Security problem
josesanch
Post: #4
RE: Security problem
(05-18-2012 03:41 AM)kilburn Wrote:  First of all, could you please provide the following details:

- OS/Distribution/Version
- Log of the requests (from when they got back in)
- Description of the intrusion: what did they have access to? what did they change? etc...
- Your /etc/ispcp/ispcp.conf file

On a quick review I don't see any obvious security flaws (which doesn't mean there aren't any), so any detail you can mention will surely help to pinpoint the problem.

PS: For the time being you can disable this feature by logging in as administrator and going to "Settings" (Configuración? Parámetros?). There you will see the option to disable the lost password feature.

Hello again.

The distribution is Debian lenny.
The PHP version I had is 5.3.3-7+squeeze3 (it may be affected by a security problem, because today I am upgrading to squeeze and I saw this: CVE-2012-1823,CVE-2012-2311: Fix PHP-CGI query string parameter vulnerability)

This is part of the log
80.59.52.112 - - [17/May/2012:18:06:56 +0200] "GET / HTTP/1.1" 200 1436
80.59.52.112 - - [17/May/2012:18:06:56 +0200] "GET /themes/omega_original/css/ispcp.css HTTP/1.1" 200 2036
80.59.52.112 - - [17/May/2012:18:06:57 +0200] "GET /themes/omega_original/images/login/phpmyadmin.png HTTP/1.1" 200 2426
80.59.52.112 - - [17/May/2012:18:06:57 +0200] "GET /themes/omega_original/images/login/login_lock.jpg HTTP/1.1" 200 1336
80.59.52.112 - - [17/May/2012:18:06:57 +0200] "GET /themes/omega_original/images/login/filemanager.png HTTP/1.1" 200 2789
80.59.52.112 - - [17/May/2012:18:06:57 +0200] "GET /themes/omega_original/images/login/webmail.png HTTP/1.1" 200 2360
217.126.253.95 - - [17/May/2012:18:06:57 +0200] "POST /index.php HTTP/1.1" 200 721
80.59.52.112 - - [17/May/2012:18:06:58 +0200] "GET /themes/omega_original/images/login/login_top.jpg HTTP/1.1" 200 6244
80.59.52.112 - - [17/May/2012:18:06:58 +0200] "GET /themes/omega_original/images/button.jpg HTTP/1.1" 200 333
80.59.52.112 - - [17/May/2012:18:06:58 +0200] "GET /favicon.ico HTTP/1.1" 200 2462
83.45.11.50 - - [17/May/2012:18:07:01 +0200] "GET /lostpassword.php HTTP/1.1" 200 1114
83.45.11.50 - - [17/May/2012:18:07:01 +0200] "GET /imagecode.php HTTP/1.1" 200 1978
83.39.236.249 - - [17/May/2012:18:07:42 +0200] "GET / HTTP/1.1" 200 1436
83.39.236.249 - - [17/May/2012:18:07:42 +0200] "GET /themes/omega_original/css/ispcp.css HTTP/1.1" 200 2036
83.39.236.249 - - [17/May/2012:18:07:42 +0200] "GET /themes/omega_original/images/login/login_lock.jpg HTTP/1.1" 200 1336
83.39.236.249 - - [17/May/2012:18:07:42 +0200] "GET /themes/omega_original/images/login/phpmyadmin.png HTTP/1.1" 200 2426
83.39.236.249 - - [17/May/2012:18:07:42 +0200] "GET /themes/omega_original/images/login/filemanager.png HTTP/1.1" 200 2789
83.39.236.249 - - [17/May/2012:18:07:42 +0200] "GET /themes/omega_original/images/login/webmail.png HTTP/1.1" 200 2360
83.39.236.249 - - [17/May/2012:18:07:42 +0200] "GET /themes/omega_original/images/login/login_top.jpg HTTP/1.1" 200 6244
83.39.236.249 - - [17/May/2012:18:07:42 +0200] "GET /themes/omega_original/images/button.jpg HTTP/1.1" 200 333
83.39.236.249 - - [17/May/2012:18:07:42 +0200] "GET /favicon.ico HTTP/1.1" 200 2462
83.45.11.50 - - [17/May/2012:18:07:45 +0200] "POST /lostpassword.php HTTP/1.1" 200 906
83.45.11.50 - - [17/May/2012:18:07:45 +0200] "GET /themes/omega_original/images/login/content_line.png HTTP/1.1" 404 372
83.45.11.50 - - [17/May/2012:18:07:45 +0200] "GET /themes/omega_original/images/trans.png HTTP/1.1" 404 372
83.45.11.50 - - [17/May/2012:18:07:47 +0200] "GET /lostpassword.php HTTP/1.1" 200 1114
83.45.11.50 - - [17/May/2012:18:07:49 +0200] "GET /imagecode.php HTTP/1.1" 200 2157
80.59.52.112 - - [17/May/2012:18:07:48 +0200] "POST /index.php HTTP/1.1" 200 721
80.59.52.112 - - [17/May/2012:18:07:52 +0200] "GET / HTTP/1.1" 200 703
80.24.127.24 - - [17/May/2012:18:07:52 +0200] "GET / HTTP/1.1" 200 1436
80.24.127.24 - - [17/May/2012:18:07:52 +0200] "GET /themes/omega_original/css/ispcp.css HTTP/1.1" 200 2036
80.24.127.24 - - [17/May/2012:18:07:52 +0200] "GET /themes/omega_original/images/login/phpmyadmin.png HTTP/1.1" 200 2426
80.24.127.24 - - [17/May/2012:18:07:52 +0200] "GET /themes/omega_original/images/login/login_lock.jpg HTTP/1.1" 200 1336
80.24.127.24 - - [17/May/2012:18:07:52 +0200] "GET /themes/omega_original/images/login/filemanager.png HTTP/1.1" 200 2789
80.24.127.24 - - [17/May/2012:18:07:52 +0200] "GET /themes/omega_original/images/login/webmail.png HTTP/1.1" 200 2360
80.24.127.24 - - [17/May/2012:18:07:53 +0200] "GET /themes/omega_original/images/button.jpg HTTP/1.1" 200 333
80.24.127.24 - - [17/May/2012:18:07:53 +0200] "GET /themes/omega_original/images/login/login_top.jpg HTTP/1.1" 200 6244
80.24.127.24 - - [17/May/2012:18:07:53 +0200] "GET /favicon.ico HTTP/1.1" 200 2462
80.59.52.112 - - [17/May/2012:18:08:03 +0200] "GET / HTTP/1.1" 200 1436
80.24.127.24 - - [17/May/2012:18:08:12 +0200] "POST /index.php HTTP/1.1" 200 721
80.24.127.24 - - [17/May/2012:18:08:18 +0200] "GET / HTTP/1.1" 200 704
80.24.127.24 - - [17/May/2012:18:08:20 +0200] "GET / HTTP/1.1" 200 704
80.24.127.24 - - [17/May/2012:18:08:23 +0200] "GET / HTTP/1.1" 200 704
80.24.127.24 - - [17/May/2012:18:08:28 +0200] "GET / HTTP/1.1" 200 704
83.45.11.50 - - [17/May/2012:18:08:34 +0200] "POST /lostpassword.php HTTP/1.1" 200 906
83.45.11.50 - - [17/May/2012:18:08:35 +0200] "GET /themes/omega_original/images/login/content_line.png HTTP/1.1" 404 372
83.45.11.50 - - [17/May/2012:18:08:35 +0200] "GET /themes/omega_original/images/trans.png HTTP/1.1" 404 372
83.45.11.50 - - [17/May/2012:18:08:38 +0200] "GET /lostpassword.php HTTP/1.1" 200 1114
83.45.11.50 - - [17/May/2012:18:08:38 +0200] "GET /imagecode.php HTTP/1.1" 200 1973
80.24.127.24 - - [17/May/2012:18:08:47 +0200] "GET / HTTP/1.1" 200 1436
83.45.11.50 - - [17/May/2012:18:08:58 +0200] "POST /lostpassword.php HTTP/1.1" 200 702
80.24.127.24 - - [17/May/2012:18:09:04 +0200] "POST /index.php HTTP/1.1" 200 721
80.24.127.24 - - [17/May/2012:18:09:06 +0200] "GET / HTTP/1.1" 200 703
80.24.127.24 - - [17/May/2012:18:09:47 +0200] "GET / HTTP/1.1" 200 1436
80.24.127.24 - - [17/May/2012:18:09:47 +0200] "GET /themes/omega_original/css/ispcp.css HTTP/1.1" 304 -
80.24.127.24 - - [17/May/2012:18:09:47 +0200] "GET /themes/omega_original/images/login/phpmyadmin.png HTTP/1.1" 304 -
80.24.127.24 - - [17/May/2012:18:09:47 +0200] "GET /themes/omega_original/images/login/login_lock.jpg HTTP/1.1" 304 -
80.24.127.24 - - [17/May/2012:18:09:47 +0200] "GET /themes/omega_original/images/login/webmail.png HTTP/1.1" 304 -
80.24.127.24 - - [17/May/2012:18:09:47 +0200] "GET /themes/omega_original/images/login/filemanager.png HTTP/1.1" 304 -
80.24.127.24 - - [17/May/2012:18:09:48 +0200] "GET /themes/omega_original/images/button.jpg HTTP/1.1" 304 -
80.24.127.24 - - [17/May/2012:18:09:48 +0200] "GET /themes/omega_original/images/login/login_top.jpg HTTP/1.1" 304 -
80.24.127.24 - - [17/May/2012:18:09:52 +0200] "GET /lostpassword.php HTTP/1.1" 200 1114

They got access as a panel user (domain user). Until I disabled lostpassword.php I kept seeing them getting in, first as unknown and then as users
17.05.2012 18:06 admin: killed user session: 03cbjndvrjf1b24a1bh9aid6d7!
17.05.2012 18:06 admin: killed user session: 03cbjndvrjf1b24a1bh9aid6d7!

Regards
05-18-2012 07:51 PM
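A defender-side triage of an access log for the pattern visible in the excerpt above: repeated POSTs to /lostpassword.php from one client, interleaved with /imagecode.php fetches. This is an added example, not part of the original post or of ispCP; the sample lines are constructed with documentation IP addresses, and the thresholds `min_posts` and `window_seconds` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format, the format of the excerpt in the post.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$')
RESET_PATH = "/lostpassword.php"   # reset form named in the post
CAPTCHA_PATH = "/imagecode.php"    # captcha image requested alongside it

# Constructed sample lines (documentation IP ranges), not the poster's log.
SAMPLE_LOG = """\
198.51.100.7 - - [17/May/2012:18:07:01 +0200] "GET /lostpassword.php HTTP/1.1" 200 1114
198.51.100.7 - - [17/May/2012:18:07:01 +0200] "GET /imagecode.php HTTP/1.1" 200 1978
198.51.100.7 - - [17/May/2012:18:07:45 +0200] "POST /lostpassword.php HTTP/1.1" 200 906
198.51.100.7 - - [17/May/2012:18:08:34 +0200] "POST /lostpassword.php HTTP/1.1" 200 906
198.51.100.7 - - [17/May/2012:18:08:58 +0200] "POST /lostpassword.php HTTP/1.1" 200 702
192.0.2.10 - - [17/May/2012:18:09:04 +0200] "POST /index.php HTTP/1.1" 200 721
203.0.113.5 - - [17/May/2012:18:09:52 +0200] "POST /lostpassword.php HTTP/1.1" 200 906
"""

def reset_activity(log_text, min_posts=2, window_seconds=300):
    """Return {ip: summary} for clients with at least min_posts reset-form
    POSTs falling inside one window_seconds span (both values are assumptions)."""
    per_ip = defaultdict(lambda: {"posts": [], "captchas": 0, "sizes": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        path = m["path"].split("?", 1)[0]  # ignore any query string
        rec = per_ip[m["ip"]]
        if path == CAPTCHA_PATH:
            rec["captchas"] += 1
        elif path == RESET_PATH and m["method"] == "POST":
            rec["posts"].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
            if m["size"] != "-":
                rec["sizes"].add(int(m["size"]))  # differing sizes hint at differing outcomes
    flagged = {}
    for ip, rec in per_ip.items():
        posts = sorted(rec["posts"])
        burst = any((posts[i + min_posts - 1] - posts[i]).total_seconds() <= window_seconds
                    for i in range(len(posts) - min_posts + 1))
        if burst:
            flagged[ip] = {"posts": len(posts), "captchas": rec["captchas"],
                           "sizes": sorted(rec["sizes"])}
    return flagged
```

Run it over the panel's real access log by passing the file contents as `log_text`; a client that appears in the result with more than one response size is worth correlating with the panel's own admin log entries for the same minutes.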
Messages In This Thread
Security problem - josesanch - 05-18-2012, 03:18 AM
RE: Security problem - kurgans - 05-18-2012, 03:26 AM
RE: Security problem - kilburn - 05-18-2012, 03:41 AM
RE: Security problem - josesanch - 05-18-2012, 07:51 PM
RE: Security problem - kilburn - 05-24-2012, 02:55 AM
