Attempted unauthorized access? Is there a security risk?

I found in the log an attempt to access a mail server through Yii's URL routing; see the log:


2011/06/04 05:40:53 [error] [exception.CHttpException.404] exception 'CHttpException' with message 'Unable to resolve the request "maila.burst.idv.tw:25".' in /usr/home/www/dominios/xYxYxYxY/protected/yii114/framework/web/CWebApplication.php:328

Stack trace:

#0 /usr/home/www/dominios/xYxYxYxY/protected/yii114/framework/web/CWebApplication.php(121): CWebApplication->runController('maila.burst.idv...')

#1 /usr/home/www/dominios/xYxYxYxY/protected/yii114/framework/base/CApplication.php(135): CWebApplication->processRequest()

#2 /usr/home/www/dominios/xYxYxYxY/index.php(18): CApplication->run()

#3 {main} REQUEST_URI=maila.burst.idv.tw:25

2011/06/07 08:03:33 [error] [exception.CHttpException.404] exception 'CHttpException' with message 'Unable to resolve the request "maila.burst.idv.tw:25".' in /usr/home/www/dominios/xYxYxYxY/protected/yii114/framework/web/CWebApplication.php:328

Stack trace:

#0 /usr/home/www/dominios/xYxYxYxY/protected/yii114/framework/web/CWebApplication.php(121): CWebApplication->runController('maila.burst.idv...')

#1 /usr/home/www/dominios/xYxYxYxY/protected/yii114/framework/base/CApplication.php(135): CWebApplication->processRequest()

#2 /usr/home/www/dominios/xYxYxYxY/index.php(18): CApplication->run()

#3 {main} REQUEST_URI=maila.burst.idv.tw:25

2011/06/10 09:40:42 [error] [exception.CHttpException.404] exception 'CHttpException' with message 'Unable to resolve the request "maila.burst.idv.tw:25".' in /usr/home/www/dominios/xYxYxYxY/protected/yii114/framework/web/CWebApplication.php:328

Stack trace:

#0 /usr/home/www/dominios/xYxYxYxY/protected/yii114/framework/web/CWebApplication.php(121): CWebApplication->runController('maila.burst.idv...')

#1 /usr/home/www/dominios/xYxYxYxY/protected/yii114/framework/base/CApplication.php(135): CWebApplication->processRequest()

#2 /usr/home/www/dominios/xYxYxYxY/index.php(18): CApplication->run()

#3 {main} REQUEST_URI=maila.burst.idv.tw:25

I tried to simulate this log by adding the URL (maila.burst.idv.tw:25) to the request, but it did not come out the same:

11/06/15 11:46:01 [error] [exception.CHttpException.404] exception 'CHttpException' with message 'Unable to resolve the request "maila.burst.idv.tw:25".' in /usr/home/www/dominios/bsdapps.com.br/protected/yii114/framework/web/CWebApplication.php:328

Stack trace:

#0 /usr/home/www/dominios/xYxYxYxY/protected/yii114/framework/web/CWebApplication.php(121): CWebApplication->runController('maila.burst.idv...')

#1 /usr/home/www/dominios/xYxYxYxY/protected/yii114/framework/base/CApplication.php(135): CWebApplication->processRequest()

#2 /usr/home/www/dominios/xYxYxYxY/index.php(18): CApplication->run()

#3 {main} REQUEST_URI=/index.php/maila.burst.idv.tw:25



How did he manage to make this request to Yii without going through index.php?

I found other people having this same problem; my big concern is: is a request actually being made to this URL (maila.burst.idv.tw:25)?

In the links below the same problem was detected, and apparently the URL (maila.burst.idv.tw:25) is the victim in this game:

groups.google.com/group/news.admin.net-abuse.email/browse_thread/thread/6a1898b8ec3d04ff

www.democraticunderground.com/discuss/duboard.php?az=view_all&address=105x8940761

leda-ekb.ru/stat/usage_200812.html

I know that my English is bad, but Google is partly to blame too; it's still learning, maybe one day it will reach 99.99% :D

I don’t see a security risk at all.

All the requests go through the Yii bootstrap file; that's why you are able to see the logged messages.

If somehow your server has many hostnames, and therefore many virtual hosts, and your Yii app resides in the default one, then any attempt to resolve a hostname that does not have a virtual host will end up calling your Yii app and logging these messages; but even in this case, if your Yii app is secured (meaning you clean the POST/GET vars and you bind the database params), there is no security risk.

It is interesting, though, that SMTP port 25 is requested.

I say this because, if a server has an HTTP service running on port 80 and an SMTP server running on port 25, when you access the hostname on port 80 the HTTP server will respond; if you do it on port 25, then the SMTP server will, in this case bypassing the HTTP server and therefore the Yii installation.

Anyway, I can just say you have nothing to worry about because of Yii, but you should still search for newer exploits that regard the HTTP server / SMTP server directly, just to be sure your server is not compromised.
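To make the log excerpts above checkable, here is an added example in Python (not code from this thread, from Yii, or from Twisted's extensions). It parses lines in the shape of the Yii 1.1 error log quoted in the question, pairs each error with the REQUEST_URI of its stack trace, and flags request targets of the form host:port (the authority-form target that HTTP CONNECT uses when talking to a proxy) or full http:// URLs (absolute-form, the way a client addresses a forward proxy), as distinct from a normal /index.php/... path like the one in the poster's own simulated entry. The sample log text, hostnames and file paths are constructed placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the Yii 1.1 error log quoted in the thread.
# Hostnames and paths are placeholders, not values from the original post.
SAMPLE_LOG = """\
2011/06/04 05:40:53 [error] [exception.CHttpException.404] exception 'CHttpException' with message 'Unable to resolve the request "mail.example.test:25".' in /var/www/app/protected/yii/framework/web/CWebApplication.php:328
Stack trace:
#0 /var/www/app/protected/yii/framework/web/CWebApplication.php(121): CWebApplication->runController('mail.example.te...')
#3 {main} REQUEST_URI=mail.example.test:25
2011/06/07 08:03:33 [error] [exception.CHttpException.404] exception 'CHttpException' with message 'Unable to resolve the request "mail.example.test:25".' in /var/www/app/protected/yii/framework/web/CWebApplication.php:328
Stack trace:
#3 {main} REQUEST_URI=mail.example.test:25
2011/06/08 10:12:00 [error] [exception.CHttpException.404] exception 'CHttpException' with message 'Unable to resolve the request "www.example.test/".' in /var/www/app/protected/yii/framework/web/CWebApplication.php:328
#3 {main} REQUEST_URI=http://www.example.test/
2011/06/10 09:40:42 [error] [exception.CHttpException.404] exception 'CHttpException' with message 'Unable to resolve the request "site/missing".' in /var/www/app/protected/yii/framework/web/CWebApplication.php:328
#3 {main} REQUEST_URI=/index.php/site/missing
"""

# One Yii log entry header: timestamp, level, category, free-text message.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"\[(?P<category>[\w.]+)\] (?P<message>.*)$"
)
# Yii appends REQUEST_URI=... to the last frame of the stack trace.
REQUEST_URI_RE = re.compile(r"REQUEST_URI=(?P<uri>\S+)")
# authority-form target (host:port): what HTTP CONNECT sends to a proxy
AUTHORITY_FORM_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")
# absolute-form target (full URL): what a client sends to a forward proxy
ABSOLUTE_FORM_RE = re.compile(r"^https?://", re.IGNORECASE)


@dataclass
class LogEntry:
    timestamp: str
    category: str
    message: str
    request_uri: str


def parse_yii_log(text: str) -> List[LogEntry]:
    """Pair each timestamped error header with the REQUEST_URI from its trace."""
    entries: List[LogEntry] = []
    current: Optional[dict] = None
    for line in text.splitlines():
        header = ENTRY_RE.match(line)
        if header:
            current = header.groupdict()
            continue
        uri = REQUEST_URI_RE.search(line)
        if uri and current is not None:
            entries.append(LogEntry(current["ts"], current["category"],
                                    current["message"], uri.group("uri")))
            current = None
    return entries


def classify_target(uri: str) -> Optional[str]:
    """'authority-form' or 'absolute-form' for proxy-style targets, None for a normal path."""
    if AUTHORITY_FORM_RE.match(uri):
        return "authority-form"
    if ABSOLUTE_FORM_RE.match(uri):
        return "absolute-form"
    return None


def proxy_probe_summary(entries: List[LogEntry]) -> Counter:
    """Count proxy-style targets: (host, port) for CONNECT-style, (url, None) for absolute-form."""
    counts: Counter = Counter()
    for entry in entries:
        kind = classify_target(entry.request_uri)
        if kind == "authority-form":
            m = AUTHORITY_FORM_RE.match(entry.request_uri)
            counts[(m.group("host"), int(m.group("port")))] += 1
        elif kind == "absolute-form":
            counts[(entry.request_uri, None)] += 1
    return counts


if __name__ == "__main__":
    for (target, port), n in proxy_probe_summary(parse_yii_log(SAMPLE_LOG)).items():
        print(f"{n:3d}x proxy-style target {target!r} port={port}")
```

Run over a real Yii log, a result such as "2x mail.example.test port=25" tells you the requests never carried your application's path at all; a legitimate hit through the bootstrap file shows up as /index.php/... exactly as the poster's own simulation did, so the two are easy to separate when deciding whether to rate-limit or block the source.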

If you're concerned about security then you could - besides checking out Twisted's extension(s) - run your site through PHPIDS:

http://www.yiiframework.com/extension/phpids

That should give an idea of how secure your site is. :)