Loading

Some sort of injection attack

Get help with problems, or report & discuss bugs in Collabtive

Some sort of injection attack

Postby Baaleos » 15.04.2015, 15:56

So - I host my Collabtive instance in Amazon EC2.
Today I got a shock when I discovered that since installing Collabtive my instance has somehow been churning out 8GB of data per hour.
(About $80 for the last 4-5 days)

I initially thought it was something to do with a build script that was being used by Jenkins - hosted on the same instance, but when reviewing my apache2 access logs I found what looks like a shell injection through collabtive.

Basically, somehow the GET request to apache2 was able to perform a curl and wget on a URL, download a linux binary, and then start it.
They also messed around with IP Tables etc

I just figured I should post this here, as it may or may not be a vulnerability with Collabtive.
Note: Collabtive was installed following a guide I found online.
Attachments
shattack2.JPG
shattack2.JPG (190.2 KiB) Viewed 3873 times
Baaleos
 
Posts: 1
Joined: 15.04.2015, 15:51

Re: Some sort of injection attack

Postby Philipp » 17.04.2015, 02:19

I dont think this is related to Collabtive.

A couple of points here:
1. I cant see in those HTTP requests where any part (script) that belongs to Collabtive is being handed any data that could be injected somewhere at all.
In fact all requests seem to go to the / (root) path of the (sub)domain.
So while this may run on the subdomain you have configured Collabtive on, Collabtive doesnt seem to be involved.

2. Most of those GET requests seem to be probing for some version of nagios plugins. Probably to exploit those.

3. The offending request seems to be some kind of shell exploit that uses wget etc indeed.
However, even if Collabtive was involved - there is no code in Collabtive that can call any shell commands or run strings on the system console otherwhise (like wget). So Collabtive generally is not vulnerable to these sorts of attack.

So this seems to be an attack on your apache server, nagios or some other part of your stack rather than Collabtive.
User avatar
Philipp
Site Admin
 
Posts: 1118
Joined: 14.12.2007, 03:06
Location: Saarbrücken, germany


Return to Problems and Bugs

Who is online

Users browsing this forum: No registered users