\”,\”Mozilla/5.0 (Windows; U; Windows NT 5.1; pl-PL; rv:1.8.1.24pre) Gecko/20100228 K-Meleon/1.5.4\”,\”Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/540.0 (KHTML,like Gecko) Chrome/9.1.0.0 Safari/540.0\”,\”Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Comodo_Dragon/4.1.1.11 Chrome/4.1.249.1042 Safari/532.5\”,\”Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.16) Gecko/2009122206 Firefox/3.0.16 Flock/2.5.6\”,\”Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.1 (KHTML, like Gecko) Maxthon/3.0.8.2 Safari/533.1\”,\”Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.8pre) Gecko/20070928 Firefox/2.0.0.7 Navigator/9.0RC1\”,\”Opera/9.99 (Windows NT 5.1; U; pl) Presto/9.9.9\”,\”Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-HK) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5\”,\”Seamonkey-1.1.13-1(X11; U; GNU Fedora fc 10) Gecko/20081112\”,\”Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR

I wonder if it is a bug in their scanners or they did on purpose to bypass user agent restrictions.

OSSEC rule for the PHP-CGI vulnerability

Posted on May 9, 2012June 29, 2020 by Daniel Cid

I am seeing many scans for the PHP-CGI vulnerability in the wild and put up a quick OSSEC rule to detect/block those:

<rule id="31110" level="6">
<if_sid>31100</if_sid>
<url>?-d|?-s|?-a|?-b|?-w</url>
<description>PHP CGI-bin vulnerability attempt.</description>
<group>attack,</group>
</rule>

It looks for the possibly dangerous options (-d,-s,-a,-b and -w) and alerts if it sees those. This is the alert it generates when detected:

** Alert 1336547515.182029: - web,accesslog,attack,
2012 May 09 03:11:55 (honeypot3) any->/var/log/httpd/access.log
Rule: 31110 (level 6) -> 'PHP CGI-bin vulnerability attempt.'
Src IP: 93.233.72.66
93.233.72.66 - - [09/May/2012:07:11:55 +0000] "GET /index.php?-s HTTP/1.1" 200 39479 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"

This rule is also in my repository and you can download the latest from here.

Database Logging (PostgreSQL and MySQL)

Posted on May 8, 2012June 29, 2020 by Daniel Cid

Nobody cares about database logging, but I really recommend enabling them to see what is happening behind the scenes (specially for web applications).

To enable on PostgreSQL (and be compatible with OSSEC):

# Adding the timestamp, hostname and database.
log_line_prefix = '[%m] %h:%d '

# Recommended settings:
log_connections = on
log_disconnections = on
log_duration = on

# Maybe a good idea to reduce the default log level to info:
client_min_messages = info
log_min_messages = info

# To enable query logging (all for everything or mod for inserts, updates, etc)
log_statement = 'all'

On MySQL:

To enable the generic Query log on MySQL (the error log in on by default), you need to start MySQL with –log:

/bin/sh /usr/bin/mysqld_safe --log

The best option is to modify /etc/init.d/mysqld (if using Centos) and inside the –log in there.

Nothing new, but I was searching for this information online and couldn’t find much info.