08 June 2010

Reading the logs ...

I see the following from logwatch in the overnight log file review:

 --------------------- httpd Begin ------------------------

Requests with error response codes
404 Not Found
/crossdomain.xml: 1 Time(s)

---------------------- httpd End -------------------------

and so I go digging:

[root@centos-5 httpd]# cat error_log
[Sun Jun 06 04:02:04 2010] [notice] Digest: generating secret for digest authentication ...
[Sun Jun 06 04:02:04 2010] [notice] Digest: done
[Sun Jun 06 04:02:05 2010] [notice] Apache/2.2.3 (CentOS) configured -- resuming normal operations
[Mon Jun 07 14:20:39 2010] [error] [client] File does not exist: /var/www/html/crossdomain.xml

Sure enough. It looks as though some piece of Flash code is hoping to 'leverage' a cross-domain permission to include something I may not have intended to allow.

See the note at: http://kb2.adobe.com/cps/142/tn_14213.html

For the sake of argument, assume you HAD to browse the web as root, as, say, with an operating system that requires you to use a browser front end to access system updates. Assume also that you improvidently viewed a 'seeder' of bad things that WROTE a hostile crossdomain.xml for later use by a second piece of hostile Flash to 'reap'.

Oops ... game over
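
One way to vet a crossdomain.xml that turns up in the docroot, as an added example that is not part of the original post: it flags the wide-open grants a hostile policy file would depend on. Both sample policies are constructed; the element and attribute names are those of Adobe's cross-domain policy file format.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the kind of wide-open policy a 'seeder' might leave behind.
SAMPLE_HOSTILE = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: a narrow policy naming a single trusted host.
SAMPLE_NARROW = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.example.com"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return findings for a crossdomain.xml body; an empty list means nothing flagged."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["unparseable policy file: %s" % exc]
    if root.tag != "cross-domain-policy":
        return ["unexpected root element <%s>" % root.tag]
    findings = []
    for el in root.iter():
        domain = el.get("domain", "")
        if el.tag == "site-control":
            if el.get("permitted-cross-domain-policies") == "all":
                findings.append("site-control: policy files anywhere on the host are honoured")
        elif el.tag == "allow-access-from":
            if domain == "*":
                findings.append("allow-access-from: every domain may read responses")
            if el.get("secure", "true").lower() == "false":
                findings.append("allow-access-from: secure=false lets HTTP-served content read HTTPS data")
        elif el.tag == "allow-http-request-headers-from":
            if domain == "*" or el.get("headers") == "*":
                findings.append("allow-http-request-headers-from: wildcard domain or header list")
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the constructed hostile sample.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HOSTILE
    for finding in audit_policy(text) or ["nothing flagged"]:
        print(finding)
```

On a server that is not meant to publish a policy at all, the mere presence of the file is the finding; the audit matters when a policy is expected and its contents need checking.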